Salut, I have a problem with direct connection of two servers using IPsec. The IKE key exchange always comes up, but then it seems that both the routing and the encryption go entirely wrong.
The hosts exchange their internal addresses (10.16.1.1 and 10.1.1.1) as ID tokens for phase 2. However, if I try to ping 10.16.1.1 from 10.1.1.1, the packets go out the external interface - unencrypted. If, however, I replace the ID tokens with the corresponding IP subnets (10.16.0.0/16 and 10.1.0.0/16), I get an even weirder effect:

* 10.16.0.0/16 can communicate with 10.1.0.0/16 just fine
* 10.1.0.0/16 can communicate with 10.16.0.0/16 just as well
* 10.16.1.1 cannot reach 10.1.0.0/16; however, people in 10.1.0.0/16 can connect to 10.16.1.1 just fine
* 10.1.1.1 cannot reach 10.16.0.0/16; however, people in 10.16.0.0/16 can connect to 10.1.1.1 just fine

[EMAIL PROTECTED] cat /etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-lifetime= 120,60:3600
Default-phase-2-lifetime= 120,60:3600
Retransmits= 5
Check-interval= 5
Exchange-max-time= 120
Listen-on= external_ip_address_of_wg
Policy-File= /etc/isakmpd/isakmpd.policy

[Phase 1]
external_ip_address_of_sygroup= ISAKMP-peer-sygroup

[Phase 2]
Connections= IPsec-wg-sygroup

[ISAKMP-peer-sygroup]
Phase= 1
Transport= udp
Local-address= external_ip_address_of_wg
Address= external_ip_address_of_sygroup

[IPsec-wg-sygroup]
Phase= 2
ISAKMP-peer= ISAKMP-peer-sygroup
Configuration= Default-quick-mode
Local-ID= Net-wg
Remote-ID= Net-sygroup

[Net-wg]
ID-type= IPV4_ADDR_SUBNET
Network= 10.16.0.0
Netmask= 255.255.0.0

[Net-sygroup]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.0.0
Netmask= 255.255.0.0

# Quick mode description
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-TWOFISH-SHA-PFS-SUITE

[EMAIL PROTECTED] cat /etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-lifetime= 120,60:3600
Default-phase-2-lifetime= 120,60:3600
Retransmits= 5
Check-interval= 5
Exchange-max-time= 120
Listen-on= external_ip_of_sygroup
Policy-File= /etc/isakmpd/isakmpd.policy

[Phase 1]
external_ip_of_wg= ISAKMP-peer-wg

[Phase 2]
Connections= IPsec-sygroup-wg

[ISAKMP-peer-wg]
Phase= 1
Transport= udp
Local-address= external_ip_of_sygroup
Address= external_ip_of_wg

[IPsec-sygroup-wg]
Phase= 2
ISAKMP-peer= ISAKMP-peer-wg
Configuration= Default-quick-mode
Local-ID= Net-sygroup
Remote-ID= Net-wg

[Net-wg]
ID-type= IPV4_ADDR_SUBNET
Network= 10.16.0.0
Netmask= 255.255.0.0

[Net-sygroup]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.0.0
Netmask= 255.255.0.0

# Quick mode description
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-BLF-SHA-PFS-SUITE

(This is the config where the clients can actually connect to each other. If I replace the Network= with Address= and set ID-type to IPV4_ADDR, the two routers still can't connect to each other, but neither can the clients.)

The point of the whole "exercise" is that I have a lot of IPsec nodes and should propagate their routes using some routing protocol. Any ideas on how to make the two routers talk to each other?

Tonnerre
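As an added illustration (not part of the original post, and not isakmpd's own code), the script below models the outbound flows that isakmpd derives from the Phase 2 IDs in the wg-side config above and asks whether a given packet falls under one of them. It assumes, as one plausible reading of the symptom, that traffic the gateway originates itself is sourced from its external address (192.0.2.1 is a constructed stand-in for external_ip_address_of_wg), which no flow keyed on the internal subnets covers.

```python
# Model the outbound IPsec flows (SPD selectors) isakmpd builds from Phase 2 IDs.
import ipaddress
from configparser import ConfigParser

# Constructed sample: the wg-side isakmpd.conf from the post, trimmed to the
# sections that define the Phase 2 selectors.
WG_CONF = """
[Phase 2]
Connections= IPsec-wg-sygroup
[IPsec-wg-sygroup]
Phase= 2
Local-ID= Net-wg
Remote-ID= Net-sygroup
[Net-wg]
ID-type= IPV4_ADDR_SUBNET
Network= 10.16.0.0
Netmask= 255.255.0.0
[Net-sygroup]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.0.0
Netmask= 255.255.0.0
"""

def id_to_network(conf, name):
    """Turn an isakmpd ID section into an ipaddress network (a host ID is a /32)."""
    sec = conf[name]
    if sec["ID-type"] == "IPV4_ADDR_SUBNET":
        return ipaddress.ip_network(f"{sec['Network']}/{sec['Netmask']}")
    if sec["ID-type"] == "IPV4_ADDR":
        return ipaddress.ip_network(sec["Address"])
    raise ValueError(f"unsupported ID-type {sec['ID-type']} in [{name}]")

def flows_from_conf(text):
    """Return (local_net, remote_net) for every connection listed under [Phase 2]."""
    conf = ConfigParser(interpolation=None)
    conf.optionxform = str  # keep the case of keys such as ID-type
    conf.read_string(text)
    flows = []
    for conn in conf["Phase 2"]["Connections"].split(","):
        c = conf[conn.strip()]
        flows.append((id_to_network(conf, c["Local-ID"]),
                      id_to_network(conf, c["Remote-ID"])))
    return flows

def disposition(flows, src, dst):
    """'ipsec' if an outbound flow covers src->dst, otherwise 'cleartext'.
    Assumption: a packet the gateway sources from its external address
    (outside both internal nets) matches no flow and so leaves unprotected."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "ipsec" if any(s in l and d in r for l, r in flows) else "cleartext"
```

Swapping the subnet IDs for IPV4_ADDR host IDs shrinks the flows to the single gateway pair, so client-to-client traffic stops matching, which is the other half of the symptom.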