On Thu, Apr 08, 2010 at 06:10:49AM -0700, Kai Krebber wrote:
> >So, what does your IPsec policy look like? (the one configured in
> >/etc/inet/ipsecinit.conf or via ipsecconf(1M))
>
>
> {laddr kunde003-lan raddr testssg140} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
That only secures traffic between the two addresses in transport mode. No
wonder your IKE is failing.
You need something like this to protect the tunnel:
{ tunnel ip.tun0 negotiate tunnel laddr 192.168.111.0/24 raddr 10.1.1.0/24 }
ipsec { <algs...> }
Also, you have the router and private flags mixed up. Your tunnel and
internal-network need "router" set, but your on-the-wire interface needs
"private" set. I know it's counterintuitive, but they're hints to
forwarding, not security parameters.
Finally -- do you have a route for 10.1.1.0/24 over your tunnel?
route add 10.1.1.0/24 10.1.1.1
Dan
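Added example, not part of the thread: a small Python checker that parses the subset of ipsecconf(1M)/ipsecinit.conf policy syntax used above, derives the IKEv1 Quick Mode (phase 2) proposal the local side would make for each rule, and compares it with what a site-to-site peer expects. It makes concrete why a host-to-host transport-mode rule cannot satisfy a peer that wants a tunnel between 192.168.111.0/24 and 10.1.1.0/24. The addresses behind kunde003-lan and testssg140, and the peer's expected selectors, are constructed for this example and are not values from the post.

```python
# Added example (not code from the thread): parse ipsecinit.conf-style policy
# entries, derive the phase 2 proposal for each, and check it against the peer.
import ipaddress
import re

# Constructed host table for the names used in the thread; the addresses are
# assumptions made for this example, not values from the original post.
HOSTS = {"kunde003-lan": "203.0.113.10", "testssg140": "198.51.100.20"}

# The original transport-mode rule, and the tunnel-mode rule from the reply
# (with concrete algorithms substituted for <algs...>).
POLICY_TRANSPORT = (
    "{laddr kunde003-lan raddr testssg140} "
    "ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}"
)
POLICY_TUNNEL = (
    "{ tunnel ip.tun0 negotiate tunnel laddr 192.168.111.0/24 raddr 10.1.1.0/24 } "
    "ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}"
)

# Constructed model of the peer gateway: it is configured for a tunnel between
# its local subnet 10.1.1.0/24 and the remote subnet 192.168.111.0/24.
PEER_EXPECTS = {
    "mode": "tunnel",
    "local": ipaddress.ip_network("10.1.1.0/24"),
    "remote": ipaddress.ip_network("192.168.111.0/24"),
}


def to_network(spec):
    """Resolve a name via HOSTS, then return an ip_network (/32 for a host)."""
    return ipaddress.ip_network(HOSTS.get(spec, spec), strict=False)


def parse_policy(text):
    """Parse '{pattern} ipsec {properties}' entries, one per line.

    Supported pattern keywords: tunnel <ifname>, negotiate <tunnel|transport>,
    laddr <addr|prefix>, raddr <addr|prefix>. Anything else is rejected.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\{(.*?)\}\s*ipsec\s*\{(.*?)\}", line)
        if not m:
            raise ValueError(f"unparsable policy line: {line!r}")
        toks = m.group(1).split()
        if len(toks) % 2:
            raise ValueError(f"keyword without value in: {line!r}")
        rule = {"tunnel": None, "mode": "transport", "laddr": None,
                "raddr": None, "props": m.group(2).split()}
        for key, val in zip(toks[0::2], toks[1::2]):
            if key == "tunnel":
                rule["tunnel"] = val
            elif key == "negotiate":
                if val not in ("tunnel", "transport"):
                    raise ValueError(f"bad negotiate mode {val!r}")
                rule["mode"] = val
            elif key in ("laddr", "raddr"):
                rule[key] = to_network(val)
            else:
                raise ValueError(f"unsupported keyword {key!r}")
        rules.append(rule)
    return rules


def phase2_proposal(rule):
    """Encapsulation mode and traffic selectors the local IKE would propose."""
    return {"mode": rule["mode"], "local": rule["laddr"], "remote": rule["raddr"]}


def check_against_peer(rule, peer=PEER_EXPECTS):
    """Return [] if the peer would accept the proposal, else the mismatches.

    The peer's 'local' selector is our 'remote' one and vice versa.
    """
    prop = phase2_proposal(rule)
    problems = []
    if prop["mode"] != peer["mode"]:
        problems.append(f"mode: we offer {prop['mode']}, peer wants {peer['mode']}")
    if prop["local"] != peer["remote"]:
        problems.append(f"local selector: we offer {prop['local']}, peer wants {peer['remote']}")
    if prop["remote"] != peer["local"]:
        problems.append(f"remote selector: we offer {prop['remote']}, peer wants {peer['local']}")
    return problems


if __name__ == "__main__":
    for label, text in (("transport rule", POLICY_TRANSPORT), ("tunnel rule", POLICY_TUNNEL)):
        rule = parse_policy(text)[0]
        print(label, "->", check_against_peer(rule) or "peer accepts")
```

Running it prints three mismatches (mode and both selectors) for the transport rule and "peer accepts" for the tunnel rule. Real IKE daemons report the same condition as NO_PROPOSAL_CHOSEN or a proxy-ID mismatch, which is the symptom to look for in the in.iked or peer logs.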
_______________________________________________
security-discuss mailing list