[Openswan Users]

Paul Wouters paul at xelerance.com
Fri Dec 30 20:31:11 CET 2005


On Thu, 29 Dec 2005, Pat Fricke wrote:

> Long and short of it is I have a tunnel established by a road warrior
> LinkSys router but the workstations cannot connect to the SAMBA shares. Both
> the secure log on the Fedora box and the LinkSys router show the tunnel is
> connected (STATE_QUICK_R2: IPsec SA established {ESP=>0xadec39d6 <0x77944d7f
> xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

> -A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT

> -A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT

That is not correct. The originating port is not necessarily 4500. It could be
a random high port (since the client could be behind a NAT gateway).

> config setup
>             interfaces=%defaultroute
>             klipsdebug=none
>             plutodebug=none
>             uniqueids=yes

You did not enable nat traversal on purpose?

> conn %default
>     authby=secret
>
> conn vpn
>     left=xxx.xxx.xxx.xxx (real world ip)
>     leftid= xxx.xxx.xxx.xxx (real world ip)
>     leftnexthop= xxx.xxx.xxx.xxx (real world gateway ip)
>     right=%any
>     rightnexthop=%defaultroute
>     rightsubnet=192.168.0.0/24
>         keyexchange=ike
>         ikelifetime=240m
>         keylife=60m
>         pfs=yes
>         compress=no
>     auto=add

You should be very careful playing with these layouts like that. The parser
is very dumb. It looks ok otherwise.

Check with ipsec verify and otherwise post a link to your ipsec barf output.
Please do not anonymize, since it will be next to impossible to detect
configuration mistakes.

Paul
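As an added example (not part of the thread, and not Openswan's own tooling), a small sh script that flags the OUTPUT-rule pattern Paul objects to in an iptables-save style dump and prints the rule set an IPsec responder with NAT traversal actually needs. The sample rules and the interface name (eth0) are constructed for illustration.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not from the original post) reproducing the
# problem: the OUTPUT rule keys on the *remote* port 4500. After NAT the peer's
# port is arbitrary, so the responder's own replies never match this rule.
SAMPLE_RULES='-A INPUT -p udp -m udp -i eth0 --dport 500 -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
-A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT'

# Print every OUTPUT rule that matches only --dport 4500 and never --sport.
# Always exits 0 so it can be used under set -e; an empty result means clean.
find_bad_output_rules() {
    printf '%s\n' "$1" \
        | grep -E -- '^-A OUTPUT .*--dport 4500' \
        | grep -v -- '--sport' || true
}

# Rules for the responder side: accept IKE (udp/500) and NAT-T (udp/4500)
# inbound on our own ports, match our own *source* port outbound, and accept
# plain ESP (IP protocol 50) both ways for peers that are not behind NAT.
# The interface is a parameter; the assumed value here is eth0.
nat_t_rules() {
    iface=$1
    cat <<EOF
-A INPUT -p udp -m udp -i $iface --dport 500 -j ACCEPT
-A INPUT -p udp -m udp -i $iface --dport 4500 -j ACCEPT
-A INPUT -p esp -i $iface -j ACCEPT
-A OUTPUT -p udp -m udp -o $iface --sport 500 -j ACCEPT
-A OUTPUT -p udp -m udp -o $iface --sport 4500 -j ACCEPT
-A OUTPUT -p esp -o $iface -j ACCEPT
EOF
}

# Stand-alone run: report the offending rule, then show the corrected set.
echo "Rules that will drop NAT-T replies:"
find_bad_output_rules "$SAMPLE_RULES"
echo
echo "Corrected rules for eth0:"
nat_t_rules eth0
```

Run it against the real output of `iptables-save` to check a live box; a rule set that already accepts ESTABLISHED traffic on OUTPUT would also pass the replies, but matching our own --sport is the explicit form.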

