Hi! Thanks Charles for your reply, but I fear it didn't help..

The subnet for the roadwarrior I got from here:
http://wiki.openswan.org/index.php/Openswan/ExtrudedSubnetRoadWarrior

But I tried it now your way .. right=%defaultroute and I removed the 
rightsubnet

It's also not a shorewall problem, because I stopped it..
and temporarily opened all interfaces in routestopped.

I have altered the drawing/config to be similar to the current 
implementation..

So on the roadwarrior it's still stuck at ipsec auto --up road..

Some extra info:
Using Wireshark on eth0 I get this though:
source:192.168.2.2 dest:192.168.2.1 Protocol:ISAKMP Info:Identity 
Protection (Main Mode)

and that's all it repeats.

When doing ip address show:
on leaf it detects ipsec0, but on the roadwarrior it does not.
However, /etc/init.d/ipsec has also been started there.

I hope I'm giving a clear view of the situation..

Grtz,
Tom

Citeren Charles Steinkuehler <[EMAIL PROTECTED]>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Tom Hendrickx wrote:
> | Here's my very easy test-setup:
> |
> |                         192.168.2.1/30
> | ---------------              |
> | |    Privat   |              |
> | |    subnet   |---- |LEAFSys| ---- |Roadwarrior pc|
> | |             |    |              |
> | ---------------    |              |- 192.168.2.2/30
> |        |      192.168.1.254
> | 192.168.1.0/24
> |
> | leaf = left
> | pc = right
> |
> | new ipsec settings which are the same on both:
> |
> | conn road
> |         left=192.168.2.1
> |         leftsubnet=192.168.1.0/24
> |         leftnexthop=192.168.2.2
> |         [EMAIL PROTECTED]
> |         leftcert=firewall.pem
> |         right=%defaultroute
> |         rightnexthop=192.168.2.1
> |         [EMAIL PROTECTED]
> |         rightcert=client.pem
> |         auto=start  (=add at the leafsystem)
> |
> | to make ipsec work however I had to give in a default route, otherwise
> | it wouldn't start .. So I've put on both as default route the direct
> | interface pointing to each other (eth0 both)
> | and only then "/etc/init.d/ipsec start" works on the leaf system the
> | ipsec is now ok I guess:
> | ip address show:
> |    ipsec0: <NOARP, UP> mtu 16260 qdisc pfifo_fast qlen 10
> |    link/ether 00:10:f3:06:4c:51 brd ff:ff:ff:ff:ff:ff
> |    inet 192.168.2.1/30 brd 192.168.2.3 scope global ipsec0
>
> Hmm...it's been quite a while since I used *swan, but IIRC you don't
> want to have a rightsubnet defined for your roadwarrior, and I'm pretty
> sure if you *DO* have a rightsubnet setting it should be for a network
> behind the roadwarrior, and *NOT* the roadwarrior's upstream network.
>
> You might want to use something like:
>
> ~  right=%defaultroute
>
> to avoid having to specify an IP address and next-hop on the roadwarrior
> (which will likely be on DHCP, so the values would be changing all the
> time).
>
> Also, configuring shorewall for IPSec traffic can be tricky, and could
> be why things seem to be hanging (timeouts can be very long...monitor
> traffic with tcpdump or similar to verify you don't have firewall rules
> causing problems).  You might want to disable all firewall rules until
> you get a connection going, then run shorewall and you'll know that if
> things break you have to fix firewall rules, not IPSec connections.
>
> - --
> Charles Steinkuehler
> [EMAIL PROTECTED]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFID1tjLywbqEHdNFwRAj17AKCk6Xm/pn0mIxhgw/5QtkfeVPAfuQCeLyeE
> +b+w8RIS56Fv3wbrM02uGVU=
> =CVBs
> -----END PGP SIGNATURE-----
>
>



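The Wireshark symptom Tom reports (Main Mode packets from 192.168.2.2 to 192.168.2.1 repeating, nothing else) can be pinned down from the fixed ISAKMP header alone: the initiator sends message 1 with the responder cookie zeroed, and a non-zero responder cookie only ever appears once the peer has answered. The following script is an added example, not code from the thread or from Openswan; it parses the 28-byte ISAKMP header (RFC 2408 section 3.1) from UDP/500 datagrams and groups them by initiator cookie to tell retransmits into the void apart from a live negotiation. The capture it runs on is constructed inline to mirror the symptom, with the cookie values, the 10.0.0.x healthy exchange and the function names being assumptions of this example.

```python
"""Classify IKEv1 (ISAKMP) exchanges in a capture as answered or one-sided.

Added example, not from the mailing-list thread or from Openswan.  Only the
fixed ISAKMP header is decoded; no payloads are parsed.
"""
import struct
from collections import OrderedDict

# Fixed ISAKMP header (RFC 2408 section 3.1): initiator cookie, responder
# cookie, next payload, version, exchange type, flags, message id, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {
    2: "Identity Protection (Main Mode)",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",
}
ISAKMP_VERSION_1 = 0x10
PAYLOAD_SA = 1
ZERO_COOKIE = "00" * 8


def parse_isakmp_header(udp_payload):
    """Decode the fixed header of a UDP/500 datagram into a dict."""
    if len(udp_payload) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than ISAKMP header")
    (icookie, rcookie, next_payload, version, exchange,
     flags, message_id, length) = ISAKMP_HDR.unpack_from(udp_payload)
    return {
        "icookie": icookie.hex(),
        "rcookie": rcookie.hex(),
        "version": version,
        "exchange": EXCHANGE_TYPES.get(exchange, "unknown(%d)" % exchange),
        "message_id": message_id,
        "length": length,
    }


def diagnose_exchanges(packets):
    """Group datagrams by initiator cookie and report whether the peer replied.

    packets: iterable of (src_ip, dst_ip, udp_payload), as a 'udp port 500'
    capture filter would yield them.  The sender of the first datagram seen
    for a cookie is taken as the initiator when its responder cookie is still
    zero; otherwise (capture started mid-exchange) the sender is assumed to
    be the responder.  Any datagram from the responder counts as a reply.
    """
    results = OrderedDict()
    for src, dst, payload in packets:
        hdr = parse_isakmp_header(payload)
        if hdr["icookie"] not in results:
            initiator, responder = (src, dst) if hdr["rcookie"] == ZERO_COOKIE else (dst, src)
            results[hdr["icookie"]] = {
                "initiator": initiator, "responder": responder,
                "exchange": hdr["exchange"], "sent": 0, "replies": 0,
            }
        entry = results[hdr["icookie"]]
        if src == entry["initiator"]:
            entry["sent"] += 1
        else:
            entry["replies"] += 1
    for entry in results.values():
        if entry["replies"] == 0:
            entry["verdict"] = ("no ISAKMP reply from %s: %d %s retransmits, "
                                "responder cookie still zero"
                                % (entry["responder"], entry["sent"], entry["exchange"]))
        else:
            entry["verdict"] = "peer %s is responding" % entry["responder"]
    return results


def make_header(icookie, rcookie, exchange=2, length=ISAKMP_HDR.size):
    """Build a bare ISAKMP header (constructed test data, payloads omitted)."""
    return ISAKMP_HDR.pack(icookie, rcookie, PAYLOAD_SA, ISAKMP_VERSION_1,
                           exchange, 0, 0, length)


# Constructed capture: the thread's symptom (cookie A retransmitted four times
# with no answer) next to a healthy first round trip on an assumed 10.0.0.x
# link (cookie B answered by the peer).
COOKIE_A = bytes.fromhex("1122334455667788")
COOKIE_B = bytes.fromhex("8877665544332211")
ZERO = bytes(8)
SAMPLE_CAPTURE = [
    ("192.168.2.2", "192.168.2.1", make_header(COOKIE_A, ZERO)),
    ("192.168.2.2", "192.168.2.1", make_header(COOKIE_A, ZERO)),
    ("192.168.2.2", "192.168.2.1", make_header(COOKIE_A, ZERO)),
    ("192.168.2.2", "192.168.2.1", make_header(COOKIE_A, ZERO)),
    ("10.0.0.5", "10.0.0.1", make_header(COOKIE_B, ZERO)),
    ("10.0.0.1", "10.0.0.5", make_header(COOKIE_B, bytes.fromhex("0f0e0d0c0b0a0908"))),
]

if __name__ == "__main__":
    for cookie, entry in diagnose_exchanges(SAMPLE_CAPTURE).items():
        print(cookie, entry["verdict"])
```

A "responder cookie still zero" verdict only says that nothing came back from 192.168.2.1 on UDP/500; it does not say why. That is exactly the split Charles suggests: with the firewall out of the picture it points at the gateway side (the daemon not listening on that interface, or the conn not loaded there), and with the firewall back it points at a dropped or unanswered UDP/500 flow.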
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
