> I'm having trouble deciding what to put in "/etc/ipsec.conf", found on
Really?? you don't say... :) Try looking at it this way:

    |------------- 172.16.0.100 (your PC)
    |
    |------------- 172.16.0.110 (your roommate's PC)
    |
    |
    172.16.0.1 (eth1, your leaf router's private ip, gateway of above clients)
    10.0.0.10 (eth0, pretend this is a public ip)
    |
    10.0.0.1 (your router's gateway to the internet/isp router)
    |
    |
    (poof, cloud)
    |
    |
    10.12.12.1 (your friend's internet gateway)
    |
    10.12.12.10 (eth0, public side of your friend's leaf router)
    |
    192.168.0.1 (eth1, your friend's leaf router, private ip)
    |
    |
    |------------- 192.168.0.200 (his PC)
    |
    |------------- 192.168.0.220 (his roommate's PC)

> The "next hop" for each side of either setup in the first 2 examples
> is the outside interface of the other LEAF router. This is the same
> value as "left", so the choice is whether to put the same value in
> both or just don't define "nexthop".

I'm not sure if I understand this part. Are you saying leftnexthop is the same as right, and rightnexthop is the same as left? If this is the case, that's not correct. Left is 10.0.0.10 and leftnexthop is 10.0.0.1; right is 10.12.12.10 and rightnexthop is 10.12.12.1.

For your rf_bridge connection, you can specify %direct for both nexthops. Or, if I'm not mistaken, I believe it will default to %direct if nexthop is unspecified.

As for the dsl_link connection, this looks the same as your RF bridge setup. So %direct should do it.

isp_link looks fine the way it is.

> I don't understand why the IPSEC configuration needs a "next hop"
> anyway. Aren't the routers smart enough to forward the packets given
> the external IP address of the other IPSEC/LEAF router?

It's a kludge, read this:
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/quickstart.html

"Due to an unfortunate interaction between FreeS/WAN and the kernel routing code, you must specify leftnexthop (the router which left sends packets to in order to get them delivered to right) and rightnexthop (vice versa).
The *nexthop parameters will be eliminated in a future release, but perhaps not soon. We know they should go, but getting them out is not a simple problem. For now, live with them."

More info from http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/quickstart.html:

<<
Using slightly different descriptions

Provided both machines do IPsec over the interface that is their default route to the Internet (a common case, but by no means the only one) you can simplify the description somewhat. When using left=%defaultroute, you do not need to specify leftnexthop. left does not need to know rightnexthop either, so on left the connection description can be:

    conn sample
        # left security gateway (public-network address)
        left=%defaultroute
        # subnet behind left (omit if there is no subnet)
        leftsubnet=172.16.0.0/24
        # right s.g., subnet behind it
        right=10.12.12.1
        rightsubnet=192.168.0.0/24
        auto=start

On right it is:

    conn sample
        # left security gateway (public-network address)
        left=10.0.0.1
        # subnet behind left (omit if there is no subnet)
        leftsubnet=172.16.0.0/24
        # right s.g., subnet behind it
        right=%defaultroute
        rightsubnet=192.168.0.0/24
        auto=start
>>

http://www2.frell.ambush.de/archives/freeswan-design/1334.html:

> On Sun, 30 Dec 2001, Jean-Michel POURE wrote:
> > This does not work for me. I have to set up leftnexthop and rightnexthop... Is
> > this a bug?
>
> Not exactly. It is a documented property of our current software that,
> except for a few unusually favorable cases, (left/right)nexthop must be
> supplied (perhaps with the help of %defaultroute) and must be correct.
> They are *not* optional. There is a reason why our documentation tells
> you to fill them in.
>
> Mind you, it is a serious blemish that they are necessary. We intend to
> eliminate the requirement for them eventually. Unfortunately, this is not
> easy to do, in the general case, and so it will not happen quickly.
>
> Henry Spencer
> henry_at_spsystems.net

I find that I generally don't have to specify the rightnexthop.

-cpu

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
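As an added illustration (not code from the post or from FreeS/WAN), here is a small Python check that reads conn blocks from an ipsec.conf and flags the misreading discussed above: a leftnexthop or rightnexthop set to the peer's public address, or to an address not on-link with that side's own interface. The conn names, the sample config and the /24 interface mask are assumptions.

```python
import ipaddress

# Constructed sample (not from the post): the reply's topology as a conn, plus a
# conn whose nexthops point at the peer, the reading the reply says is wrong.
SAMPLE_CONF = """\
conn leaf_ok
    left=10.0.0.10
    leftnexthop=10.0.0.1
    leftsubnet=172.16.0.0/24
    right=10.12.12.10
    rightnexthop=10.12.12.1
    rightsubnet=192.168.0.0/24
conn leaf_wrong
    left=10.0.0.10
    leftnexthop=10.12.12.10
    right=10.12.12.10
    rightnexthop=10.0.0.10
"""

def parse_conns(text: str) -> dict:
    """Minimal ipsec.conf reader: 'conn NAME' headers, indented key=value lines."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur and "=" in line:
            key, val = line.strip().split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def check_nexthops(conn: dict, prefixlen: int = 24) -> list:
    """Flag a *nexthop that cannot be that side's own gateway. prefixlen is an
    assumed interface mask; the post gives none."""
    problems = []
    for side, peer in (("left", "right"), ("right", "left")):
        gw = conn.get(side + "nexthop")
        if gw in (None, "%direct", "%defaultroute"):
            continue  # unset or special values are left to FreeS/WAN to resolve
        local = conn.get(side)
        if gw == conn.get(peer):
            problems.append(f"{side}nexthop is the peer's address, not {side}'s gateway")
        elif local and local != "%defaultroute" and ipaddress.ip_address(gw) \
                not in ipaddress.ip_network(f"{local}/{prefixlen}", strict=False):
            problems.append(f"{side}nexthop {gw} is not on-link with {side}={local}")
    return problems
```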