List: linux-ipsec
Subject: [Users] Strange Routing Behavior
From: rmcclurg () csc ! com
Date: 2001-10-31 14:44:57
I have been doing testing with two LRP Eigerstein SGs. I am using FreeSwan
1.5 and Linux 2.2.16. Tunnel traffic from one internal network to the other
works just fine. The problem is that I wish to monitor one gateway from the
protected network of the other. I understand that I should not be able to
route traffic from a gateway to a tunneled network without either an eroute
to or a separate tunnel from one gateway to the internal network of the
other. Herein lies my problem.
If I am on either gateway I cannot ping the other gateway nor the network
it protects. This is as I expect. I can however ping from the protected
networks to the gateways. I can also query the SG with my web browser. The
packets traverse the tunnel with no problem. Here is my first question: how
can packets route from a to b, but not from b to a, when the firewall rules
allow unrestricted traffic between the internal networks (which include the
internal SG addresses)?
The next problem has me vexed. If I try to do an snmpwalk from inside the
protected net to the same gateway, which happily sends me ICMP and www
traffic, the packets are dropped by the SG on ipsec0. OK, so it is doing
what it should. So I tried establishing a tunnel from SG1 to the protected
net of SG2. I get exactly the same results. So I go back to the first
tunnel and add an eroute. Still the same result. I can never originate
traffic from the SG to the protected net of the other SG, nor do SNMP from
the protected net to the other SG. My thinking is that they may be one and
the same problem, since SNMP is UDP and therefore "connectionless". So my
question to the geniuses on this list is: what do I have to do to make this
work?
One last thing. The config below works with each conn separately, but
neither works if both are used simultaneously. Why?
Thanks for your time.
Roger
config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	plutowait=no
	manualstart=
	forwardcontrol=no
#
# this is the net to net config
#
conn chewienet-bitsynet
	left2.153.61.62
	leftsubnet2.153.64.0/24
	leftfirewall=yes
	right2.153.61.61
	rightsubnet .6.89.0/24
	rightfirewall=yes
	auto=start
	keyexchange=ike
	auth=esp
	type=tunnel
	authby=secret
	keyingtries=1
	keylife=8h
	pfs=yes
#
# this is the Left SG (internal address) to net config
#
conn chewie-bitsynet
	left2.153.61.62
	# this is the internal address of the Left SG
	leftsubnet2.153.64.254/32
	leftfirewall=yes
	right2.153.61.61
	rightsubnet .6.89.0/24
	rightfirewall=yes
	auto=start
	keyexchange=ike
	auth=esp
	type=tunnel
	authby=secret
	keyingtries=1
	keylife=8h
	pfs=yes
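An added illustration (not from the post, and not FreeS/WAN's own code) of how a tunnel-type conn's leftsubnet/rightsubnet pair selects which outbound packets enter the tunnel: a packet is tunnelled only if its source lies in leftsubnet and its destination in rightsubnet, otherwise it is dropped on ipsec0. The addresses are placeholders standing in for the garbled values above, and the model assumes that the SG answers a request from the address the request was sent to, while traffic the SG originates itself carries its public-side address as source.

```python
import ipaddress

# Placeholder addresses (constructed; the post's real values are garbled).
SG_EXTERNAL = "192.0.2.62"     # stands in for 'left', the SG's public address
SG_INTERNAL = "10.64.0.254"    # stands in for the /32 in conn chewie-bitsynet
LEFT_NET = "10.64.0.0/24"      # stands in for leftsubnet of chewienet-bitsynet
RIGHT_NET = "10.89.0.0/24"     # stands in for rightsubnet
REMOTE_HOST = "10.89.0.10"     # a host on the other SG's protected net

# The two conns from the post, reduced to the selectors that matter here.
CONNS = [
    {"name": "chewienet-bitsynet", "leftsubnet": LEFT_NET, "rightsubnet": RIGHT_NET},
    {"name": "chewie-bitsynet", "leftsubnet": SG_INTERNAL + "/32", "rightsubnet": RIGHT_NET},
]


def matching_conns(conns, src, dst):
    """Names of every conn whose (leftsubnet, rightsubnet) covers src -> dst.

    More than one hit means the conns' selectors overlap for that flow.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [c["name"] for c in conns
            if s in ipaddress.ip_network(c["leftsubnet"])
            and d in ipaddress.ip_network(c["rightsubnet"])]


def tunnelled(conns, src, dst):
    """True if the outbound packet matches some eroute, False if dropped on ipsec0."""
    return bool(matching_conns(conns, src, dst))


def sg_source_address(reply_to=None):
    """Source address the SG puts on a packet (assumption, see lead-in).

    A reply reuses the address the request was addressed to; a packet the
    SG originates itself is sourced from its public-side address.
    """
    return reply_to if reply_to is not None else SG_EXTERNAL


def gateway_cases(conns):
    """The asymmetry from the post: reply to an inbound ping vs. self-originated traffic."""
    return {
        "reply_to_ping": tunnelled(conns, sg_source_address(SG_INTERNAL), REMOTE_HOST),
        "sg_originated": tunnelled(conns, sg_source_address(), REMOTE_HOST),
    }
```

Running `gateway_cases(CONNS)` shows the reply path matching the net-to-net conn while the self-originated packet, sourced from the public address, matches neither conn.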
_______________________________________________
Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users