Networking Forums

freeswan limitation regarding networks??

 
 
Agent Smith (Guest), 06-17-2004, 09:45 PM
I recently loaded FreeS/WAN on a Linux box here to experiment with our
Checkpoint firewall. It works (sort of), but here is the problem.

Here is my ipsec.conf (addresses are made up):

version 2.0

config setup

conn %default
    type=tunnel
    keyingtries=3
    left=68.74.xxx.xxx
    right=208.217.xxx.xxx
    leftnexthop=68.74.xxx.xxx
    ikelifetime=1h
    rekeymargin=10m
    rekeyfuzz=40%
    keylife=1h
    keyexchange=ike
    auth=esp
    pfs=no
    auto=start
    authby=secret

# the opportunistic-encryption conns shipped with FreeS/WAN, disabled
conn block
    auto=ignore
conn clear
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn packetdefault
    auto=ignore

# subnet-to-subnet: 192.168.60.0/24 behind left, 143.17.0.0/16 behind right
conn checkpoint1
    leftsubnet=192.168.60.0/24
    rightsubnet=143.17.0.0/16

# host-to-subnet: no leftsubnet, so the left selector is the left host itself
conn checkpoint2
    rightsubnet=143.17.0.0/16

I have a class B subnet (subnetted into multiple class Cs) behind the
208.217.xxx.xxx firewall (Checkpoint NG FP3).

With the above ipsec.conf it doesn't work, and it produces the following
message in the logs when I try to connect from the 143.17.3.28 machine
to 192.168.60.5 (a PC behind the Linux box):

cannot respond to IPsec SA request because no connection is known for 68.74.xxx.xxx...208.217.xxx.xxx===143.17.3.0/25


So I added the following to ipsec.conf, and then it worked fine:

conn abc
    rightsubnet=143.17.3.0/25

But you see, I shouldn't have to do that, since 143.17.3.28 is part of
143.17.0.0/16 as defined in conn checkpoint2.


Is this a limitation of FreeS/WAN, or am I missing something?


Here are some outputs that might help:

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                   [OK]
Linux FreeS/WAN U2.05/K2.0.2
Checking for IPsec kernel support: found KLIPS                    [OK]
Checking that pluto is running                                    [OK]
Two or more interfaces found, checking IP forwarding              [OK]
Checking NAT and MASQUERADEing                                    [OK]
Opportunistic Encryption DNS checks:
   Looking for TXT in forward map: sername                        [MISSING]
   Does the machine have at least one non-private address?        [OK]
   Looking for TXT in reverse map: xxx.xxx.74.68.in-addr.arpa.    [MISSING]


# uname -a
Linux sername 2.4.23 #5 SMP Fri Jun 11 08:16:29 EDT 2004 i686 unknown
pptp:~# cat /etc/debian_version
3.0


# ipsec auto --status
000 interface ipsec0/ppp0 68.74.xxx.xxx
000 %myid = (none)
000 debug none
.....


Anyone?
 
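What the log line and the conn abc workaround together show is how pluto (the FreeS/WAN IKE daemon) picks a connection for an incoming Phase 2 proposal: the selectors the peer proposes must equal a conn's own selectors, and a proposal that merely falls inside a configured subnet is not accepted. Here the Checkpoint proposes 143.17.3.0/25 while checkpoint2 defines 143.17.0.0/16, so no conn matches. The script below is an added example, not code from the post or from FreeS/WAN. It re-implements that exact-match lookup over a constructed ipsec.conf fragment and a constructed copy of the pluto message, contrasts it with a contained-in lookup to show why checkpoint2 looks like it should have worked, and emits the per-subnet conn stanza the poster had to add by hand. The addresses 68.74.1.2 and 208.217.3.4 are placeholders standing in for the xxx'd values in the post; the function names are mine.

```python
"""Reproduce pluto's exact-match selector lookup against an ipsec.conf.

Added example, not code from the post or from FreeS/WAN; addresses are placeholders.
"""
import ipaddress
import re

# Constructed ipsec.conf fragment mirroring the post (placeholder public addresses).
IPSEC_CONF = """\
conn %default
    left=68.74.1.2
    right=208.217.3.4
conn checkpoint1
    leftsubnet=192.168.60.0/24
    rightsubnet=143.17.0.0/16
conn checkpoint2
    rightsubnet=143.17.0.0/16
"""

# Constructed log line in the form pluto prints: [leftsubnet===]left...right[===rightsubnet]
LOG_LINE = ("cannot respond to IPsec SA request because no connection is known for "
            "68.74.1.2...208.217.3.4===143.17.3.0/25")

LOG_RE = re.compile(
    r"no connection is known for (?:(\S+?)===)?(\S+?)\.\.\.(\S+?)(?:===(\S+))?$")


def parse_conns(text):
    """Return {name: params} for each conn, with %default values merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **params} for name, params in conns.items()}


def selectors(conn):
    """A conn's (left, right) traffic selectors; no subnet means the host itself (/32)."""
    left = conn.get("leftsubnet", conn["left"] + "/32")
    right = conn.get("rightsubnet", conn["right"] + "/32")
    return (ipaddress.ip_network(left, strict=False),
            ipaddress.ip_network(right, strict=False))


def parse_request(line):
    """Extract the (left, right) selectors the peer proposed from the log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a pluto 'no connection is known' line")
    lsub, left, right, rsub = m.groups()
    return (ipaddress.ip_network(lsub or left + "/32", strict=False),
            ipaddress.ip_network(rsub or right + "/32", strict=False))


def find_conn(conns, requested, exact=True):
    """exact=True is pluto's rule: the proposal must equal a conn's selectors.
    exact=False shows what a 'contained-in' lookup would have picked instead."""
    want_left, want_right = requested
    for name, conn in conns.items():
        left, right = selectors(conn)
        if exact and (left, right) == (want_left, want_right):
            return name
        if not exact and want_left.subnet_of(left) and want_right.subnet_of(right):
            return name
    return None


def conn_stanza(name, requested):
    """The workaround from the post: one extra conn per subnet the peer proposes."""
    left, right = requested
    lines = ["conn " + name]
    if left.prefixlen != 32:
        lines.append("    leftsubnet=" + str(left))
    if right.prefixlen != 32:
        lines.append("    rightsubnet=" + str(right))
    return "\n".join(lines)


if __name__ == "__main__":
    conns = parse_conns(IPSEC_CONF)
    requested = parse_request(LOG_LINE)
    print("proposed:", requested)
    print("exact match (pluto):", find_conn(conns, requested))
    print("would match if contained-in:", find_conn(conns, requested, exact=False))
    if find_conn(conns, requested) is None:
        print(conn_stanza("abc", requested))
```

Run against the post's own log line this prints no exact match, shows that checkpoint2 would have matched under a contained-in rule, and prints the conn abc stanza. Because the lookup is exact on both ends, the two sides must agree on the selector: either the peer proposes the selector a conn already defines, or a conn exists for each subnet the peer actually proposes, which is what adding conn abc achieved.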