Hello friends,<br><br>I am sorry that the image did not come through as it was mailed. I am again giving the full sketch diagram, which explains the networking between the machines well.<br><br><a href="http://img87.imageshack.us/img87/6231/ipseccz7.jpg">
http://img87.imageshack.us/img87/6231/ipseccz7.jpg</a> <br><br>Please let me know where I can use type=Transport?<br><br>Thank you.<br>Ankur.<br><div><span class="gmail_quote">On 11/9/06, <b class="gmail_sendername">conn intel
</b> <<a href="mailto:connintel@gmail.com">connintel@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hello Friends,
<br><br><br>Diagram:<br>
CLIENT behind G/W (A): eth0 192.168.1.5<br>
IPSEC GATEWAY (B): eth0 192.168.1.1, eth1 10.10.100.25<br>
IPSEC HOST (C): eth0 10.10.100.88<br>
A (eth0) ---- (eth0) B (eth1) ---- (eth0) C<br><br><br><font size="2">
</font><p><font size="2">I am using IPSEC KLIPS 2.6 with NAT support on Gateway B and Host C;
Client A is a normal host behind Gateway B. I am using
type=transport in the ipsec.conf files for both Gateway B and Host
C.</font></p>
<p><font size="2">In the initial stage the tunnel does not come up from Gateway B to Host C, so I am not able to ping from A to C.</font></p>
<p><font size="2">But I can successfully ping from Host C to Client A, and when I then try
again I get a successful ping response from Client A to Host C, which was not there before.<br>
</font></p>
<p><font size="2">If I want to use transport mode, where can I use it: on Gateway B, on Host C, or on both?<br>
</font></p>
<p><font size="2">Thank you.<br>
</font></p>
<p><font size="2">Ankur.<br>
</font></p>
<p><span style="background-color: rgb(255, 255, 51);"><font size="2">BEFORE TRYING PING FROM C TO A ::</font></span><font size="2"><br>
</font></p>
<p><font size="2">OUTPUT ON GATEWAY B :: ipsec auto --status <br>
</font></p>
<p><font size="2">000 "netone": 192.0.0.0/8===10.10.100.25...10.10.100.88---10.10.100.88; erouted HOLD; eroute owner: #0<br>
000 "netone": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<br>
000 "netone": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>
000 "netone": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+UP+failurePASS; prio: 8,32; interface: eth1;<br>
000 "netone": newest ISAKMP SA: #1; newest IPsec SA: #0;<br>
000 "netone": IKE algorithms wanted: 3_000-1-5, 3_000-1-2, flags=strict<br>
000 "netone": IKE algorithms found: 3_128-1_128-5, 3_128-1_128-2,<br>
000 "netone": IKE algorithm newest: BLOWFISH_CBC_128-MD5-MODP1536<br>
000 "netone": ESP algorithms wanted: 3_000-1, flags=strict<br>
000 "netone": ESP algorithms loaded: 3_000-1, flags=strict<br>
000<br>
000 #4: "netone":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 2s; lastdpd=-1s(seq in:0 out:0)<br>
000 #3: "netone":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s; lastdpd=-1s(seq in:0 out:0)<br>
000 #1: "netone":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2973s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)<br>
</font></p>
<p><br>
<span style="background-color: rgb(255, 255, 51);">AFTER TRYING PING FROM C TO A ::</span><br>
</p>
<p>OUTPUT ON GATEWAY B :: ipsec auto --status </p>
<p><font size="2">000 "netone": 192.0.0.0/8===10.10.100.25...10.10.100.88---10.10.100.88; erouted; eroute owner: #5<br>
000 "netone": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<br>
000 "netone": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>
000 "netone": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+UP+failurePASS; prio: 8,32; interface: eth1;<br>
000 "netone": newest ISAKMP SA: #1; newest IPsec SA: #5;<br>
000 "netone": IKE algorithms wanted: 3_000-1-5, 3_000-1-2, flags=strict<br>
000 "netone": IKE algorithms found: 3_128-1_128-5, 3_128-1_128-2,<br>
000 "netone": IKE algorithm newest: BLOWFISH_CBC_128-MD5-MODP1536<br>
000 "netone": ESP algorithms wanted: 3_000-1, flags=strict<br>
000 "netone": ESP algorithms loaded: 3_000-1, flags=strict<br>
000 "netone": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A><br>
000<br>
000 #5: "netone":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3324s; newest IPSEC; eroute owner<br>
000 #5: "netone" esp.9db7fa8@10.10.100.88 esp.6c5ef14f@10.10.100.25 tun.1002@10.10.100.88 tun.1001@10.10.100.25<br>
000 #4: "netone":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 24s; lastdpd=-1s(seq in:0 out:0)<br>
000 #3: "netone":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 8s; lastdpd=-1s(seq in:0 out:0)<br>
000 #1: "netone":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2935s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)<br>
000<br>
</font></p>
<p><font size="2"><br>
b) I have used type=transport, so why does the above message show policy: PSK+ENCRYPT+COMPRESS+<span style="background-color: rgb(255, 255, 204);">TUNNEL</span>+UP+failurePASS instead of <span style="background-color: rgb(255, 255, 204);">TRANSPORT</span>?<br>
</font></p>
</blockquote></div><br>
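<p>As an added example, not part of the thread, here is a small Python parser for the two <code>ipsec auto --status</code> excerpts above: it reads the conn's endpoints, whether the policy carries the TUNNEL flag, whether the eroute is in HOLD, which phase 2 exchanges are still retransmitting and whether the one established IPsec SA was negotiated as initiator or responder, then turns those into operator findings. The sample lines are copied from the status output above; the assumption about how Pluto prints the right end's <code>---nexthop</code> is noted in the comments.</p>

```python
import re

# Constructed sample input: the two "ipsec auto --status" excerpts from the thread
# (before and after the ping from Host C), trimmed to the lines the checks use.
STATUS_BEFORE = """\
000 "netone": 192.0.0.0/8===10.10.100.25...10.10.100.88---10.10.100.88; erouted HOLD; eroute owner: #0
000 "netone": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+UP+failurePASS; prio: 8,32; interface: eth1;
000 #4: "netone":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 2s; lastdpd=-1s(seq in:0 out:0)
"""
STATUS_AFTER = """\
000 "netone": 192.0.0.0/8===10.10.100.25...10.10.100.88---10.10.100.88; erouted; eroute owner: #5
000 "netone": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+UP+failurePASS; prio: 8,32; interface: eth1;
000 #5: "netone":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3324s; newest IPSEC; eroute owner
000 #4: "netone":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 24s; lastdpd=-1s(seq in:0 out:0)
"""

def parse_status(text, conn="netone"):
    # Summarise one conn from Pluto's 'ipsec auto --status' lines.
    info = {"left_subnet": None, "left": None, "right": None, "right_subnet": None,
            "mode": None, "eroute_hold": False, "established_as": None, "retransmitting": []}
    for line in text.splitlines():
        m = re.match(r'000 "%s": (\S+)\.\.\.(\S+); erouted( HOLD)?;' % conn, line)
        if m:  # each end reads subnet===host---nexthop; assumption: the right end is printed mirrored
            lsub, _, lhost = m.group(1).rpartition("===")
            rhost, _, rsub = m.group(2).partition("===")
            info["left_subnet"], info["left"] = lsub or None, lhost.split("---")[0]
            info["right"], info["right_subnet"] = rhost.split("---")[-1], rsub or None
            info["eroute_hold"] = m.group(3) is not None  # HOLD: no IPsec SA owns the eroute yet
        elif "policy:" in line:
            flags = re.search(r"policy: (\S+);", line).group(1).split("+")
            info["mode"] = "tunnel" if "TUNNEL" in flags else "transport"  # transport = no TUNNEL flag
        elif "IPsec SA established" in line:  # QUICK_I* = this side initiated, QUICK_R* = the peer did
            info["established_as"] = "initiator" if "STATE_QUICK_I" in line else "responder"
        elif "EVENT_RETRANSMIT" in line:
            info["retransmitting"].append(re.match(r"000 (#\d+)", line).group(1))
    return info

def diagnose(info):
    findings = []
    if info["left_subnet"] or info["right_subnet"]:
        findings.append("a subnet sits behind an endpoint: gateway traffic needs tunnel mode; transport "
                        "mode only protects packets exchanged between the two IPsec peers themselves")
    if info["eroute_hold"]:
        findings.append("eroute in HOLD: no IPsec SA yet, packets for the subnet are held until phase 2 completes")
    if info["retransmitting"]:
        msg = "phase 2 retransmitting for %s: the peer is not answering this side's quick mode" % ", ".join(info["retransmitting"])
        if info["established_as"] == "responder":
            msg += "; the only established IPsec SA was negotiated with the peer as initiator"
        findings.append(msg)
    return findings
```

Run it against the two captures and the "after" case still reports the gateway's own quick mode exchange (#4) as unanswered, while the SA that carries traffic (#5) was negotiated with Host C as the initiator.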