Hello again. I have fought with this for a week now and I must be missing something. First of all, if I use a conn statement that has "%defaultroute" for right=, I get an error that the statement does not exist. However, if I use a right=(IP) and rightnexthop=(gateway), the conn statement works fine. Can anyone explain this? But... Non of the conn statements below work. My guess is that the conn statements that contain the "also=" parameter must be missing something. So I added esp=aes and auto=start or auto=add depending on the side of the connection. Still no joy. Can anyone please tell me what I am doing wrong here? If you need error logs, I can provide them.
Thanks in advance! Troy. -----Original Message----- From: Erich Titl [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 16, 2004 3:30 AM Cc: Troy Aden; Leaf-User (E-mail) Subject: Re: [leaf-user] IPSEC subnet routing Looking at my mail there are a few typos. Long live cut and paste :-( Erich Titl wrote: >Troy > >It is a bit confusing for me, as I am always using left for the local system, right for the remote. > >Assumptions > >S'Toon > >external IP address 135.115.157.162 >internal networks 192.168.161.0/24 192.168.162.0/24 192.168.163.0/24 > >Victoria >external IP address 24.35.38.129 >internal network 172.0.0.0/8 > >Please observe the difference in auto= between the two systems, only one should start the connection. > >At 18:59 15.11.2004 -0600, Troy Aden wrote: > > >>First of all, thanks so much for the quick reply! I am sorry to bug you a >>second time but I need some baby steps here. >>Can you please give me a example with the configs I provided. I need to see >>the "also=common_conn_params" in terms of my config. >>For example, if I had a 192.168.161.0/24, 192.168.162.0/24,192.168.163.0/24, >>networks on router A side. And I wanted Router B to connect to ONLY those >>subnets. Can you please type in "exactly" what I would need on both router A >>(S'toon) and router B (Victoria). From that, I should be able to figure out >>what I need to do to be more pricise about the Router B networks within the >>172.0.0.0/8 range. >> >>Again.Thanks in advance!!! Sorry to be a pain. >> >>Troy. >> >> >> > >Router A (S'toon) ># basic configuration >config setup > # THIS SETTING MUST BE CORRECT or almost nothing will work; > # %defaultroute is okay for most simple cases. > interfaces=%defaultroute > # Debug-logging controls: "none" for (almost) none, "all" for lots. > klipsdebug=none > plutodebug=none > # Use auto= parameters in conn descriptions to control startup >actions. > plutoload=%search > plutostart=%search > # Close down old connection when new one using same ID shows up. > uniqueids=yes > > ># defaults for subsequent connection descriptions >conn %default > # How persistent to be in (re)keying negotiations (0 means very). > keyingtries=0 > # RSA authentication with keys from DNS. > authby=secret > pfs=yes > >conn block > auto=ignore > >conn private > auto=ignore > >conn private-or-clear > auto=ignore > >conn clear > auto=ignore > >conn packetdefault > auto=ignore > >conn victoria > right=%defaultroute > left=24.35.38.129 > leftsubnet=172.0.0.0/8 > esp=aes > auto=start > >conn victoria_1 > also=victoria > rightsubnet=192.168.161.0/24 > >conn victoria_2 > also=victoria > rightsubnet=192.168.162.0/24 > >conn victoria_3 > also=victoria > rightsubnet=192.168.163.0/24 > > >Router B (Victoria) > ># basic configuration >config setup > # THIS SETTING MUST BE CORRECT or almost nothing will work; > # %defaultroute is okay for most simple cases. > interfaces=%defaultroute > # Debug-logging controls: "none" for (almost) none, "all" for lots. > klipsdebug=none > plutodebug=none > # Use auto= parameters in conn descriptions to control startup >actions. > plutoload=%search > plutostart=%search > # Close down old connection when new one using same ID shows up. > uniqueids=yes > > > ># defaults for subsequent connection descriptions >conn %default > # How persistent to be in (re)keying negotiations (0 means very). > keyingtries=0 > # RSA authentication with keys from DNS. > authby=secret > pfs=yes > >conn block > auto=ignore > >conn private > auto=ignore > >conn private-or-clear > auto=ignore > >conn clear > auto=ignore > >conn packetdefault > auto=ignore > > >conn stoon > right=%defaultroute > rightsubnet=172.0.0.0/8 > left=135.115.157.162 > esp=aes > auto=add > >conn stoon_1 > also=stoon > leftsubnet=192.168.161.0/24 > >conn stoon_2 > also=stoon > leftsubnet=192.168.162.0/24 > >conn stoon_3 > also=stoon > leftsubnet=192.168.163.0/24 > > >HTH >Erich > >THINK >Püntenstrasse 39 >8143 Stallikon >mailto:[EMAIL PROTECTED] >PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16 > > > > >------------------------------------------------------- >This SF.Net email is sponsored by: InterSystems CACHE >FREE OODBMS DOWNLOAD - A multidimensional database that combines >robust object and relational technologies, making it a perfect match >for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8 >------------------------------------------------------------------------ >leaf-user mailing list: [EMAIL PROTECTED] >https://lists.sourceforge.net/lists/listinfo/leaf-user >SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html > > > ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
