On Mon, March 27, 2006 3:01 pm, Rod.. Whitworth wrote:
> On Mon, 27 Mar 2006 14:26:19 -0500 (EST), Nikolai N. Fetissov wrote:
>
>>On Sun, March 26, 2006 9:53 pm, Rod.. Whitworth wrote:
>>> 3.9 i386 build #617 snapshot:
>>>
>>> I have an ipsec.conf at one end of a tunnel-
>>> ike esp from 192.168.1.0/24 to 192.168.0.0/24 peer 61.95.94.130
>>> ike esp from 138.130.27.231 to 192.168.0.0/24 peer 61.95.94.130
>>> ike esp from 138.130.27.231 to 61.95.94.130
>>>
>>> One of the machines on 192.168.1.0/24 wants to connect to 61.95.94.139
>>> but an attempt to do so is unsuccessful as there is nothing in the
>>> routing table that indicates a route to that host and so it tries going
>>> via the default.
>>>
>>> 61.95.94.130 is a router that "knows" 61.95.94.136/29 as well as
>>> 61.95.94.128/29 but I cannot figure a way to make that router known as
>>> a route to the destination we need to reach.
>>>
>>> Adding ike esp from 192.168.1.0/24 to 61.95.94.136/29 peer 61.95.94.130
>>> doesn't generate any error message but neither does it add flows and
>>> ipsecctl -s f shows the same as without it.
>>>
>>> route add .... doesn't want to know either.
>>>
>>> Cluestick?
>>>
>>
>>is isakmpd up?
>
> Sure is.
> :-(
>
looks like you're trying to do net-to-net, host-to-net, and host-to-host at the same time.
none of the three lines you say you have in ipsec.conf match traffic from 192.168.1/24 to 61.95.94.139/32

i'd start with a simple setup. i'd try just this one line in ipsec.conf

ike esp from 192.168.1.0/24 to 61.95.94.136/29 peer 61.95.94.130

and try to initiate some traffic from within 192.168.1/24 to 61.95.94.139 to give isakmpd a chance to establish the SAs/add the routes. after that, check the flows.

(i trust you have forwarding and esp enabled and pf isn't in the way :)

that's my 2c.
--
nick
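The point Nick makes, that none of Rod's three rules cover 192.168.1/24 -> 61.95.94.139 while the single suggested rule does, can be checked mechanically. The script below is an added example written for this thread, not code from the thread, from OpenBSD or from isakmpd: it parses the `ike ... from SRC to DST [peer PEER]` lines quoted above (embedded here as constructed input) and reports which flow, if any, covers a given source/destination pair. It only models first-match on the outbound direction and ignores everything after the peer (auth, lifetimes, etc.); ipsecctl builds the reverse flows itself, which this checker does not model.

```python
"""Which ipsec.conf flow (if any) covers a given src/dst pair?

Added example for this thread; it is not OpenBSD or isakmpd code and only
approximates the ipsec.conf(5) "ike" grammar. Matching is first-match on the
outbound direction; reverse flows that ipsecctl creates are not modelled.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the three rules from Rod's ipsec.conf as quoted above.
ORIGINAL_CONF = """\
ike esp from 192.168.1.0/24 to 192.168.0.0/24 peer 61.95.94.130
ike esp from 138.130.27.231 to 192.168.0.0/24 peer 61.95.94.130
ike esp from 138.130.27.231 to 61.95.94.130
"""

# Constructed input: the single rule Nick suggests instead.
SUGGESTED_CONF = """\
ike esp from 192.168.1.0/24 to 61.95.94.136/29 peer 61.95.94.130
"""

# Loosely follows the ike rule grammar: optional mode/encap words before
# "from", an optional "peer", and anything after that (auth, lifetimes, ...)
# is ignored for the purpose of flow matching.
RULE_RE = re.compile(
    r"^ike\s+(?:\S+\s+)*?from\s+(\S+)\s+to\s+(\S+)(?:\s+peer\s+(\S+))?(?:\s+.*)?$"
)


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    peer: Optional[ipaddress.IPv4Address]  # None when omitted, as in Rod's third line


def parse_conf(text: str) -> list[Flow]:
    """Turn ike rule lines into Flow objects; blank lines and # comments are skipped."""
    flows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an 'ike ... from ... to ...' rule: {raw!r}")
        src, dst, peer = m.groups()
        flows.append(Flow(
            src=ipaddress.ip_network(src),   # a bare host becomes a /32
            dst=ipaddress.ip_network(dst),
            peer=ipaddress.ip_address(peer) if peer else None,
        ))
    return flows


def find_flow(flows: list[Flow], src_host: str, dst_host: str) -> Optional[Flow]:
    """First flow whose src and dst networks both contain the given hosts, else None."""
    s = ipaddress.ip_address(src_host)
    d = ipaddress.ip_address(dst_host)
    for f in flows:
        if s in f.src and d in f.dst:
            return f
    return None


def explain(flows: list[Flow], src_host: str, dst_host: str) -> str:
    """One-line verdict: which flow carries the traffic, or that none does."""
    f = find_flow(flows, src_host, dst_host)
    if f is None:
        return f"{src_host} -> {dst_host}: no flow; packet takes the normal route (default gateway)"
    via = f"peer {f.peer}" if f.peer else "peer = destination (no 'peer' given)"
    return f"{src_host} -> {dst_host}: covered by {f.src} -> {f.dst}, {via}"


if __name__ == "__main__":
    # 192.168.1.10 is a constructed host on Rod's inside network.
    for label, conf in (("original", ORIGINAL_CONF), ("suggested", SUGGESTED_CONF)):
        flows = parse_conf(conf)
        print(f"[{label}] {len(flows)} rule(s)")
        for dst in ("192.168.0.5", "61.95.94.139", "61.95.94.130"):
            print("  " + explain(flows, "192.168.1.10", dst))
```

Run against the original three rules, 192.168.1.10 -> 61.95.94.139 hits no flow, which is why the packet falls through to the default route as Rod observed; against the suggested rule it matches 61.95.94.136/29 via peer 61.95.94.130. Note that 61.95.94.130 itself sits in 61.95.94.128/29, not in 136/29, so the suggested rule does not cover traffic to the router address, only to the network behind it.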