On 9/8/06, Patrick McHardy <[EMAIL PROTECTED]> wrote:
> Gnome42 Gnome42 wrote:
> Can you see the decrypted packets on the incoming interface on the other side?
No, not the decrypted ones, only the encrypted ones. I never see the decrypted packets. (I should see them twice, right? Once encrypted and once decrypted?)
> Please post your policies and related SAs from both sides. Are you using NAT, iptables or anything like that?
(Beware, I am not knowledgeable about IPSec :) I am testing this between my workstation and my linux/firewall/nat box with adsl. So encrypted on my local lan only. The firewall box is using iptables and is natting for me, but the ipsec traffic is just local and is not natted. I am testing roadwarrior mode, with the firewall as the responder. No iptables/NAT on my workstation. I have allowed protocols 50/51 and udp 500 and it works well with other kernels including 2.6.18-rc5, so I think the iptables stuff is OK.

On my workstation (34.34.36.1) I use:

spdadd 34.34.36.1 206.207.0.0/16 any -P out ipsec esp/tunnel/34.34.36.1-34.34.36.6/use;
spdadd 206.207.0.0/16 34.34.36.1 any -P in ipsec esp/tunnel/34.34.36.6-34.34.36.1/use;

and on the firewall:

remote anonymous {
        exchange_mode aggressive,main;
        passive on;
        my_identifier fqdn "blah1";
        peers_identifier fqdn "blah2";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        generate_policy on;
}

sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm aes;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

... or did you mean dumps from setkey -D[P]?
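As an added example (not part of the thread), a small Python checker for setkey SPD policies like the two posted above: it parses spdadd lines, verifies that the inbound policy mirrors the outbound one (selector src/dst and tunnel endpoints swapped, same protocol/mode/level), and flags level "use", which lets traffic fall back to cleartext when no SA has been negotiated. The SPD sample is constructed from the workstation policies in the message; the regex and Policy type are this example's own, not part of setkey.

```python
import re
from dataclasses import dataclass
# Constructed sample: the two setkey SPD lines posted for the workstation.
SPD_SAMPLE = """\
spdadd 34.34.36.1 206.207.0.0/16 any -P out ipsec esp/tunnel/34.34.36.1-34.34.36.6/use;
spdadd 206.207.0.0/16 34.34.36.1 any -P in ipsec esp/tunnel/34.34.36.6-34.34.36.1/use;
"""

# Matches one setkey 'spdadd' line with a single esp/ah rule (tunnel or transport mode).
POLICY_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<direction>in|out|fwd)\s+ipsec\s+"
    r"(?P<ipproto>esp|ah)/(?P<mode>tunnel|transport)/(?P<tun_src>[^/-]*)-?(?P<tun_dst>[^/]*)/(?P<level>\w+)\s*;"
)

@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    proto: str
    direction: str
    ipproto: str
    mode: str
    tun_src: str
    tun_dst: str
    level: str

def parse_spd(text: str) -> list[Policy]:
    """Parse spdadd lines; anything the pattern does not recognise is skipped."""
    return [Policy(**m.groupdict()) for m in POLICY_RE.finditer(text)]

def check_policies(policies: list[Policy]) -> list[str]:
    """Return problems: outbound rules without a mirrored inbound rule, and 'use'-level rules."""
    problems = []
    inbound = [p for p in policies if p.direction == "in"]
    for o in (p for p in policies if p.direction == "out"):
        # The return direction swaps the selector src/dst and the tunnel endpoints.
        mirror = [i for i in inbound if (i.src, i.dst, i.proto) == (o.dst, o.src, o.proto)]
        if not mirror:
            problems.append(f"out {o.src}->{o.dst}: no inbound policy for the reverse flow")
            continue
        i = mirror[0]
        if (i.tun_src, i.tun_dst) != (o.tun_dst, o.tun_src):
            problems.append(f"out {o.src}->{o.dst}: inbound policy does not swap the tunnel endpoints")
        if (i.ipproto, i.mode, i.level) != (o.ipproto, o.mode, o.level):
            problems.append(f"out {o.src}->{o.dst}: inbound policy differs in protocol, mode or level")
    for p in policies:  # level 'use' means the kernel passes packets unprotected if no SA exists
        if p.level == "use":
            problems.append(f"{p.direction} {p.src}->{p.dst}: level 'use' allows cleartext fallback when no SA exists")
    return problems
```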