I set up an ipsec/racoon vpn tunnel test environment. The gateway machines are 192.168.0.30 and 192.168.0.31 on the external adaptor and 10.0.1.1 and 10.0.2.1 internally. The test workstations are 10.0.1.10 and 10.0.2.10.

The tunnel seems to be working, as in 10.0.1.10 can talk to 10.0.2.10 and vice versa and they can both use the net via NAT; however 192.168.0.30 and 192.168.0.31 cannot directly talk, and neither workstation can directly talk to those 2 IP addresses either. I carefully read through http://shorewall.net/IPSEC.htm to get it working to the extent that it is. I am not sure if the fix lies in the ipsec/racoon configs or shorewall, but I have pretty much run out of ideas.

Thanks
Jonathan wrote on 22/09/2004 16:04:26:

> I set up an ipsec/racoon vpn tunnel test environment. [...]
>
> [...] however 192.168.0.30 and 192.168.0.31 cannot directly talk and
> neither workstation can directly talk to those 2 IP addresses either.

Back in the freeswan times, IIRC, you could not talk with any of the tunnel endpoints when using an IPSEC vpn tunnel. That was one of the reasons I jumped to openvpn at that time. I don't know if this is still a problem though.

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
On Wednesday 22 September 2004 12:04, Jonathan Schneider wrote:

> I set up an ipsec/racoon vpn tunnel test environment. The gateway machines
> are 192.168.0.30 and 192.168.0.31 on the external adaptor and 10.0.1.1 and
> 10.0.2.1 internally. The test workstations are 10.0.1.10 and 10.0.2.10.
>
> The tunnel seems to be working as in 10.0.1.10 can talk to 10.0.2.10 and
> vice versa and they can both use the net via NAT, however 192.168.0.30 and
> 192.168.0.31 cannot directly talk and neither workstation can directly talk
> to those 2 IP addresses either. I carefully read through
> http://shorewall.net/IPSEC.htm to get it working to the extent that it is.
> I am not sure if the fix lies in the ipsec/racoon configs or shorewall but
> I have pretty much run out of ideas.

If you "shorewall clear", does it work? If not, it is an ipsec/racoon issue.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
I would agree with Tom's request to check if you can get it working with IPTables empty (ALLOW ALL). What you try to do would need 6 rules for setkey and 3 sainfo entries in racoon.conf (this is if you don't have a valid sainfo anonymous active). If you should have less, you need to verify. In any case some log file info would be helpful to see if there are any drops for UDP 500 or ESP.

Regards,
Axel Westerhold
Technical Lead
Congos Inc.
Axel@congos-tools.com
Tel.: 0049 5732 688040

Jonathan Schneider wrote:

> I set up an ipsec/racoon vpn tunnel test environment. The gateway machines
> are 192.168.0.30 and 192.168.0.31 on the external adaptor and 10.0.1.1 and
> 10.0.2.1 internally. The test workstations are 10.0.1.10 and 10.0.2.10.
>
> The tunnel seems to be working as in 10.0.1.10 can talk to 10.0.2.10 and
> vice versa and they can both use the net via NAT, however 192.168.0.30 and
> 192.168.0.31 cannot directly talk and neither workstation can directly talk
> to those 2 IP addresses either. I carefully read through
> http://shorewall.net/IPSEC.htm to get it working to the extent that it is.
> I am not sure if the fix lies in the ipsec/racoon configs or shorewall but
> I have pretty much run out of ideas.
>
> Thanks
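As an added example (not from the thread or from Shorewall itself), a small Python script in the spirit of Axel's suggestion: it scans Shorewall/netfilter log lines for dropped IKE (UDP 500) or ESP packets between the two gateway addresses from the original post. The log lines are constructed, and the `Shorewall:chain:disposition:` prefix format is assumed.

```python
import re
from collections import Counter

# Constructed sample log lines (not real captures); gateway addresses are
# the ones from the original post.
SAMPLE_LOG = """\
Sep 22 16:10:01 gw1 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.168.0.31 DST=192.168.0.30 LEN=248 TTL=64 PROTO=UDP SPT=500 DPT=500 LEN=228
Sep 22 16:10:01 gw1 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.168.0.31 DST=192.168.0.30 LEN=136 TTL=64 PROTO=ESP SPI=0x0a1b2c3d
Sep 22 16:10:02 gw1 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.168.0.77 DST=192.168.0.30 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=22 SYN
Sep 22 16:10:03 gw1 kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.168.0.30 DST=192.168.0.31 LEN=248 TTL=64 PROTO=UDP SPT=500 DPT=500 LEN=228
"""

# Assumed Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by
# the usual netfilter fields. SPT/DPT only exist for TCP/UDP, hence optional.
LINE_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):.*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def classify(line):
    """Return (chain, action, src, dst, kind) or None for non-Shorewall lines.
    kind is 'IKE' for UDP with port 500 on either side, 'ESP' for ESP,
    otherwise the raw protocol name."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = m["proto"]
    if proto == "UDP" and "500" in (m["spt"], m["dpt"]):
        kind = "IKE"
    elif proto == "ESP":
        kind = "ESP"
    else:
        kind = proto
    return m["chain"], m["action"], m["src"], m["dst"], kind

def ipsec_drops(log_text, gateways):
    """Count DROP/REJECT entries for IKE or ESP traffic between the given
    gateway addresses, keyed by (chain, src, dst, kind)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        chain, action, src, dst, kind = rec
        if (action in ("DROP", "REJECT") and kind in ("IKE", "ESP")
                and src in gateways and dst in gateways):
            counts[(chain, src, dst, kind)] += 1
    return counts

if __name__ == "__main__":
    for (chain, src, dst, kind), n in sorted(
            ipsec_drops(SAMPLE_LOG, {"192.168.0.30", "192.168.0.31"}).items()):
        print(f"{n:3d}  chain={chain}  {src} -> {dst}  {kind}")
```

Any hit here means the firewall, not racoon, is eating the tunnel's control or data traffic; an empty result with the problem still present points at the setkey/racoon side.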