Hi,
I have a big problem with a freeswan gateway
on Linux SuSE 8.2, connected via an IPsec tunnel
to a Watchguard firewall.
There are 2 interfaces on the Linux gateway:
external eth0 with the internet IP (212.X.X.X) and
internal eth1 with the internal IP (192.168.115.1).
My ipsec.conf:
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        forwardcontrol=yes
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=secret
        #compress=yes
        #leftrsasigkey=%dnsondemand
        #rightrsasigkey=%dnsondemand
conn roadwarrior
        left=%any
conn me-to-anyone
        #left=%defaultroute
        #right=%opportunistic
        #keylife=1h
        #rekey=no
        # for initiator only OE,
        # after putting your key
        #leftid=@myhostname.example.com
        # uncomment this next line to enable it
        # auto=route
conn Firebox1
        left=195.X.X.X
        leftnexthop=%defaultroute
        leftsubnet=192.168.0.0/24
        right=212.X.X.X
        rightnexthop=%defaultroute
        rightsubnet=192.168.115.0/24
        leftupdown=/usr/lib/ipsec/_updown_custom
        auto=start
The ipsec tunnel is working:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
212.X.X.X * 255.255.255.240 U 0 0 0 eth0
212.X.X.X * 255.255.255.240 U 0 0 0 ipsec0
192.168.0.0 gw.xxx.net 255.255.255.0 UG 0 0 0 ipsec0
192.168.115.0 * 255.255.255.0 U 0 0 0 eth1
default gw.xxx.net 0.0.0.0 UG 0 0 0 eth0
# ipsec verify
Checking your system to see if IPsec was installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
DNS checks.
Looking for forward key for ext [FAILED]
Looking for TXT in reverse map: X.X.X.212.in-addr.arpa [OK]
Does the machine have at least one non-private address [OK]
The problem is, I can ping my Linux gateway from every remote machine,
but cannot ping any remote machine from the Linux gateway.
The firewall is not active on the Linux gateway.
Ports ANY to ANY and ping are allowed
in the Watchguard configuration for Linux.
From any other machine on the gateway side I can ping remote
machines, but NOT from the gateway.
What's wrong?
Kind regards,
anonimous
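A check worth running against the conn above (an added example, not from the post or the FreeS/WAN project): only traffic whose source and destination match the leftsubnet/rightsubnet selectors is sent through the tunnel, so this parses the Firebox1 conn and reports which of the gateway's own candidate source addresses would be tunneled to a remote host. The Linux gateway is the "right" side as in the post; the X octets in the post's addresses are replaced with constructed values (10) because X is not a valid octet.

```python
import ipaddress

# Constructed excerpt of the posted ipsec.conf; X octets replaced by 10 (assumption).
IPSEC_CONF = """\
config setup
        interfaces=%defaultroute
conn Firebox1
        left=195.10.10.10
        leftnexthop=%defaultroute
        leftsubnet=192.168.0.0/24
        right=212.10.10.10
        rightnexthop=%defaultroute
        rightsubnet=192.168.115.0/24
        auto=start
"""

def parse_conns(text):
    """Parse ipsec.conf text into {section_name: {key: value}}.
    A non-indented 'conn NAME' or 'config NAME' line opens a section;
    'key=value' lines belong to the current section; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("conn ", "config ")):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def selector_match(conn, src_ip, dst_ip):
    """Return 'right->left', 'left->right', or None depending on whether the
    (src, dst) pair falls inside the conn's subnet selectors in either direction."""
    left_net = ipaddress.ip_network(conn["leftsubnet"])
    right_net = ipaddress.ip_network(conn["rightsubnet"])
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in right_net and dst in left_net:
        return "right->left"
    if src in left_net and dst in right_net:
        return "left->right"
    return None

def classify_sources(conn, candidate_sources, dst_ip):
    """For each address the gateway itself might use as a source, say whether
    a packet to dst_ip would match the tunnel selectors."""
    return {src: selector_match(conn, src, dst_ip) for src in candidate_sources}
```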