Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Walter Padgett on May 05, 2003, 06:23:01 PM

Title: VPN - IPSEC
Post by: Walter Padgett on May 05, 2003, 06:23:01 PM
Good Morning,

I reinstalled, from scratch, E-Smith 5.6u at location A. Location B still had E-Smith v5.1.2 running at this time. I was able to set up the IPSEC tunnel and everything worked fine. Something happened though and it is now not working. I have no real point of reference to go on. I can ping both firewalls from another network but when I'm in front of either firewall, they won't ping each other. They will ping their and the other one's gateway.

After the tunnel went down, I reinstalled 5.6u on location B and still no luck. Is there something I can look at in location A that will tell me if it is denying access to the one specific IP?

Thanks for all the help, I appreciate it immensely.

Wally
Title: Re: VPN - IPSEC
Post by: Paul F on May 05, 2003, 10:26:27 PM
Which IPSEC contrib are you using?

What does ipsec eroute give you?
Title: Re: VPN - IPSEC
Post by: Walter Padgett on May 06, 2003, 12:07:31 AM
Here's the contrib I'm using on both ends:

dmc-mitel-freeswan-1.98-9sme56.noarch.rpm

Here's what ipsec eroute tells me: Note: last number has A or B according to location.

Location A:

35         164.58.148.A/32   -> 164.58.87.B/32   => %hold
28         164.58.148.A/32   -> 172.18.0.0/16      => %hold
0          172.17.0.0/16      -> 164.58.87.B/32   => %trap
0          172.17.0.0/16      -> 172.18.0.0/16      => %trap

Location B:

0          164.58.87.B/32   -> 164.58.148.A/32   => %trap
0          164.58.87.B/32   -> 172.17.0.0/16      => %trap
0          172.18.0.0/16      -> 164.58.148.A/32   => %trap
0          172.18.0.0/16      -> 172.17.0.0/16      => %trap

Any ideas?

Wally
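
The `ipsec eroute` listings in the post above can be read mechanically. The following is an added example, not part of the original posts or of any contrib: the function names and state labels are hypothetical, and the SAID meanings in the comments follow the FreeS/WAN ipsec_eroute(5) man page (`%trap` waits for traffic to trigger keying, `%hold` holds packets until an SA replaces it, an established route points at a `tun...@peer` SAID).

```python
import re

# One eroute line: packet count, source selector, destination selector, SAID.
LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)")

# The two gateways' output as posted in the thread (A/B stand in for the
# masked last octet, so addresses are treated as opaque strings).
LOCATION_A = """\
35         164.58.148.A/32   -> 164.58.87.B/32   => %hold
28         164.58.148.A/32   -> 172.18.0.0/16      => %hold
0          172.17.0.0/16      -> 164.58.87.B/32   => %trap
0          172.17.0.0/16      -> 172.18.0.0/16      => %trap
"""
LOCATION_B = """\
0          164.58.87.B/32   -> 164.58.148.A/32   => %trap
0          164.58.87.B/32   -> 172.17.0.0/16      => %trap
0          172.18.0.0/16      -> 164.58.148.A/32   => %trap
0          172.18.0.0/16      -> 172.17.0.0/16      => %trap
"""

def parse_eroutes(text):
    """Return one dict per eroute line; lines that do not match are skipped."""
    routes = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            count, src, dst, said = m.groups()
            routes.append({"packets": int(count), "src": src, "dst": dst, "said": said})
    return routes

def diagnose(text):
    """Classify one gateway's tunnel state from its `ipsec eroute` output."""
    routes = parse_eroutes(text)
    if not routes:
        return "no-eroutes"   # no IPsec policy loaded in the kernel
    saids = [r["said"] for r in routes]
    if "%hold" in saids:
        return "negotiating"  # packets held; if this persists, keying is not completing
    up = [s for s in saids if not s.startswith("%")]
    if len(up) == len(saids):
        return "up"           # every selector pair points at a tunnel SAID
    return "partial" if up else "idle"  # idle: only %trap-style entries, no SA

if __name__ == "__main__":
    for name, out in (("A", LOCATION_A), ("B", LOCATION_B)):
        print(name, diagnose(out), [r["packets"] for r in parse_eroutes(out)])
```

Run on the posted output, location A is classified as `negotiating` (held packets, no SA) and location B as `idle` (no traffic has matched its eroutes), so neither side has an established tunnel.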
Title: Re: VPN - IPSEC
Post by: Paul F on May 06, 2003, 09:16:35 PM
I am not sure but I used Lord Shad's contrib and it is working (but I am seeing a problem again today, tunnel is down.)

To get it working I removed the dmc rpm and followed the above how-to.
Title: Re: VPN - IPSEC
Post by: Wally on May 09, 2003, 10:03:04 AM
Good Evening,

Well, I would do the same thing, remove DMC and install Lord Shad's but it still doesn't address the issue of me not being able to ping the other side. I am able to ping the router from either side but when pinging the other firewall, it doesn't work. I have two firewalls at location A and only one at location B. I can ping the router and the second firewall at location A from B but can only ping the router from A primary firewall to B firewall, if that makes sense. I'm trying to figure out why they won't talk to each other.

On another note, I'm using the backup2ws contrib and used the default suggestion of what to back up. If I use that default selection, can I reformat the firewall at location A and use that backup to restore? Will it restore all the email as well as user IDs? I'm not familiar enough with the directory structure of a Linux box yet to know where what is.

Thanks for all the help,

Wally