Hi all.
Here is my scenario to configure a subnet-subnet vpn with SuperFreeswan-1.99 (Nat Traversal patch):
            left subnet 192.168.2.0/24
                     |
                     |
        -------------|--192.168.2.1------
        | shorewall linux gw/freeswan   |
        | with masquerade               |
        -------------|---10.0.0.2--------
                     |
                     | 10.0.0.1
        ----------------------------
        |      ADSL NAT Router      |
        ----------------------------
                     |
                  a.b.c.d
                     |
                     |
                ~ INTERNET ~
                     |
                     |
                  k.x.y.z
                     |
        ----------------------------
        |      ADSL NAT Router      |
        ----------------------------
                     | 10.10.10.1
                     |
        -------------|--10.10.10.2-------
        | shorewall linux gw/freeswan   |
        | with masquerade               |
        -------------|--192.168.3.1------
                     |
            right subnet 192.168.3.0/24
I'm using the Nat traversal patch of freeswan because the routers do not
allow the ipsec protocol.
The tunnel goes up but 'ipsec verify' shows:
..........
Does the machine have at least one non-private address [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADING
tun0x1002@xxx.xxx.xxx.xxx [FAILED]
eth0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 192.168.1.0/24 -> 192.168.0.0/24
and I am not able to ping any host from the left subnet to the right and
vice versa.
With 'tcpdump -i ipsec0' I see the packets (echo request, netbios-ns and
others..) on both gw.
Please, help me to make my vpn.
Thanks in advance,
Enzo
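The FAILED line above is the whole problem in one sentence: a MASQUERADE rule that matches everything leaving eth0 also matches the packets that should enter the subnet-to-subnet tunnel, so their source is rewritten to the gateway address and they no longer fit the tunnel's selector. The following is an added example, not code from the thread, FreeS/WAN or Shorewall; it models that overlap check and shows that excluding the remote subnet from masquerading removes the conflict. The rule and tunnel values are constructed from the diagram in the post (192.168.2.0/24 and 192.168.3.0/24), and the Shorewall masq line in the comment is an assumed illustration of the exclusion, not something the thread states.

```python
# Added example (not code from the thread, FreeS/WAN or Shorewall): a model of
# the "masquerade kills tunnel" check that `ipsec verify` reports in the post.
# A MASQUERADE rule whose source and destination are both 0.0.0.0/0 also
# matches packets that should enter the subnet-to-subnet tunnel; their source
# is rewritten to the gateway address and they no longer fit the tunnel's
# 192.168.2.0/24 -> 192.168.3.0/24 selector. Excluding the remote subnet from
# masquerading removes the overlap. All values are constructed from the diagram.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class MasqRule:
    """One POSTROUTING MASQUERADE rule on an interface: SOURCE -> DEST,
    minus any destination networks carved out of it."""
    iface: str
    src: IPv4Network
    dst: IPv4Network
    dst_excl: tuple = ()  # destinations excluded from the rule

    def rewrites(self, local: IPv4Network, remote: IPv4Network) -> bool:
        """True if at least some local -> remote traffic would be masqueraded."""
        if not (self.src.overlaps(local) and self.dst.overlaps(remote)):
            return False
        # Only a full exclusion of the remote subnet saves the tunnel; a
        # partial one still leaves part of the traffic rewritten.
        return not any(remote.subnet_of(ex) for ex in self.dst_excl)


@dataclass(frozen=True)
class Tunnel:
    """A subnet-to-subnet IPsec tunnel: traffic local -> remote goes through it."""
    name: str
    local: IPv4Network
    remote: IPv4Network


def masq_conflicts(rules, tunnels):
    """One message per (rule, tunnel) pair where the rule rewrites tunnel
    traffic, in the same shape as the FAILED line quoted in the post."""
    return [
        f"{r.iface}_masq from {r.src} to {r.dst} kills tunnel {t.local} -> {t.remote}"
        for r in rules
        for t in tunnels
        if r.rewrites(t.local, t.remote)
    ]


# Constructed from the diagram: left LAN 192.168.2.0/24, right LAN 192.168.3.0/24.
TUNNELS = [Tunnel("tun0x1002", ip_network("192.168.2.0/24"), ip_network("192.168.3.0/24"))]

# Masquerade everything leaving eth0 (what the post's ipsec verify output describes).
BROKEN_RULES = [MasqRule("eth0", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))]

# Masquerade only the local LAN, and not towards the remote LAN (assumed
# Shorewall /etc/shorewall/masq form: "eth0:!192.168.3.0/24  192.168.2.0/24").
FIXED_RULES = [MasqRule("eth0", ip_network("192.168.2.0/24"), ip_network("0.0.0.0/0"),
                        dst_excl=(ip_network("192.168.3.0/24"),))]

# An exclusion that covers only half of the remote LAN is still a conflict.
PARTIAL_RULES = [MasqRule("eth0", ip_network("192.168.2.0/24"), ip_network("0.0.0.0/0"),
                          dst_excl=(ip_network("192.168.3.0/25"),))]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES),
                         ("partial", PARTIAL_RULES)):
        problems = masq_conflicts(rules, TUNNELS)
        print(f"{label}: {'OK' if not problems else 'FAILED'}")
        for p in problems:
            print("  " + p)
```

Running the block prints FAILED for the catch-all rule, OK for the rule that carves out the whole remote subnet, and FAILED again for the partial exclusion, which is the case that is easy to miss when a remote site uses a larger prefix than the one excluded.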
I hope someone else on the list will respond to this post -- I've tried a couple of times but each time, my blood pressure rose to life-threatening levels.

Enzo -- if no one else responds, I recommend that you review http://www.shorewall.net/support.htm -- it provides guidelines for how to get help on this list.

-Tom

--On Sunday, February 02, 2003 12:57 AM +0100 enzo bontempo <enzo@bontempo.it> wrote:

> Hi all.
> Here is my scenario to configure a subnet-subnet vpn with
> SuperFreeswan-1.99 (Nat Traversal patch):
[...]
> Please, help me to make my vpn.
>
> Thanks in advance,
>
> Enzo
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.shorewall.net
> http://lists.shorewall.net/mailman/listinfo/shorewall-users

-- 
Tom Eastep        \ Shorewall - iptables made easy
Shoreline,         \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
enzo bontempo wrote:
> Hi all.
> Here is my scenario to configure a subnet-subnet vpn with SuperFreeswan-1.99
> (Nat Traversal patch):
[...]
> I'm using the Nat traversal patch of freeswan because the routers do not
> allow the ipsec protocol.

You may want to try OpenVPN as an easy VPN solution. Shorewall support is in CVS now.

Simon
Enzo,
I'm no VPN expert, but I can tell from this post that you've failed to
supply us with enough information to assist you properly.
Please read the Shorewall Support page for the minimum information we'll
need to troubleshoot your problem.
Support -- Before Reporting a Problem
http://www.shorewall.net/support.htm
In addition you may find these pages useful.
VPN
http://www.shorewall.net/VPN.htm
Shorewall IPSec Tunneling
http://www.shorewall.net/IPSEC.htm
Linux FreeS/WAN Troubleshooting Guide (for 1.99)
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/trouble.html
On Sat, 2003-02-01 at 15:57, enzo bontempo wrote:
> Hi all.
> Here is my scenario to configure a subnet-subnet vpn with SuperFreeswan-1.99
> (Nat Traversal patch):
[...]
> I'm using the Nat traversal patch of freeswan because the routers do not
> allow the ipsec protocol.
> The tunnel goes up but 'ipsec verify' shows:
> ..........
> Does the machine have at least one non-private address [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADING
> tun0x1002@xxx.xxx.xxx.xxx [FAILED]
> eth0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 192.168.1.0/24 ->
> 192.168.0.0/24
>
> and I am not able to ping any host from the left subnet to the right and
> vice versa.
>
> With 'tcpdump -i ipsec0' I see the packets (echo request, netbios-ns and
> others..) on both gw
>
> Please, help me to make my vpn.
--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
> On Sat, 2003-02-01 at 15:57, enzo bontempo wrote:
> > Hi all.
> > Here is my scenario to configure a subnet-subnet vpn with SuperFreeswan-1.99
> > (Nat Traversal patch):
> >
> >             left subnet 192.168.2.0/24
> >                      |
> >                      |
> >         -------------|--192.168.2.1------
> >         | shorewall linux gw/freeswan   |
> >         | with masquerade               |
> >         -------------|---10.0.0.2--------
> >                      |
> >                      | 10.0.0.1
> >         ----------------------------
> >         |      ADSL NAT Router      |
> >         ----------------------------
> >                      |
> >                   a.b.c.d
> >                      |
> >                      |
> >                 ~ INTERNET ~
> >                      |
> >                      |
> >                   k.x.y.z
> >                      |
> >         ----------------------------
> >         |      ADSL NAT Router      |
> >         ----------------------------
> >                      | 10.10.10.1
> >                      |
> >         -------------|--10.10.10.2-------
> >         | shorewall linux gw/freeswan   |
> >         | with masquerade               |
> >         -------------|--192.168.3.1------
> >                      |
> >             right subnet 192.168.3.0/24

When creating ASCII diagrams, please ensure you are using a fixed-pitch font (one where all characters are the same width, e.g. Courier). Using variable-width font simply means that the diagram will line up only on computers with *identical* display settings to yours. On any other configuration (like anything used by the vast majority of mailing list recipients) the diagram just looks a mess.

Naturally, this means that if you expect to view ASCII diagrams, you should set a fixed-pitch font also.

-- 
 \       "Hey Homer! You're late for English!" "Pff! English, who needs |
  `\     that? I'm never going to England!" -- Barney & Homer, _The    |
_o__)    Simpsons_                                                      |
bignose@zip.com.au  F'print 9CFE12B0 791A4267 887F520C B7AC2E51 BD41714B