On Thu, Jul 27, 2006 at 04:06:44PM +0200, Marco Berizzi wrote:
>
> conn pass
> left=172.16.1.1
> leftsubnet=172.16.0.0/23
> right=172.16.1.253
> rightsubnet=10.180.0./16
> type=passthrough
> authby=never
> auto=route
>
> After running 'ipsec auto --add pa
On Thu, 2006-07-27 at 17:25 +0200, Marco Berizzi wrote:
> Andy Gay wrote:
>
> >As Herbert said, the right= address doesn't matter. Search for 10.180.
>
> If it doesn't matter, who told Linux to send packets for
> 10.180.0.0/16 to 172.16.1.253?
You're confusing routing with IPsec policy.
Your
Andy Gay wrote:
As Herbert said, the right= address doesn't matter. Search for 10.180.
If it doesn't matter, who told Linux to send packets for
10.180.0.0/16 to 172.16.1.253?
BTW - in your earlier mail you had "rightsubnet=10.180.0./16". Looks like
a typo there.
yes it was a typo.
On Thu, 2006-07-27 at 16:36 +0200, Marco Berizzi wrote:
> Andy Gay wrote:
>
> >It's a function of the IPsec SADB.
(That should have been SPDB, of course... :)
> The passthrough conn added a more
> >specific policy that will match before the tunnel policy.
> >You can run 'ip xfrm p' and 'ip xfrm
Andy Gay wrote:
It's a function of the IPsec SADB. The passthrough conn added a more
specific policy that will match before the tunnel policy.
You can run 'ip xfrm p' and 'ip xfrm s' to view the policies & state
info.
I did, but no results:
ip x p | grep '172.16.1.253'
nor
ip x s | grep '17
On Thu, 2006-07-27 at 16:06 +0200, Marco Berizzi wrote:
> Herbert Xu wrote:
>
> >Marco Berizzi <[EMAIL PROTECTED]> wrote:
> > >
> > > 172.16.0.0/23 dev eth2 proto kernel scope link src 172.16.1.1
> > > 10.180.0.0/16 via 172.16.1.253 dev eth2
> > > 10.0.0.0/8 via pub_ip dev eth0
> > > 127.0.0.0/
Herbert Xu wrote:
Marco Berizzi <[EMAIL PROTECTED]> wrote:
>
> 172.16.0.0/23 dev eth2 proto kernel scope link src 172.16.1.1
> 10.180.0.0/16 via 172.16.1.253 dev eth2
> 10.0.0.0/8 via pub_ip dev eth0
> 127.0.0.0/8 dev lo scope link
>
> I have noticed that packets for 10.180.0.0/16 network
>
Marco Berizzi <[EMAIL PROTECTED]> wrote:
>
> 172.16.0.0/23 dev eth2 proto kernel scope link src 172.16.1.1
> 10.180.0.0/16 via 172.16.1.253 dev eth2
> 10.0.0.0/8 via pub_ip dev eth0
> 127.0.0.0/8 dev lo scope link
>
> I have noticed that packets for 10.180.0.0/16 network
> are eaten by the ip
Hello everybody.
I'm running linux 2.6.16.27 on my firewall/ipsec gateway
with openswan 2.4.5
This is my firewall/network schema:
|
| /--eth0 (connected to ISP router)
|/
+--+--+
| |
| +--eth1 (DMZ)
| |
+--+--+
|\
| \--eth2 (internal network 172.16.0.0/23)
|
+-+
| | <--r