
[Users] Network is not directly connected to IPSEC GW

From: Bernhard 'Gustl' Bauer <gustl(at)quantec.de>
Date: Thu Oct 02 2003 - 06:48:08 EDT


Hello,

I'm trying to get a similar connection as described in http://www.freeswan.org/freeswan_trees/freeswan-2.02/doc/adv_config.html#adv_config

My network looks like this:

        netA---gwA---gwB
                      |----netB
                      |
                      |----netC

It means gwB has only one physical IF (eth0). netB is connected via a virtual IF eth0:1. This (test) works fine. netC is not directly connected to gwB but can be reached via its default route. This (gustl1) one wouldn't work.

gwA's ipsec.conf:
conn test
        left=194.9.119.76
        leftnexthop=194.9.119.73
        leftsubnet=213.179.211.0/30
        leftrsasigkey=0sAQ....
        right=%any
        rightsubnet=213.179.211.4/30
        rightid=@gw4.test.netz
        rightrsasigkey=0sAQ...
        auto=add

conn gustl1
        left=194.9.119.76
        leftnexthop=194.9.119.73
        leftsubnet=192.168.111.0/24
        leftrsasigkey=0sAQ...
        right=%any
        rightsubnet=213.179.211.4/30
        rightid=@gw4.test.netz
        rightrsasigkey=0sAQ..
        auto=add

gwB's ipsec.conf:
conn test
        left=194.9.119.76
        leftnexthop=194.9.119.73
        leftsubnet=213.179.211.0/30
        leftrsasigkey=0sAQO...
        right=%defaultroute
        rightsubnet=213.179.211.4/30
        rightid=@gw4.test.netz
        rightrsasigkey=0sAQ..
        auto=start

conn gustl1
        left=194.9.119.76
        leftnexthop=194.9.119.73
        leftsubnet=192.168.111.0/24
        leftrsasigkey=0sAQO...
        right=%defaultroute
        rightsubnet=213.179.211.4/30
        rightid=@gw4.test.netz
        rightrsasigkey=0sAQ....
        auto=start

If I start both ipsecs I find 2 disturbing lines in /var/log/message of gwB:
Oct 2 12:30:17 dsl ipsec__plutorun: 104 "gustl1" #1: STATE_MAIN_I1: initiate
Oct 2 12:30:17 dsl ipsec__plutorun: ...could not start conn "gustl1"

But there is no info in /var/log/secure why:

Oct  2 12:30:12 dsl ipsec__plutorun: Starting Pluto subsystem...
Oct  2 12:30:12 dsl pluto[6510]: Starting Pluto (FreeS/WAN Version 2.02 PLUTO_USES_KEYRR)
Oct  2 12:30:15 dsl pluto[6510]: added connection description "gustl1"
Oct  2 12:30:16 dsl pluto[6510]: added connection description "test"
Oct  2 12:30:16 dsl pluto[6510]: listening for IKE messages
Oct  2 12:30:16 dsl pluto[6510]: adding interface ipsec0/ppp0 217.232.138.251
Oct  2 12:30:16 dsl pluto[6510]: loading secrets from "/etc/ipsec.secrets"
Oct  2 12:30:17 dsl pluto[6510]: "gustl1" #1: initiating Main Mode
Oct  2 12:30:19 dsl pluto[6510]: "gustl1" #1: ISAKMP SA established
Oct  2 12:30:19 dsl pluto[6510]: "test" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP
Oct 2 12:30:19 dsl pluto[6510]: "gustl1" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP
Oct 2 12:30:20 dsl pluto[6510]: "test" #2: sent QI2, IPsec SA established
Oct 2 12:30:20 dsl pluto[6510]: "gustl1" #3: sent QI2, IPsec SA established

If I send a ping from netA to netB it works. A ping from netA to netC won't work. I can trace the ping up to ipsec0 on gwB. The ping should go out on eth0 on gwB, but it doesn't. gwB can reach netC via its default GW. I can ping netC from gwB.

Any idea what's wrong?

TIA gustl
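Added example (not part of the original post, and not FreeS/WAN code): a small policy checker in the spirit of the question above. It parses the two conn blocks into their leftsubnet/rightsubnet pairs and then labels sample flows with the conn that covers them, or CLEARTEXT when no pair matches, which is how a gateway would end up forwarding a packet along its ordinary default route instead of through a tunnel. The ipsec.conf excerpt is reconstructed from the post with the RSA keys left out; the flows and the 10.10.10.10 address standing in for a netC host are constructed, since the post does not give netC's prefix.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed ipsec.conf excerpt modelled on the "test" and "gustl1" conns in
# the post above. Addresses are those from the post; the RSA keys are omitted.
SAMPLE_IPSEC_CONF = """\
conn test
        left=194.9.119.76
        leftnexthop=194.9.119.73
        leftsubnet=213.179.211.0/30
        right=%any
        rightsubnet=213.179.211.4/30
        auto=add

conn gustl1
        left=194.9.119.76
        leftnexthop=194.9.119.73
        leftsubnet=192.168.111.0/24
        right=%any
        rightsubnet=213.179.211.4/30
        auto=add
"""

# Constructed sample flows. 10.10.10.10 is a hypothetical host on "netC";
# the post does not state netC's real prefix.
SAMPLE_FLOWS = [
    ("213.179.211.1", "213.179.211.5"),   # netA -> netB
    ("192.168.111.10", "213.179.211.6"),  # 192.168.111.0/24 -> netB
    ("213.179.211.6", "192.168.111.10"),  # netB -> 192.168.111.0/24 (reverse)
    ("213.179.211.1", "10.10.10.10"),     # netA -> hypothetical netC host
]


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'conn NAME' sections of ipsec.conf-style text into a
    {conn_name: {key: value}} mapping. Blank lines and '#' comments are
    ignored; a 'config setup' section ends the current conn."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def policy_for(conns: Dict[str, Dict[str, str]], src: str, dst: str) -> Optional[str]:
    """Return the conn whose leftsubnet/rightsubnet pair covers a src->dst
    packet (checked in both directions; the most specific pair wins), or
    None when no subnet policy applies. None means the gateway would forward
    the packet by its ordinary routing table, i.e. unencrypted."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    best: Optional[str] = None
    best_len = -1
    for name, c in conns.items():
        if "leftsubnet" not in c or "rightsubnet" not in c:
            continue  # host-to-host or incomplete conn: no subnet policy
        left = ipaddress.ip_network(c["leftsubnet"], strict=False)
        right = ipaddress.ip_network(c["rightsubnet"], strict=False)
        for a, b in ((left, right), (right, left)):
            if s in a and d in b:
                specificity = a.prefixlen + b.prefixlen
                if specificity > best_len:
                    best, best_len = name, specificity
    return best


def classify_flows(conns: Dict[str, Dict[str, str]],
                   flows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (src, dst) flow with the protecting conn, or 'CLEARTEXT'
    when no conn's subnet pair matches it."""
    return [(src, dst, policy_for(conns, src, dst) or "CLEARTEXT")
            for src, dst in flows]


if __name__ == "__main__":
    parsed = parse_conns(SAMPLE_IPSEC_CONF)
    for src, dst, label in classify_flows(parsed, SAMPLE_FLOWS):
        print(f"{src:>16} -> {dst:<16} {label}")
```

Running it shows that only the netA/netB and 192.168.111.0/24/netB pairs are covered by a conn, while the netA to netC flow falls through to CLEARTEXT: a quick way to confirm, before trusting a tunnel, which destinations actually have a subnet policy on the gateway.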



FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
Received on Thu Oct 2 07:01:11 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:39 EDT

