Raphael Astier <[EMAIL PROTECTED]> wrote:
>
> On GW1 :
> #setkey -f
> flush;
> spdflush;
> add 192.168.1.1 192.168.1.2 esp 1000 -m tunnel -E des-cbc "12345678";
> spdadd 10.0.0.0/24 11.0.0.0/24 any -P out ipsec
> esp/tunnel/192.168.1.1-192.168.1.2/require;
>
> On GW2 : (only need to have SPI to decrypt packets coming from GW1)
> #!/usr/local/sbin/setkey -f
> flush;
> spdflush;
> add -n 192.168.1.1 192.168.1.2 esp 1000 -m tunnel -E des-cbc "12345678";
This can't possibly work since inbound policies are required for tunnel-mode SAs (otherwise people can send packets with arbitrary source addresses once they have a tunnel-mode SA with you). So you need at least 1 more policy on GW1 and 2 policies on GW2 for this to have a chance of working.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
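As an added illustration of the fix Herbert describes (this is not from the original thread), here is what the two setkey scripts look like once every tunnel-mode SA is covered by both an outbound and an inbound policy. The addresses, subnets and SPI 1000 come from the quoted configuration; the second SA (SPI 1001, for the GW2 to GW1 direction), the AES/HMAC-SHA256 algorithms and the hex keys are assumptions and placeholders, not values from the thread.

```conf
#!/usr/sbin/setkey -f
# ---- GW1 (192.168.1.1, fronting 10.0.0.0/24) ----
# Added example, not the thread's configuration. Keys are placeholders.
flush;
spdflush;

# One SA per direction; the same two SAs are loaded on both gateways.
add 192.168.1.1 192.168.1.2 esp 1000 -m tunnel
    -E aes-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha256 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
add 192.168.1.2 192.168.1.1 esp 1001 -m tunnel
    -E aes-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha256 0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100;

# Outbound: 10.0.0.0/24 -> 11.0.0.0/24 must leave inside the GW1->GW2 tunnel.
spdadd 10.0.0.0/24 11.0.0.0/24 any -P out ipsec
    esp/tunnel/192.168.1.1-192.168.1.2/require;

# Inbound: 11.0.0.0/24 -> 10.0.0.0/24 is accepted only if it arrived through
# the GW2->GW1 tunnel. This is the policy the quoted GW1 script is missing:
# it ties the decapsulated inner addresses to the SA, so a peer holding the
# tunnel SA cannot inject packets with arbitrary inner source addresses.
spdadd 11.0.0.0/24 10.0.0.0/24 any -P in ipsec
    esp/tunnel/192.168.1.2-192.168.1.1/require;

# ---- GW2 (192.168.1.2, fronting 11.0.0.0/24) ----
# Same flush/spdflush and the same two 'add' lines as above, then the
# mirrored pair of policies (the quoted GW2 script had neither).
spdadd 11.0.0.0/24 10.0.0.0/24 any -P out ipsec
    esp/tunnel/192.168.1.2-192.168.1.1/require;
spdadd 10.0.0.0/24 11.0.0.0/24 any -P in ipsec
    esp/tunnel/192.168.1.1-192.168.1.2/require;
```

After loading, `setkey -DP` on each gateway should list one `in` and one `out` policy with `esp/tunnel/.../require`, and `setkey -D` the two SAs; a policy whose `require` tunnel endpoints do not match an installed SA is the usual reason traffic is silently dropped.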