[vpn-help] -12 against ipsec-tools 0.6.6
Matthew Grooms
mgrooms at shrew.net
Thu Jul 27 11:07:36 CDT 2006
Peter Eisch wrote:
> This is closer. We get the ISAKMP config from the server (10.1.202.0/24,
> etc.) but it doesn't seem to get ack'd. The server never adds the SA
> entries, nor does the client seem to. At this point we just wither and all
> the routing still goes out the "normal" path. (Again: Hybrid 3des/md5/dh
> group 2; 3des/md5/pf 2. Server config has not changed, client config
> attached.)
>
It looks like it's working properly. The problem appears to be that the
client is configured to request a split network list ...
> ii : determining required modecfg attributes
> ii : - IP4 Address
> ii : - IP4 Netamask
> ii : - IP4 DNS Server
> ii : - IP4 DNS Suffix
> ii : - Split DNS Domains
> ii : - IP4 WINS Server
> ii : - IP4 Split Network Include List
> ii : - IP4 Split Network Exclude List
> ii : sending isakmp config request
.... but none are being returned ...
> ii : received isakmp config reply
> ii : - IP4 Address = 10.1.202.0
> ii : - IP4 Netmask = 255.255.255.0
> ii : - IP4 DNS Server = 10.1.100.126
> ii : - IP4 WINS Server = 10.1.100.126
... I probably need to add a check for this and spit a warning out in
the client feedback window.
The problem is most likely due to no split network configuration being
defined in your modecfg section ...
mode_cfg {
    network4 10.1.202.0;
    pool_size 255;
    netmask4 255.255.255.0;
    auth_source system;
    dns4 10.1.100.126;
    wins4 10.1.100.126;
    # default_domain "visionshareinc.com";
    banner "/etc/racoon/motd";
    pfs_group 2;
}
... If you are attempting to access the 10.1.100.0/24 network, you need
to add a statement to your modecfg section like so ...
split_network include 10.1.100.0/24;
... The alternative is to configure the client to force all traffic
across the tunnel. However, configuring split tunneling is the
recommended method of configuration. The Cisco client was probably
working because it defaults to forcing all traffic if no split network
config is returned. Please let me know how this works out for you.
Also, if you have a chance, I would be interested to hear if the client
still works with the ca.crt moved back to the original location or if it
was the updated client that fixed the problem.
Thanks,
-Matthew
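As an added example (not part of Matthew's message or of the racoon/ipsec-tools documentation), here is the quoted mode_cfg section as posted, followed by the same section with the split_network statement Matthew suggests. The two blocks are a before/after comparison, not one file to paste as-is; the addresses are the ones from the thread and the 10.1.100.0/24 network is assumed to be the one the client needs to reach.

```conf
# BEFORE (added example, reproducing the section quoted in the thread):
# no split_network statement, so racoon has nothing to put in the
# "IP4 Split Network Include List" the client asks for, and the
# ISAKMP config reply carries only address, netmask, DNS and WINS.
mode_cfg {
    network4 10.1.202.0;
    pool_size 255;
    netmask4 255.255.255.0;
    auth_source system;
    dns4 10.1.100.126;
    wins4 10.1.100.126;
    # default_domain "visionshareinc.com";
    banner "/etc/racoon/motd";
    pfs_group 2;
}

# AFTER (added example): the same section with the statement from the
# reply. racoon now answers the client's split network request with
# 10.1.100.0/24, so only traffic for that network is routed into the
# tunnel while everything else keeps the "normal" path. The network is
# an assumption based on the thread; use the one you need to reach.
mode_cfg {
    network4 10.1.202.0;
    pool_size 255;
    netmask4 255.255.255.0;
    auth_source system;
    dns4 10.1.100.126;
    wins4 10.1.100.126;
    # default_domain "visionshareinc.com";
    banner "/etc/racoon/motd";
    pfs_group 2;
    split_network include 10.1.100.0/24;
}
```

After changing the server config, restart racoon and reconnect; the client feedback window should then list the included network under "IP4 Split Network Include List" in the received isakmp config reply, and the SA entries should appear on both sides.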
More information about the vpn-help mailing list