On Fri, Aug 15, 2008 at 01:24:59PM +0900, william dunand wrote:
> Hi,
>
> I tried to reproduce what you want in my testing environment and
> managed to make it work.
>
> What you have to do is:
> - In your ipsec.conf, add a rule from your local network to the
> distant 172.25.0.1 (this rule is needed in order to route the traffic
> to enc0)
Did you need to configure this on both ends? If I add a flow routing my network to the remote IP, the packets never seem to get to enc0; it looks like isakmpd is stuck trying to negotiate something with the remote end. From what I can tell I need an SA for packets to get routed over enc0. In ipsec.conf I have:

    ike active esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z \
        main auth hmac-md5 enc 3des \
        quick auth hmac-md5 enc 3des group none \
        psk yarg

which lets me ping 172.25.0.1 from A.B.C.D. To route packets to 172.25.0.1 I am using:

    flow from any to 172.25.0.1 peer W.X.Y.Z

This does create appropriate encap entries in the routing tables, but I never see anything hit enc0.