[Openswan Users] NETKEY issue with RoadWarrior connection to Checkpoint R65
Ondrej Valousek
webserv at s3group.cz
Fri Dec 18 03:37:55 EST 2009
Hi Paul,
No, it does not (note I am not using L2TP):
[root at ondar ~]# ip xfrm policy
src 192.168.60.0/24 dst 193.86.86.100/32 proto tcp
dir in priority 2088
tmpl src 193.85.188.83 dst 193.86.86.100
proto esp reqid 16389 mode tunnel
src 193.86.86.100/32 dst 192.168.60.0/24 proto tcp
dir out priority 2088
tmpl src 193.86.86.100 dst 193.85.188.83
proto esp reqid 16389 mode tunnel
src 192.168.60.0/24 dst 193.86.86.100/32 proto tcp
dir fwd priority 2088
tmpl src 193.85.188.83 dst 193.86.86.100
proto esp reqid 16389 mode tunnel
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
[root at ondar ~]# ip xfrm state
src 193.86.86.100 dst 193.85.188.83
proto esp spi 0xd422f931 reqid 16389 mode tunnel
replay-window 32
auth hmac(sha1) 0x9e86e3a35aafa69877304694d0bed95836a96322
enc cbc(des3_ede) 0x50ea5d294af956f623b66f3e4819640fb982c47b8fd9b631
src 193.85.188.83 dst 193.86.86.100
proto esp spi 0x8f17a537 reqid 16389 mode tunnel
replay-window 32
auth hmac(sha1) 0x4be8c3c3d199ab0981b8b6904c4d74f04997b982
enc cbc(des3_ede) 0xbc53fad0ee86da3464e9b7717d8047302ed33c54559c0db7
Regards,
Ondrej
On 17.12.2009 22:50, Paul Wouters wrote:
> On Thu, 17 Dec 2009, Ondrej Valousek wrote:
>
>> I did not configure the policy properly on the firewall. Now it works
>> fine (always glad when I can answer
>> myself :-)
>> Funny thing is, that the *protoport option is completely ignored
>> (everything that belongs to the 192.168.60.x
>> subnet is being tunneled to the other side).
>
> Can you show "ip xfrm policy" and "ip xfrm state". Does it show the
> 1701 ports?
>
> Paul
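
An added example, not part of the original thread: a Python check that parses `ip xfrm policy` output and reports IPsec policies whose selector is wider than the protocol and port a protoport setting was meant to enforce. The function names, the expected protocol/port arguments and the second and third sample policies are assumptions constructed for illustration; only the first sample policy is taken from the output above.

```python
# Audit `ip xfrm policy` output for selectors wider than an intended protoport.
# First sample policy is from the post; the other two are constructed.
SAMPLE = """\
src 192.168.60.0/24 dst 193.86.86.100/32 proto tcp
    dir in priority 2088
    tmpl src 193.85.188.83 dst 193.86.86.100
        proto esp reqid 16389 mode tunnel
src 10.0.0.1/32 dst 10.0.0.2/32 proto udp sport 1701 dport 1701
    dir out priority 2080
    tmpl src 10.0.0.1 dst 10.0.0.2
        proto esp reqid 16385 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 0
"""


def parse_policies(text):
    """Split `ip xfrm policy` output into one dict per policy."""
    policies = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "src":
            # Selector line: key/value pairs (src, dst, proto, sport, dport).
            pol = dict(zip(tok[0::2], tok[1::2]))
            pol["ipsec"] = False
            policies.append(pol)
        elif policies and tok[0] == "dir":
            policies[-1]["dir"] = tok[1]
        elif policies and tok[0] == "tmpl":
            # A template means traffic matching the selector is transformed.
            policies[-1]["ipsec"] = True
    return policies


def too_broad(policies, proto, port):
    """Return IPsec policies whose selector is not limited to proto/port."""
    hits = []
    for p in policies:
        if not p["ipsec"]:
            continue  # priority-0 entries without a template are skipped
        ports = {p.get("sport"), p.get("dport")}
        if p.get("proto") != proto or str(port) not in ports:
            hits.append((p["dir"], p["src"], p["dst"], p.get("proto", "any")))
    return hits
```

The parser keys on the first word of each line, so it accepts both the indented output of `ip xfrm policy` and the flattened form seen in the archived message.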