<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.16.1">
</HEAD>
<BODY>
On Thu, 2007-12-06 at 16:29 -0500, Peter McGill wrote:<BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">Off hand I don't see the problem in your conf or logs here.</FONT>
</PRE>
</BLOCKQUOTE>
<BR>
We managed to get the VPN up. At the suggestion of the other party, we tried to make it a subnet VPN instead of host-to-host. Here is my updated /etc/ipsec.d/partner.conf file:<BR>
<BR>
<PRE>
conn partner
        auto=add
        authby=secret
        compress=no
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        pfs=yes
        left=xxx.xxx.205.212
        leftsubnet=192.168.3.2/32
        right=xxx.xxx.94.73
        rightsubnet=xxx.xxx.220.100/32
</PRE>
<BR>
This worked. <BR>
<BR>
<PRE>
117 "partner" #3: STATE_QUICK_I1: initiate
003 "partner" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "partner" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=&gt;0x7f9d974c &lt;0x9fb4d162 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}
</PRE>
<BR>
Now the problem I have is that I cannot actually send any packets through. If I try to "telnet xxx.xxx.220.100" it will reply either that there is no route to the host, or it will just sit there trying to connect, and she cannot see anything come through at her end of the tunnel.<BR>
<BR>
I tried adding "leftsourceip=192.168.3.2" and "rightsourceip=xxx.xxx.220.100" after re-reading the Packt Publishing book this weekend, but I don't think that's my problem.<BR>
<BR>
I'm not sure if it is just a routing issue, or something else. I'm leaning towards one of two things, and I was hoping you might tell me what you think. I might be over-complicating things and may just need to focus on routing for all I know!<BR>
<BR>
The first. I saw in her netscreen setup the following statement: <BR>
set vpn "mlavalle" gateway "mlavalle" no-replay tunnel idletime 0 proposal "mlavalle"<BR>
<BR>
The no-replay caught my eye, because my box shows a "replay-window 32" when I run "ip xfrm state". However, I can't seem to find any way of changing that. <BR>
<BR>
The second thing is, the book and some comments I've seen in this mailing list's history seem to indicate that KLIPS is better than NETKEY, and I am pretty sure my Fedora 6 box is using NETKEY. So, I could either upgrade from Fedora 6 to Fedora 8 and see if there is a bug that worked itself out, or I could figure out how to recompile the kernel with KLIPS instead of NETKEY.<BR>
<BR>
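The anti-replay window and cipher details of the kernel SAs that the message asks about can be read straight from "ip xfrm state". The following is an added example, not part of this message and not Openswan or iproute2 code: a small Python checker that parses the per-SA block format NETKEY prints (the layout is assumed from older iproute2 output), confirms that the two SPIs from the pluto log above are actually installed in the kernel, and flags an SA whose replay-window is 0 (anti-replay disabled, the equivalent of the NetScreen "no-replay" setting) or whose AES key is shorter than the 256 bits the esp= line asks for. The sample output is constructed for the example, reusing the masked addresses and the SPIs from the log; the key bytes are placeholder patterns, not real keys.<BR>
<BR>
```python
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample of `ip xfrm state` output (format as assumed from older
# iproute2). SPIs and masked addresses come from the pluto log in the message;
# keys are placeholder byte patterns. The second SA is deliberately degraded
# (replay-window 0, 128-bit key) so the checker has something to report.
SAMPLE_XFRM_STATE = (
    "src xxx.xxx.205.212 dst xxx.xxx.94.73\n"
    "\tproto esp spi 0x7f9d974c reqid 16385 mode tunnel\n"
    "\treplay-window 32\n"
    "\tauth hmac(sha1) 0x" + "01" * 20 + "\n"
    "\tenc cbc(aes) 0x" + "02" * 32 + "\n"
    "\tsel src 0.0.0.0/0 dst 0.0.0.0/0\n"
    "src xxx.xxx.94.73 dst xxx.xxx.205.212\n"
    "\tproto esp spi 0x9fb4d162 reqid 16385 mode tunnel\n"
    "\treplay-window 0\n"
    "\tauth hmac(sha1) 0x" + "03" * 20 + "\n"
    "\tenc cbc(aes) 0x" + "04" * 16 + "\n"
    "\tsel src 0.0.0.0/0 dst 0.0.0.0/0\n"
)


@dataclass
class XfrmSA:
    """One ESP security association as printed by `ip xfrm state`."""
    src: str
    dst: str
    spi: str = ""
    mode: str = ""
    replay_window: int = -1   # -1 means no replay-window line was seen
    auth: str = ""
    enc: str = ""
    enc_key_bits: int = 0


def parse_xfrm_state(text: str) -> List[XfrmSA]:
    """Parse 'src ... dst ...' header lines followed by indented attribute lines."""
    sas: List[XfrmSA] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", line)
            if m:
                cur = XfrmSA(src=m.group(1), dst=m.group(2))
                sas.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("proto "):
            m = re.search(r"\bspi (0x[0-9a-fA-F]+)", line)
            if m:
                cur.spi = m.group(1).lower()
            m = re.search(r"\bmode (\S+)", line)
            if m:
                cur.mode = m.group(1)
        elif line.startswith("replay-window "):
            cur.replay_window = int(line.split()[1])
        elif line.startswith("auth "):
            cur.auth = line.split()[1]
        elif line.startswith("enc "):
            parts = line.split()
            cur.enc = parts[1]
            # key is 0x-prefixed hex: two hex digits per byte, 4 bits per digit
            cur.enc_key_bits = (len(parts[2]) - 2) * 4
    return sas


def check_tunnel(sas: List[XfrmSA], expected_spis: List[str],
                 expected_enc: str = "cbc(aes)", expected_bits: int = 256,
                 expected_auth: str = "hmac(sha1)") -> List[str]:
    """Return human-readable findings; an empty list means the SAs look as configured."""
    findings: List[str] = []
    installed = {sa.spi for sa in sas}
    for spi in expected_spis:
        if spi.lower() not in installed:
            findings.append(f"SPI {spi} from the pluto log has no kernel SA: "
                            f"pluto negotiated it but NETKEY never installed it")
    for sa in sas:
        tag = f"SA {sa.spi} ({sa.src} to {sa.dst})"
        if sa.mode != "tunnel":
            findings.append(f"{tag}: mode {sa.mode}, expected tunnel for a subnet conn")
        if sa.replay_window == 0:
            findings.append(f"{tag}: replay-window 0, anti-replay protection is disabled")
        if sa.enc != expected_enc or sa.enc_key_bits != expected_bits:
            findings.append(f"{tag}: enc {sa.enc} with {sa.enc_key_bits}-bit key, "
                            f"esp= asked for {expected_bits}-bit AES")
        if sa.auth != expected_auth:
            findings.append(f"{tag}: auth {sa.auth}, esp= asked for {expected_auth}")
    return findings


if __name__ == "__main__":
    # `ip xfrm state | python3 xfrm_check.py -` reads the live output; no arg uses the sample
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_XFRM_STATE
    for finding in check_tunnel(parse_xfrm_state(text), ["0x7f9d974c", "0x9fb4d162"]) or ["no findings"]:
        print(finding)
```
<BR>
The two SPIs passed to check_tunnel are the ones pluto prints in the "IPsec SA established" line (outbound after ESP=&gt;, inbound after &lt;); if either is missing from the kernel state, the tunnel exists only in pluto and no packet can be encrypted, which is worth ruling out before chasing routing.<BR>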
</BODY>
</HTML>