Timothy J. Massey wrote:

Hello!

I have created a certificate-based tunnel between a Leaf firewall and a Windows client using either the Windows 2000 VPN tool (http://vpn.ebootis.de/) or SSH Sentinel. In both cases, the client software establishes the connection, and according to Leaf's auth.log, the tunnel is 100% established.

However, no traffic seems to come from the Leaf firewall to the Windows client. There are no entries in shorewall.log, or any other log entry.
From the Windows computer, when I ping or browse a computer behind the Leaf side of the VPN, it times out. The external interface of the Leaf box blinks, but the internal one does not. If I ping from a (Windows) client on the Leaf side to the Windows client, I get a response: Response from 10.154.19.254: Port not available (or something like that: I'll try to get it back again). The external interface does not blink.

It seems that the tunnel is up, but something is not routing properly. Where can I look? There's *nothing* in any entry in any log in /var/log at all, especially shorewall.log: it's 0 bytes.

The problem you describe can be caused if the keying traffic (UDP port 500) is allowed, but the encrypted data (ESP/Protocol 50 or AH/Protocol 51) is being blocked.

Make sure you have an entry in /etc/shorewall/tunnels for your IPSec connection, and make sure your ISP isn't dropping the encrypted traffic (smarter ISPs do this to prevent VPN software from working at home unless you pay for SOHO-class access).

If your ISP is blocking the encrypted traffic, using NAT-traversal (which tunnels the encrypted data across UDP port 500) should solve the problem, but I'd suspect firewall rules first.

--
Charles Steinkuehler
[EMAIL PROTECTED]
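The "keying works, encrypted data doesn't" pattern Charles describes can be checked from a tcpdump of the external interface: IKE (UDP 500) in both directions, but ESP (protocol 50) or AH (protocol 51) arriving and never being answered points at the local firewall, while ESP/AH never appearing at all points upstream. The script below is an added illustration, not part of this thread or the Leaf/Shorewall project; the capture lines, the addresses (192.0.2.1 as the Leaf external address, 203.0.113.5 as the Windows client) and the verdict labels are all constructed.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture) as seen on the Leaf external interface.
# 192.0.2.1 stands in for the Leaf box, 203.0.113.5 for the Windows client.
SAMPLE_CAPTURE = """\
10:01:00.1 192.0.2.1.500 > 203.0.113.5.500: isakmp: phase 1 I ident
10:01:00.2 203.0.113.5.500 > 192.0.2.1.500: isakmp: phase 1 R ident
10:01:01.3 203.0.113.5.500 > 192.0.2.1.500: isakmp: phase 2/others I oakley-quick
10:01:01.4 192.0.2.1.500 > 203.0.113.5.500: isakmp: phase 2/others R oakley-quick
10:01:02.0 203.0.113.5 > 192.0.2.1: ESP(spi=0x0000a1b2,seq=0x1)
10:01:03.0 203.0.113.5 > 192.0.2.1: ESP(spi=0x0000a1b2,seq=0x2)
"""

# timestamp, source, ">", destination, then the protocol tcpdump decoded
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+>\s+(\S+):\s+(isakmp|ESP|AH)\b")

def classify(line, local_ip):
    """Return ('ike'|'esp'|'ah', 'in'|'out') for one capture line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, proto = m.groups()
    kind = {"isakmp": "ike", "ESP": "esp", "AH": "ah"}[proto]
    if kind == "ike":  # IKE lines carry a ".500" port suffix; ESP/AH have no ports
        src, dst = src.rsplit(".", 1)[0], dst.rsplit(".", 1)[0]
    return kind, ("in" if dst == local_ip else "out")

def diagnose(capture, local_ip):
    """Classify the capture and map it to one of the failure modes from the reply above."""
    counts = Counter()
    for line in capture.splitlines():
        c = classify(line, local_ip)
        if c:
            counts[c] += 1
    ike_ok = counts[("ike", "in")] and counts[("ike", "out")]
    enc_in = counts[("esp", "in")] + counts[("ah", "in")]
    enc_out = counts[("esp", "out")] + counts[("ah", "out")]
    if not ike_ok:
        verdict = "no-keying"           # UDP 500 itself is not getting through
    elif enc_in == 0 and enc_out == 0:
        verdict = "upstream-filter"     # keying completes but protocol 50/51 never reaches the wire
    elif enc_in and not enc_out:
        # A capture on the interface sees inbound packets before netfilter drops them, so ESP/AH
        # arriving with nothing sent back suggests the Leaf firewall (tunnels file) is the blocker.
        verdict = "local-firewall"
    else:
        verdict = "data-flowing"        # encrypted traffic moves; look at routing/policy instead
    return {"counts": dict(counts), "verdict": verdict}
```

The sample capture reproduces the symptom from the original post (external interface blinking, nothing on the internal side) and yields "local-firewall".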

