Re: IPSec tunnel problem

From: Alexey Vatchenko (avbsdua.org)
Date: Fri Feb 29 2008 - 16:39:46 CST


Hi!

Thanks for the reply!

Markus Wernig wrote:
> From my point of view the problem is that you use the same network
> range 192.168.0/24 in your home and office. Off the top of my head I'd
> say that this should not work. The routing entries look a bit scary,
> actually. If I had the same setup, I'd try one of the following:
> - change the home network to something other than 192.168.0/24

No, I don't use the same network address for the two networks.

Actually, the problem is here (take a look at "flow esp out"):

office-gw$ sudo ipsecctl -s all
FLOWS:
flow esp in from 0.0.0.0/0 to 192.168.0.0/24 peer HOME_GATEWAY srcid OFFICE_GATEWAY/32 dstid avbsdua.org type use
flow esp out from 192.168.0.0/24 to 0.0.0.0/0 peer HOME_GATEWAY srcid OFFICE_GATEWAY/32 dstid avbsdua.org type require
flow esp in from 192.168.0.0/24 to 192.168.0.0/24 type bypass
flow esp out from 192.168.0.0/24 to 192.168.0.0/24 type bypass

SAD:
esp tunnel from HOME_GATEWAY to OFFICE_GATEWAY spi 0x5d3e6f12 auth hmac-sha2-256 enc aes
esp tunnel from OFFICE_GATEWAY to HOME_GATEWAY spi 0x7072ca39 auth hmac-sha2-256 enc aes

It's because of:
ike passive esp from 192.168.0.0/24 to any local egress dstid avbsdua.org psk xxx

To any! But what should I use if I don't know the peer's address?
How should the ike rule be specified to create a flow with the peer's
address instead of 0.0.0.0/0?

--
Alexey Vatchenko
http://www.bsdua.org
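The diagnosis in the post comes from reading the FLOWS section of `ipsecctl -s all` and noticing that `to any` in ipsec.conf expanded to `0.0.0.0/0`. The following is an added example, not code from the original post or from OpenBSD, that performs that check automatically: it parses the flow lines (using the exact shape printed above; the sample input is constructed from the post's own output with the e-mail line wrapping undone, and the regex is an assumption tailored to those fields, so flows with `proto`/port qualifiers that this post does not show would need it extended) and reports every non-bypass flow bound to a catch-all network. A `type require` flow towards `0.0.0.0/0` is worth flagging because, per ipsec.conf(5), `require` means matching traffic must go through IPsec, so every non-local packet leaving 192.168.0.0/24 is forced into the tunnel rather than only the traffic for the remote LAN.

```python
import re

# Constructed sample: the FLOWS section from the office gateway in the post,
# with the e-mail line wrapping undone. Not live output.
SAMPLE_FLOWS = """\
FLOWS:
flow esp in from 0.0.0.0/0 to 192.168.0.0/24 peer HOME_GATEWAY srcid OFFICE_GATEWAY/32 dstid avbsdua.org type use
flow esp out from 192.168.0.0/24 to 0.0.0.0/0 peer HOME_GATEWAY srcid OFFICE_GATEWAY/32 dstid avbsdua.org type require
flow esp in from 192.168.0.0/24 to 192.168.0.0/24 type bypass
flow esp out from 192.168.0.0/24 to 192.168.0.0/24 type bypass
"""

# Assumed line shape, matching the fields shown in the post: proto, direction,
# src, dst, optional peer/srcid/dstid, then the flow type.
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?"
    r"(?:\s+srcid\s+(?P<srcid>\S+))?"
    r"(?:\s+dstid\s+(?P<dstid>\S+))?"
    r"\s+type\s+(?P<type>\S+)\s*$"
)

CATCH_ALL = ("0.0.0.0/0", "::/0")


def parse_flows(text):
    """Return one dict per 'flow ...' line; SAD lines and headers are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("flow "):
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError("unparsed flow line: " + line)
        flows.append(m.groupdict())
    return flows


def is_catch_all(flow):
    # A default route on either side means the policy is not tied to a concrete
    # remote network; ipsec.conf "to any" produces exactly this.
    return flow["src"] in CATCH_ALL or flow["dst"] in CATCH_ALL


def find_catch_all_flows(text):
    """Non-bypass flows whose src or dst is a catch-all network."""
    return [f for f in parse_flows(text) if is_catch_all(f) and f["type"] != "bypass"]


def describe(flow):
    severity = "forces ALL matching traffic into IPsec" if flow["type"] == "require" else "uses IPsec when an SA exists"
    return "%s %s -> %s peer %s type %s (%s)" % (
        flow["dir"], flow["src"], flow["dst"], flow["peer"], flow["type"], severity)


if __name__ == "__main__":
    # Run against live output with: ipsecctl -s flow | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FLOWS
    for f in find_catch_all_flows(data):
        print("catch-all flow:", describe(f))
```

On the post's output this prints two lines, one for each direction of the HOME_GATEWAY policy, and stays silent for the two bypass flows that only cover the local LAN.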