<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" content="1" /><style type="text/css">p, li { white-space: pre-wrap; }</style></head><body style=" font-family:'Sans Serif'; font-size:10pt; font-weight:400; font-style:normal;">Hi again<br /><br>
As I told in my previous message, I am trying to establish a L2L IPsec tunnel between a Linux firewall and a Cisco firewall, <br>
<span style=" font-family:'dejavu sans';">using NATed IPsec with a pre-shared key. After some study and testing I managed to establish the IPsec link between both sites. The situation is the following:</span><br>
<span style=" font-family:'dejavu sans';">a) I have looked with tcpdump at my public interface and the tunnel looks fine, with regular keep-alive messages between the 2 sites.</span><br>
<span style=" font-family:'dejavu sans';">b) I try to ping a host on the BLan, but when I tcpdump the external interface I still see regular ICMP packets with no tunneling!</span><br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-family:'dejavu sans';"><br></p><span style=" font-family:'dejavu sans';">My question is: since that type of configuration doesn't create anything like an ipsec0 device, how do I make sure the traffic is directed into the IPsec tunnel?</span><br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-family:'dejavu sans';"><br></p>The configuration is the following:<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p><span style=" font-family:'dejavu sans mono';"> myLan myFw internet BFw BLan<br />10.11.0.0/16 ---10.11.0.5/mypublicIP <<<<<<->>>>>> BpublicIP/??.??.??.?? --- 192.168.0.0/24 </span><br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-family:'dejavu sans mono';"><br></p><span style=" font-family:'dejavu sans';">myFw - Openswan 2.6.21 using setkey on Mandriva Linux, kernel 2.6.29.1</span><br>
BFw - Cisco ASA<br /><br>
<span style=" font-family:'dejavu sans';">------------------------------------------------------------</span><br>
<span style=" font-family:'dejavu sans';"># /etc/openswan/ipsec.conf - Openswan IPsec configuration file</span><br>
<span style=" font-family:'dejavu sans';">version 2.0 # conforms to second version of ipsec.conf specification</span><br>
<span style=" font-family:'dejavu sans';">config setup</span><br>
<span style=" font-family:'dejavu sans';"> nat_traversal=yes</span><br>
<span style=" font-family:'dejavu sans';"> OE=off</span><br>
<span style=" font-family:'dejavu sans';"> protostack=netkey</span><br>
<span style=" font-family:'dejavu sans';"> interfaces=%defaultroute</span><br>
<span style=" font-family:'dejavu sans';"> uniqueids=yes</span><br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-family:'dejavu sans';"><br></p><span style=" font-family:'dejavu sans';">conn ttt</span><br>
<span style=" font-family:'dejavu sans';"> authby= secret</span><br>
<span style=" font-family:'dejavu sans';"> pfs= yes</span><br>
<span style=" font-family:'dejavu sans';"> auto= start</span><br>
<span style=" font-family:'dejavu sans';"> keyexchange=ike</span><br>
<span style=" font-family:'dejavu sans';"> ike=3des-sha1-modp1024</span><br>
<span style=" font-family:'dejavu sans';"> type=tunnel</span><br>
<span style=" font-family:'dejavu sans';"> auth=esp</span><br>
<span style=" font-family:'dejavu sans';"> esp=3des-sha1</span><br>
<span style=" font-family:'dejavu sans';"> compress=no</span><br>
<span style=" font-family:'dejavu sans';"> left=mypublicIP</span><br>
<span style=" font-family:'dejavu sans';"> leftsubnet= 10.11.0.0/16</span><br>
<span style=" font-family:'dejavu sans';"> #leftnexthop= %defaultroute</span><br>
<span style=" font-family:'dejavu sans';"> leftnexthop=BpublicIP</span><br>
<span style=" font-family:'dejavu sans';"> right=</span><span style=" font-family:'dejavu sans';">BpublicIP</span><br>
<span style=" font-family:'dejavu sans';"> rightsubnet=192.168.0.0/24</span><br>
<span style=" font-family:'dejavu sans';"> rightnexthop=</span><span style=" font-family:'dejavu sans';">mypublicIP</span><br>
<span style=" font-family:'dejavu sans';">------------------------------------------------------------</span><br>
<span style=" font-family:'dejavu sans';"># /etc/openswan/ipsec.secrets</span><br>
<span style=" font-family:'dejavu sans';">mypublicIP BpublicIP : PSK "sharedkey"</span><br>
<span style=" font-family:'dejavu sans';">------------------------------------------------------------</span><br>
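With protostack=netkey there is no ipsec0 interface: the kernel decides per packet whether to ESP-encapsulate it by matching the packet's source and destination addresses against the Security Policy Database (SPD) that pluto installs, which you can list with <span style=" font-family:'dejavu sans mono';">ip xfrm policy show</span>. The script below is an added example, not part of the original message or of Openswan; it parses that output and reports whether a given src/dst pair is covered by an outbound tunnel policy. The sample output is constructed for the conn above, with 203.0.113.5 and 198.51.100.9 standing in for mypublicIP and BpublicIP (placeholder documentation addresses, not the poster's real ones).<br>

```python
"""Check whether a flow is covered by a NETKEY (XFRM) outbound IPsec policy.

Usage on the firewall:  ip xfrm policy show | python3 xfrm_check.py SRC DST
Without stdin, a constructed sample SPD is used instead.
"""
import ipaddress
import re
import sys

# Constructed sample of `ip xfrm policy show` for leftsubnet=10.11.0.0/16,
# rightsubnet=192.168.0.0/24.  203.0.113.5 = mypublicIP, 198.51.100.9 =
# BpublicIP are placeholders, not the addresses from the original post.
SAMPLE_POLICY_OUTPUT = """\
src 10.11.0.0/16 dst 192.168.0.0/24 
\tdir out priority 2344 ptype main 
\ttmpl src 203.0.113.5 dst 198.51.100.9
\t\tproto esp reqid 16385 mode tunnel
src 192.168.0.0/24 dst 10.11.0.0/16 
\tdir in priority 2344 ptype main 
\ttmpl src 198.51.100.9 dst 203.0.113.5
\t\tproto esp reqid 16385 mode tunnel
src 192.168.0.0/24 dst 10.11.0.0/16 
\tdir fwd priority 2344 ptype main 
\ttmpl src 198.51.100.9 dst 203.0.113.5
\t\tproto esp reqid 16385 mode tunnel
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")   # start of one SPD entry
DIR_RE = re.compile(r"^\s*dir (\w+)")             # out / in / fwd
MODE_RE = re.compile(r"\bmode (\w+)")             # tunnel / transport


def parse_policies(text):
    """Turn `ip xfrm policy show` text into a list of policy dicts."""
    policies = []
    cur = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            cur = {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "dir": None,
                "mode": None,
            }
            policies.append(cur)
            continue
        if cur is None:
            continue  # ignore anything before the first entry
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
        m = MODE_RE.search(line)
        if m:
            cur["mode"] = m.group(1)
    return policies


def find_policy(policies, src_ip, dst_ip, direction="out"):
    """Return the first policy in `direction` whose selectors cover the flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and src in p["src"] and dst in p["dst"]:
            return p
    return None


def explain(policies, src_ip, dst_ip):
    """Human-readable verdict for an outbound flow."""
    p = find_policy(policies, src_ip, dst_ip)
    if p is None:
        return (f"{src_ip} -> {dst_ip}: no outbound SPD entry matches; "
                f"these packets leave the public interface in the clear")
    return (f"{src_ip} -> {dst_ip}: matches {p['src']} -> {p['dst']} "
            f"({p['mode']} mode); packets will be ESP-encapsulated")


if __name__ == "__main__":
    text = SAMPLE_POLICY_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    pols = parse_policies(text)
    flows = [tuple(sys.argv[1:3])] if len(sys.argv) == 3 else [
        ("10.11.0.7", "192.168.0.10"),    # a LAN host behind myFw
        ("203.0.113.5", "192.168.0.10"),  # ping run from myFw itself
    ]
    for s, d in flows:
        print(explain(pols, s, d))
```

The second constructed flow shows the usual reason a ping "bypasses" a working tunnel: a ping issued on the firewall itself uses the public interface address as its source, which is outside leftsubnet, so no SPD entry matches and the ICMP goes out unencrypted. Test from a host on the LAN, or bind the ping to the inside address (<span style=" font-family:'dejavu sans mono';">ping -I 10.11.0.5 192.168.0.10</span>). A matching policy only results in ESP if the corresponding SAs exist; <span style=" font-family:'dejavu sans mono';">ip xfrm state</span> lists them.<br>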
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-family:'dejavu sans';"><br></p><p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0; font-family:'dejavu sans';"><br></p><span style=" font-family:'dejavu sans';"> </span></p></body></html>