On Fri, Aug 15, 2008 at 01:24:59PM +0900, william dunand wrote:
> Hi,
>
> I tried to reproduce what you want in my testing environment and
> managed to make it work.
>
> What you have to do is:
> - In your ipsec.conf, add a rule from your local network to the
> distant 172.25.0.1 (this rule is needed in order to route the traffic
> to enc0)
Did you need to configure this on both ends? If I add a flow routing
my network to the remote IP the packets never seem to get to enc0;
it looks like isakmpd is stuck trying to negotiate something with
the remote end. From what I can tell I need an SA for packets to
get routed over enc0.
In ipsec.conf I have:
ike active esp from A.B.C.D to 172.25.0.1 peer W.X.Y.Z \
main auth hmac-md5 enc 3des \
quick auth hmac-md5 enc 3des group none \
psk yarg
which lets me ping 172.25.0.1 from A.B.C.D. To route packets to
172.25.0.1 I am using
flow from any to 172.25.0.1 peer W.X.Y.Z
This does create appropriate encap entries in the routing tables,
but I never see anything hit enc0.
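The situation described in this reply (a flow installs the encap route, but traffic only leaves via enc0 once an SA whose selectors cover it exists) is easiest to avoid by letting the ike rule itself carry the network-to-host selectors, so the SA that isakmpd negotiates and the flow it installs already match the traffic. The following ipsec.conf is an added example written for this thread, not configuration from either poster. It assumes the local gateway A.B.C.D fronts the network 10.0.0.0/24 (an invented value), that 172.25.0.1 sits behind W.X.Y.Z as the thread says, and that the pre-shared key and transform names are placeholders/assumed choices rather than the ones used in the thread.

```conf
# Added example for this thread, not either poster's configuration.
# Assumptions (not from the thread): the local network is 10.0.0.0/24,
# the PSK is a placeholder, and the transforms are assumed choices.

# --- /etc/ipsec.conf on the local gateway (A.B.C.D) ---
remote_gw = "W.X.Y.Z"
local_net = "10.0.0.0/24"
remote_ip = "172.25.0.1"

# The "from ... to ..." selectors of the ike rule are what end up in the
# negotiated SA and in the flow isakmpd installs.  Covering the whole local
# network here, instead of only the gateway address A.B.C.D, is what gives
# hosts behind the gateway an SA to use when their packets are routed to
# enc0.  No separate "flow" line is needed for this traffic.
ike active esp from $local_net to $remote_ip peer $remote_gw \
    main  auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# --- /etc/ipsec.conf on the remote gateway (W.X.Y.Z), the mirror image ---
# Shown here commented out for reading convenience; it belongs on that host.
# The selectors are reversed and the rule is passive so only one side
# initiates.  The PSK and transforms must be identical on both ends.
#
# ike passive esp from 172.25.0.1 to 10.0.0.0/24 peer A.B.C.D \
#     main  auth hmac-sha2-256 enc aes-256 group modp2048 \
#     quick auth hmac-sha2-256 enc aes-256 group modp2048 \
#     psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

To check it: `ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, `ipsecctl -f /etc/ipsec.conf` loads it (with isakmpd running as `isakmpd -K` so that it takes its policy from ipsecctl), and `ipsecctl -s all` then lists both the flows and the SAs. If a flow shows up there with no SA covering the same selectors, packets matching it will hit the encap route but not enc0, which is the symptom described above; once the SA appears, `tcpdump -n -i enc0` should show the traffic.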