[vpn-help] Policy configuration
Matthew Grooms
mgrooms at shrew.net
Tue Mar 14 03:38:45 CST 2006
Michael Ragusa wrote:
> I just tried out the new beta8 client and it was able to establish a
> tunnel but the problem is that I'm not able to ping the internal gateway
> or telnet to any services on the gateway's internal interface nor am I
> able to ping any machines on the inside net
>
Well, the good news is that it looks like all the negotiations are being
completed without an issue and esp transport packets are being emitted
from the client. Do you have a firewall running on the gateway? If so,
you will need to add rules to allow the 10.246.37.0/24 network to
communicate with the 10.246.38.0/24 network. Otherwise they will be
blocked after ipsec processing. You could try to run a tcpdump on the
external interface of your gateway to determine if the NAT-T transport
packets are arriving from the client. For example, you could try ...
    tcpdump -i <external interface> udp and port 4500
... and then ping the 10.246.38.1 address. If the packets are getting to
the gateway, you should see them in the tcpdump. I can't imagine why
they wouldn't be since the same transport/ports are being used for the
isakmp negotiations.
What OS and firewall package are you running?
-Matthew
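
Added example, not part of the original message: a small classifier for the UDP payloads that a capture on port 4500 would show, using the RFC 3948 framing (four zero bytes mark IKE, a non-zero SPI marks UDP-encapsulated ESP, a single 0xFF byte is a NAT keepalive). The sample payloads, function names and diagnosis strings are constructed for illustration.

```python
import struct
from collections import Counter

def classify(payload: bytes) -> str:
    """Classify one UDP/4500 payload using the RFC 3948 framing rules."""
    if payload == b"\xff":
        return "keepalive"   # NAT-keepalive: a single 0xFF byte
    if len(payload) < 8:
        return "malformed"   # too short for a marker or an ESP header
    if payload[:4] == b"\x00" * 4:
        return "ike"         # non-ESP marker, ISAKMP header follows
    return "esp"             # non-zero SPI: UDP-encapsulated ESP

def esp_header(payload: bytes):
    """Return (SPI, sequence number) of a UDP-encapsulated ESP packet."""
    return struct.unpack("!II", payload[:8])

def diagnose(payloads) -> str:
    """Map the packet mix seen on the gateway to the next check to make."""
    seen = Counter(classify(p) for p in payloads)
    if seen["esp"]:
        return "ESP reaches the gateway: check firewall rules applied after IPsec processing"
    if seen["ike"]:
        return "only IKE reaches the gateway: ESP is not arriving from the client"
    return "no NAT-T traffic from the client"

# Constructed sample payloads (not taken from a real capture).
IKE = b"\x00" * 4 + b"\x11" * 8 + b"\x22" * 8 + bytes(12)
ESP = struct.pack("!II", 0x1A2B3C4D, 1) + b"\xaa" * 32
KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for name, p in (("IKE", IKE), ("ESP", ESP), ("keepalive", KEEPALIVE)):
        print(name, "->", classify(p))
    print("SPI/seq:", esp_header(ESP))
    print(diagnose([IKE, KEEPALIVE]))
    print(diagnose([IKE, ESP, ESP]))
```
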