Hi!
Thanks for the reply!
Markus Wernig wrote:
> From my point of view the problem is that you use the same network
> range 192.168.0/24 in your home and office. Off the top of my head I'd
> say that this should not work. The routing entries look a bit scary,
> actually. If I had the same setup, I'd try one of the following:
> - change the home network to something other than 192.168.0/24
No, I don't use the same network address for the two networks.
Actually, the problem is here (take a look at "flow esp out"):
office-gw$ sudo ipsecctl -s all
FLOWS:
flow esp in from 0.0.0.0/0 to 192.168.0.0/24 peer HOME_GATEWAY srcid OFFICE_GATEWAY/32 dstid [EMAIL PROTECTED] type use
flow esp out from 192.168.0.0/24 to 0.0.0.0/0 peer HOME_GATEWAY srcid OFFICE_GATEWAY/32 dstid [EMAIL PROTECTED] type require
flow esp in from 192.168.0.0/24 to 192.168.0.0/24 type bypass
flow esp out from 192.168.0.0/24 to 192.168.0.0/24 type bypass
SAD:
esp tunnel from HOME_GATEWAY to OFFICE_GATEWAY spi 0x5d3e6f12 auth hmac-sha2-256 enc aes
esp tunnel from OFFICE_GATEWAY to HOME_GATEWAY spi 0x7072ca39 auth hmac-sha2-256 enc aes
It's because of:
ike passive esp from 192.168.0.0/24 to any local egress dstid [EMAIL PROTECTED] psk xxx
To any! But what should I use if I don't know the peer's address?
How should the ike rule be specified to create a flow with the peer's
address instead of 0.0.0.0/0?
--
Alexey Vatchenko
http://www.bsdua.org
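Added example for the question above; this is not configuration from the original thread or from either poster. In an ike rule in ipsec.conf(5), "from" and "to" are the traffic selectors that become the SPD flow, while "peer" is the remote gateway; leaving "peer" out of a passive rule accepts any initiator, so the home gateway's address never has to be known. It is the "to any" selector in the quoted rule that turns into "to 0.0.0.0/0 ... type require". The office LAN and the "ike passive ... local egress ... psk" form are taken from the post; the home LAN 192.168.1.0/24, the identity home@example.org and the OFFICE_GATEWAY placeholder are my assumptions.

```conf
# Added example, office gateway /etc/ipsec.conf (not from the original thread).
# Assumptions: the home LAN behind the dynamic home gateway is 192.168.1.0/24,
# the redacted dstid is stood in for by home@example.org, and the PSK is "xxx"
# exactly as the posted rule had it.

office_net = "192.168.0.0/24"    # from the post
home_net   = "192.168.1.0/24"    # ASSUMPTION: LAN behind the home gateway
home_id    = "home@example.org"  # ASSUMPTION: placeholder for the dstid

# Before (the posted rule). "to any" installs an outbound flow to 0.0.0.0/0
# of type require, so once the SA is up everything the office LAN sends
# anywhere must go through the tunnel.
#ike passive esp from $office_net to any local egress dstid $home_id psk xxx

# After. Name the remote *network* in "to" and keep the *peer* unspecified:
# passive mode with no "peer" still accepts the home gateway from whatever
# address it currently has, but the flow is bounded by $home_net.
ike passive esp from $office_net to $home_net local egress \
        dstid $home_id psk xxx

# Matching rule on the home gateway (assumed, for completeness). It has the
# changing address, so it initiates; "dynamic" is active mode for a local
# address that may change. OFFICE_GATEWAY stands for the office's static address.
#ike dynamic esp from $home_net to $office_net peer OFFICE_GATEWAY \
#        srcid $home_id psk xxx
```

Parse the file without loading it with "ipsecctl -n -f /etc/ipsec.conf" before reloading. After the home gateway has brought the SA up, "ipsecctl -s flow" on the office gateway should show the outbound flow as "from 192.168.0.0/24 to 192.168.1.0/24 peer HOME_GATEWAY" rather than "to 0.0.0.0/0", with the peer address filled in from whatever address the initiator used.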