Topic: Freeswan

[Tony Howden]

Hi All

I've got two 5.5u6 servers up and running with the freeswan contrib from daryl.

The two servers talk to each other just fine. But I cannot get to any of the workstations or other machines behind the servers.

I've searched the forums and it seems that this is not an issue for anyone else. Can someone please give me some ideas of where to look to fix this.

TIA

Tony

[Lloyd Keen]

Did you add the remote networks IP into the "Local Network" panel in the server-manager? Try doing a remote access update (#/sbin/e-smith/signal-event remoteaccess-update) Try restarting IPSec at both ends after you have done all this.

[Tony Howden]

Hi Lloyd

I have the local network configs done as per the how-to and just as a precaution have tried the /sbin/e-smith/signal-event remoteaccess-update as well as a full reboot of the servers.

The ipsec connections come up fine and I have tested ping, traceroute, and browsing the web server(s) from the opposite side. No problems. But I cannot ping or traceroute to the servers behind the gateways.

Doing a trace from one server to the other gives me the relevant local ip in one hop. Trace from a server to a workstation on the other side gives me a hop to the external ip address and then nothing. Makes me wonder if the routing is not right.

cheers
Tony

[Lloyd Keen]

It certainly sounds like the firewall is blocking the packets. Try doing a route -n at both ends and compare the results. Maybe try removing the "Local Network" and re add it. Also just check /etc/smb.conf and make sure that you have a hosts allow entry in there for the remote network.

[Tony Howden]

Hi

The routes appear ok and I am assuming that the .rpm setup from Daryl is working for other people and therefore it must be something peculiar to my config.

Both ends have fixed ip addresses with a 255.255.255.252 mask for a total of 4 ips for network, gateway, server i/f, and b/cast.

The route -n reveals that a packet destined for the internal lan at the opposite end is directed to the external gateway for the local server. This puzzles me slightly, but again, I am assuming that this is how the freeswan .rpm is meant to be.

I would not have thought samba would affect the tcp/ip packet transfer, certainly it would block netbios calls but I am not even getting that far.

cheers
Tony


>It certainly sounds like the firewall is blocking the packets. Try doing a route -n >at both ends and compare the results. Maybe try removing the "Local Network" >and re add it. Also just check /etc/smb.conf and make sure that you have a >hosts allow entry in there for the remote network.

[steve]

do the hosts on each network know how to get the other network?
meaning hosts on network A have routes added pointing to network B and  vice versa?
this usually happens when the sme servers are not the default gateway for their network

seve

[Tony Howden]

Hi Steve & All

Thanks for your suggestion and as it happens I had just found a similar problem described and resolved here http://www.e-smith.org/bboard//read.php?f=3&i=38097&t=38085&v=f

For those that might be following in my footsteps the resolution is:

I have multiple sme servers and two internet connections. One is the main outbound server for web browsing and the other is specifically for a vpn connection. The problem with not getting connected was simply that the ping packets were being accepted into the network but the workstations and other servers beyond the gateway all pointed to the main gateway as a default route and it knew nothing about the vpn remote lan.  

Adding the remote LAN as a local network in the server-manager on the second server fixed the routing issue.

Thanks to all for your help, direct and indirect, keep the posts coming.

cheers
Tony

[.nate]

Tony Howden wrote:

> Hi Steve & All
>
> Thanks for your suggestion and as it happens I had just found
> a similar problem described and resolved here
> http://www.e-smith.org/bboard//read.php?f=3&i=38097&t=38085&v=f


Where is this post?
Did we loose all this important information?



 
> For those that might be following in my footsteps the
> resolution is:
>
> I have multiple sme servers and two internet connections. One
> is the main outbound server for web browsing and the other is
> specifically for a vpn connection. The problem with not getting
> connected was simply that the ping packets were being accepted
> into the network but the workstations and other servers beyond
> the gateway all pointed to the main gateway as a default route
> and it knew nothing about the vpn remote lan.  
>
> Adding the remote LAN as a local network in the
> server-manager on the second server fixed the routing issue.
>
> Thanks to all for your help, direct and indirect, keep the
> posts coming.
>
> cheers
> Tony

[%sig%]

[Lloyd Keen]

Nate,
This is probably it, http://forums.contribs.org/index.php?topic=8658.msg32470#msg32470


[%sig%]