Mike Lander wrote:
> Which address is specified as the local end of the IPSEC tunnel-mode SP?
> 
> -Tom
> 
> conn arkonaIPsec
>  type = tunnel
>  left = 66.224.62.118
>  leftnexthop = 66.224.62.97
>  right = 65.203.186.182
>  leftsubnet = 10.194.79.0/255.255.255.0
>  rightsubnet = 172.30.0.0/255.255.255.0
>  auto = start
>  keyexchange = ike
>  authby = secret
>  auth = esp
>  keyingtries = 0
>  pfs = yes
>  esp = 3DES-MD5
>  ike = 3DES-MD5-MODP1024
>  ikelifetime = 60m
>  rekeyfuzz = 100%
>  rekeymargin = 10m
> 
> [EMAIL PROTECTED] ~]# ipsec auto status
> ipsec auto: warning: obsolete command syntax used
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 66.224.62.118
> 000 interface eth1/eth1 67.183.187.44
> 000 interface eth3/eth3 10.194.79.1
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} trans={0,3,336} attrs={0,3,224}
> 000
> 000 "arkonaIPsec": 10.194.79.0/24===66.224.62.118---66.224.62.97...65.203.186.182===172.30.0.0/24; erouted; eroute owner: #5
> 000 "arkonaIPsec":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "arkonaIPsec":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 0
> 000 "arkonaIPsec":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
> 000 "arkonaIPsec":   newest ISAKMP SA: #4; newest IPsec SA: #5;
> 000 "arkonaIPsec":   IKE algorithms wanted: 5_000-1-2, flags=strict
> 000 "arkonaIPsec":   IKE algorithms found:  5_192-1_128-2,
> 000 "arkonaIPsec":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
> 000 "arkonaIPsec":   ESP algorithms wanted: 3_000-1, flags=strict
> 000 "arkonaIPsec":   ESP algorithms loaded: 3_000-1, flags=strict
> 000 "arkonaIPsec":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
> 000
> 000 #5: "arkonaIPsec":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1861s; newest IPSEC; eroute owner
> 000 #5: "arkonaIPsec" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
> 000 #4: "arkonaIPsec":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1110s; newest ISAKMP; lastdpd=58s(seq in:0 out:0)
> 000
> [EMAIL PROTECTED] ~]#
> 
> 
> This is the tunnel status as we speak.

Ok.

You have some cruft in your current configuration.

a) The old routing rules from when you had HIGH_ROUTE_MARKS=Yes are still there.

b) There's the following route:

        172.30.0.0/24 via 66.224.62.97 dev eth0

   If you are going to have that route defined, you should add "src 10.194.79.1"
   to it. That way traffic from the firewall to the remote network will go
   through the tunnel.

c) There is this routing rule -- what is it for?

        1000:   from all to 172.30.0.0/24 lookup main

I'd like to see the output of "ip route ls cache" when this is failing. You can
send it to me directly as it won't be of much interest to anyone else.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
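A mechanical version of the check behind point b), added here as an example (not code from the thread or from Shorewall): it parses "ip route ls" output, flags any route toward rightsubnet whose traffic would not be sourced from the firewall's own leftsubnet address, and returns the "ip route replace ... src" command that corrects it. The route lines are a constructed sample modelled on the addresses in the thread.

```python
import ipaddress

# Constructed sample of "ip route ls" output modelled on the thread: the route to
# the remote network has no "src", so traffic the firewall itself originates
# would leave from the eth0 address and miss the tunnel's 10.194.79.0/24 side.
SAMPLE_ROUTES = """\
172.30.0.0/24 via 66.224.62.97 dev eth0
66.224.62.96/27 dev eth0 proto kernel scope link src 66.224.62.118
10.194.79.0/24 dev eth3 proto kernel scope link src 10.194.79.1
default via 66.224.62.97 dev eth0
"""
# Subnets as written in the quoted conn block (netmask form is accepted).
CONN = {"leftsubnet": "10.194.79.0/255.255.255.0",
        "rightsubnet": "172.30.0.0/255.255.255.0"}

def parse_route(line):
    # Destination is the first token; the rest are "keyword value" pairs.
    tokens = line.split()
    route, it = {"dst": tokens[0]}, iter(tokens[1:])
    for tok in it:
        if tok in ("via", "dev", "src", "proto", "scope", "metric", "table"):
            route[tok] = next(it, None)
    return route

def local_src_for(routes, leftsubnet):
    # The firewall's own address inside leftsubnet, from its connected route.
    net = ipaddress.ip_network(leftsubnet)
    for r in routes:
        if r.get("src") and ipaddress.ip_address(r["src"]) in net:
            return r["src"]
    return None

def check_tunnel_routes(route_text, conn):
    # Returns (destinations routed toward rightsubnet without a leftsubnet src,
    # the "ip route replace ... src" commands that would correct them).
    left = ipaddress.ip_network(conn["leftsubnet"])
    right = ipaddress.ip_network(conn["rightsubnet"])
    routes = [parse_route(l) for l in route_text.splitlines() if l.strip()]
    local_src = local_src_for(routes, conn["leftsubnet"])
    bad, fixes = [], []
    for r in routes:
        if r["dst"] == "default" or not ipaddress.ip_network(r["dst"]).overlaps(right):
            continue
        if r.get("src") is None or ipaddress.ip_address(r["src"]) not in left:
            bad.append(r["dst"])
            cmd = f"ip route replace {r['dst']}"
            cmd += f" via {r['via']}" if r.get("via") else ""
            cmd += f" dev {r['dev']}" if r.get("dev") else ""
            fixes.append(cmd + f" src {local_src}" if local_src else cmd)
    return bad, fixes
```

Run it against the real output of "ip route ls" on the firewall; a route that already carries a src inside leftsubnet is left alone.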


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
