[vpn-help] -12 against ipsec-tools 0.6.6
Matthew Grooms
mgrooms at shrew.net
Thu Jul 27 14:12:46 CDT 2006
Peter Eisch wrote:
>
> How about I go a little different direction and put the server on a different
> LAN where no servers linger? I moved it to 10.1.101.26. All other
> config/environment information remains the same.
>
The server's WAN/LAN address has little to no bearing on the client
operating correctly. For the client to work, it needs to know what
traffic to pass across the tunnel. This is the equivalent of an SPD
entry on *nix (i.e. setkey ...). There are several ways to accomplish this.

1) You have the server describe which networks to tunnel. This is split
include (strongly recommended). The server must have "split_network
include" in the racoon mode_cfg section.

2) You have the server describe which networks not to tunnel. This is
split exclude. The server can optionally have "split_network local_lan"
in the racoon mode_cfg section.

3) You manually define the include or exclude information in the client.

Here is the current situation. The client is connecting properly but has
no idea what traffic to forward across the tunnel. It's requesting a
network list from the server via modecfg. Racoon receives the request
but has no split networks defined in its mode_cfg section. For this
reason it can't reply with the information the client needs to operate.

I understand that the Cisco client is working. When it receives no split
network list from the server, it falls back to option (2), which is
tunnel everything with no exclusions (except possibly local LAN traffic).
The Shrew Soft client is much more highly configurable, which is a double
edged sword in this case. I suppose we could adopt the Cisco client
methodology here, but my preference would be to make it break with useful
debug feedback (missing at the moment) than have it work with a
mismatched configuration.

Again, thanks for your efforts testing the client out. You have already
helped identify two bugs so far. Very much appreciated!
-Matthew
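As an added illustration of option (1) above, here is a racoon.conf mode_cfg fragment of the kind the message says the server must carry. This is not from the original message or from the ipsec-tools project; the address pool (10.1.250.0/24) and the internal networks listed (10.1.101.0/24, 10.1.102.0/24) are constructed for the example and must be replaced with the real internal ranges.

```conf
# Added example racoon.conf fragment (not from the original message).
# Addresses are constructed for illustration: the server's LAN is assumed
# to be 10.1.101.0/24 and the pool handed to clients 10.1.250.0/24.
mode_cfg {
    # Address pool and netmask pushed to the client via ISAKMP mode-config
    network4   10.1.250.1;
    pool_size  50;
    netmask4   255.255.255.0;

    # Option 1 from the message: tell the client which networks to tunnel
    # (split include). Destinations not listed here are NOT protected by the
    # tunnel, so list every internal network the client must reach.
    split_network include 10.1.101.0/24, 10.1.102.0/24;

    # Option 2 from the message, shown as the alternative form: tell the
    # client which networks to leave untunneled and send everything else
    # through the tunnel.
    # split_network local_lan 192.168.1.0/24;

    auth_source system;
    conf_source local;
}
```

The check worth making after a client connects is that the include list really covers every destination the client is expected to reach through the gateway: with split include, anything outside that list is sent directly from the client rather than through the tunnel, so a missing network shows up as traffic silently leaving the protected path rather than as a visible error.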