Re: [leaf-user] VPN Tunnel up but *no* traffic across connection?

2004-11-12 Thread Charles Steinkuehler
Timothy J. Massey wrote:
> Hello!
> I have created a certificate-based tunnel between a Leaf firewall and a 
> Windows client using either the Windows 2000 VPN tool 
> (http://vpn.ebootis.de/) or SSH Sentinel.  In both cases, the client 
> software establishes the connection, and according to Leaf's auth.log, 
> the tunnel is 100% established.
> 
> However, no traffic seems to come from the Leaf firewall to the Windows 
> client.  There are no entries in shorewall.log, or any other log entry.  
> From the Windows computer, when I ping or browse a computer behind the 
> Leaf side of the VPN, it times out.  The external interface of the Leaf 
> box blinks, but the internal one does not.  If I ping from a (Windows) 
> client on the Leaf side to the Windows client, I get a response:  
> Response from 10.154.19.254:  Port not available (or something like 
> that:  I'll try to get it back again).  The external interface does not 
> blink.
> 
> It seems that the tunnel is up, but something is not routing properly.  
> Where can I look?  There's *nothing* in any entry in any log in /var/log 
> at all, especially shorewall.log: it's 0 bytes.

The problem you describe can be caused if the keying traffic (UDP port 500) 
is allowed, but the encrypted data (ESP/Protocol 50 or AH/Protocol 51) is 
being blocked.

Make sure you have an entry in /etc/shorewall/tunnels for your IPSec 
connection, and make sure your ISP isn't dropping the encrypted traffic 
(smarter ISPs do this to prevent VPN software from working at home unless 
you pay for SOHO class access).

If your ISP is blocking the encrypted traffic, using NAT-traversal (which 
tunnels the encrypted data across UDP port 500) should solve the problem, 
but I'd suspect firewall rules first.

--
Charles Steinkuehler
[EMAIL PROTECTED]
---
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588alloc_id=12065op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
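A way to confirm the split Charles describes (keying passes, encrypted payload does not) from a packet capture on the external interface, as an added example that is not code from this thread, from LEAF or from Shorewall. The gateway address 68.208.33.25 is the one quoted in the thread; the peer address 203.0.113.7 and the tcpdump-style lines are constructed. Since RFC 3948 NAT-T carries ESP inside UDP 4500, the classifier counts both UDP 500 and UDP 4500 as well as raw ESP/AH:

```python
"""Classify which IPsec components a gateway actually exchanges with a peer.

Added example for the leaf-user thread; not code from the thread, LEAF or
Shorewall.  If IKE (UDP 500) passes but the encrypted payload (ESP, IP
protocol 50, or AH, protocol 51) is dropped, the tunnel negotiates fine
and then carries nothing.
"""
import re
from collections import defaultdict

# /etc/shorewall/tunnels line (TYPE ZONE GATEWAY) that makes Shorewall accept
# IKE, ESP and AH from any peer in the "net" zone.
TUNNELS_ENTRY = "ipsec\tnet\t0.0.0.0/0"

GATEWAY = "68.208.33.25"   # LEAF box's external address, from the thread
PEER = "203.0.113.7"       # constructed road-warrior address

# Constructed "tcpdump -ni eth0" style summaries, not real captures.
CAPTURE_IKE_ONLY = [
    f"IP {PEER}.500 > {GATEWAY}.500: isakmp: phase 1 I ident",
    f"IP {GATEWAY}.500 > {PEER}.500: isakmp: phase 1 R ident",
    f"IP {PEER}.500 > {GATEWAY}.500: isakmp: phase 2/others I oakley-quick",
    f"IP {GATEWAY}.500 > {PEER}.500: isakmp: phase 2/others R oakley-quick",
]
CAPTURE_ESP_IN_ONLY = CAPTURE_IKE_ONLY + [
    f"IP {PEER} > {GATEWAY}: ESP(spi=0x0a1b2c3d,seq=0x1), length 116",
    f"IP {PEER} > {GATEWAY}: ESP(spi=0x0a1b2c3d,seq=0x2), length 116",
]
CAPTURE_WORKING = CAPTURE_ESP_IN_ONLY + [
    f"IP {GATEWAY} > {PEER}: ESP(spi=0x4e5f6071,seq=0x1), length 116",
]
CAPTURE_NAT_T = CAPTURE_IKE_ONLY + [
    f"IP {PEER}.4500 > {GATEWAY}.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 116",
    f"IP {GATEWAY}.4500 > {PEER}.4500: UDP-encap: ESP(spi=0x4e5f6071,seq=0x1), length 116",
]

LINE_RE = re.compile(
    r"^IP (\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?: (\w+)"
)


def classify(line):
    """Return (src, dst, component) for an IPsec-related line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, proto = m.groups()
    ports = {sport, dport}
    if proto == "ESP":
        component = "esp"
    elif proto == "AH":
        component = "ah"
    elif "4500" in ports:
        component = "nat-t"      # RFC 3948 UDP-encapsulated ESP
    elif "500" in ports:
        component = "ike"
    else:
        return None
    return src, dst, component


def observed(lines, gateway=GATEWAY):
    """Map component -> set of directions ("in"/"out") relative to the gateway."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        src, dst, component = hit
        if dst == gateway:
            seen[component].add("in")
        elif src == gateway:
            seen[component].add("out")
    return dict(seen)


def diagnose(lines, gateway=GATEWAY):
    """Reduce a capture to one verdict a firewall admin can act on."""
    seen = observed(lines, gateway)
    ike = seen.get("ike", set())
    data = seen.get("esp", set()) | seen.get("ah", set()) | seen.get("nat-t", set())
    if "in" not in ike:
        return "no-keying"
    if not data:
        # IKE completes but protocol 50/51 never arrives: filtered upstream,
        # NAT-T (ESP over UDP) is the workaround.
        return "keying-only"
    if "in" in data and "out" not in data:
        # ESP reaches the box but nothing is sent back: check the tunnels
        # entry (ESP/AH accepted) and that replies are routed into the tunnel.
        return "esp-not-returned"
    return "tunnel-carrying-traffic"
```

Feed it the output of `tcpdump -ni <external interface> 'esp or ah or udp port 500 or udp port 4500'` from the gateway; a capture that yields "esp-not-returned" points at the gateway's own rules or routing, while "keying-only" points upstream.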


RE: [leaf-user] VPN Tunnel up but *no* traffic across connection?

2004-11-12 Thread Peter Mueller
>  left=68.208.33.25
>  leftsubnet=10.154.16.0/22
> 
>  rightsubnet=10.154.16.0/255.255.252.0

(If I'm reading this correctly..)
In left's view, 10.154.16.0/.252 is owned by left.  Ipsec routes get a lower
route priority than local interface routes.  Therefore, traffic won't bother
to traverse over IPSec.  Try changing the subnet range to something
different.

If this isn't the case, please post a simplified ascii map.

Regards,

P
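A check for the overlap Peter is pointing at, as an added example that is not code from this thread or from FreeS/WAN: it parses a conn fragment built from the values quoted above, accepts both the `/22` and the `/255.255.252.0` spellings, reports when leftsubnet and rightsubnet overlap, and models the route choice Peter describes (connected LAN route preferred over the tunnel route). The corrected rightsubnet 10.154.20.0/22 and the client address 10.154.18.10 are placeholders chosen for the illustration.

```python
"""Detect an ipsec.conf conn whose leftsubnet and rightsubnet overlap.

Added example, not code from the thread or from FreeS/WAN.  With both ends
claiming 10.154.16.0/22, the gateway's own LAN route matches the far side's
addresses, so nothing is ever handed to the tunnel.
"""
import ipaddress

# Constructed conn fragment reproducing the subnets quoted in the thread.
CONN_OVERLAPPING = """
conn roadwarrior
    left=68.208.33.25
    leftsubnet=10.154.16.0/22
    right=%any
    rightsubnet=10.154.16.0/255.255.252.0
"""

# Same conn with a distinct remote range (10.154.20.0/22 is a placeholder).
CONN_FIXED = CONN_OVERLAPPING.replace(
    "rightsubnet=10.154.16.0/255.255.252.0", "rightsubnet=10.154.20.0/22"
)


def parse_conn(text):
    """Return the key=value pairs of one conn block as strings."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def subnet(value):
    """ipsec.conf allows both prefix-length and dotted-netmask forms."""
    return ipaddress.ip_network(value, strict=False)


def subnet_problems(params):
    """List problems visible from the two subnets alone."""
    problems = []
    left = subnet(params["leftsubnet"])
    right = subnet(params["rightsubnet"])
    if left.overlaps(right):
        problems.append(
            f"leftsubnet {left} overlaps rightsubnet {right}: "
            "far-side addresses match a local interface route"
        )
    return problems


def routes_for(params):
    """Model Peter's description: the connected route for leftsubnet on the
    LAN interface outranks (lower metric) the route the conn adds for
    rightsubnet.  (network, device, metric)"""
    return [
        (subnet(params["leftsubnet"]), "eth1", 0),
        (subnet(params["rightsubnet"]), "ipsec0", 10),
    ]


def select_route(dst, routes):
    """Longest prefix first, then lowest metric, as the kernel FIB does."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    net, dev, _metric = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return dev


if __name__ == "__main__":
    for label, text in (("overlapping", CONN_OVERLAPPING), ("fixed", CONN_FIXED)):
        params = parse_conn(text)
        print(label, subnet_problems(params) or "no subnet problems")
        # 10.154.18.10: a constructed client address inside 10.154.16.0/22
        print("  10.154.18.10 ->", select_route("10.154.18.10", routes_for(params)))
```

With the quoted values a packet for any far-side address leaves on eth1; once rightsubnet is a range the LAN does not own, the same lookup picks the tunnel device.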

