[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: vpn problem..

Hash: SHA1

R.M. Evers wrote:
| hello,
| i'm having some problems implementing a vpn configuration, and i'm
| hoping you guys could help me out here. we are hosting a debian sarge
| server for one of our customers, and they need to communicate with this
| server over the internet securely. to accomplish this, i want to create
| a vpn between the debian server and their network. for my test setup,
| this is what i did:
| on the left side of the vpn (debian sarge server):
| - compiled a 2.4.27-8 kernel with the backported KAME IPSec stack and
|   crypto modules
| - installed freeswan and ipsec-tools
| - this server has two NIC's:
|     * eth0 is connected to the internet, and has an external IP, let's
|       say
|     * eth1 is _not_ connected, but i assigned an internal IP to it:
| - setup iptables to accept the esp packets and IKE messages (udp/500)
|   from the right side (
| - configured freeswan for the vpn:
|     --
|     conn foo-bar
|       left=
|       leftsubnet=
|       leftnexthop=
|       right=
|       rightsubnet=
|       authby=secret
|       auto=start
|     --
| on the right side i set up a simple test network behind a netscreen
| appliance ( and configured the vpn.
| now, i can start the vpn and it works when i try to connect from right
| to left (let's say, from to tcpdump shows me
| esp packets, and everything works fine.

Does tcpdump show out-going and returning packets?

| now here's the problem: i cannot connect from left to right (i.e., from
| the debian server to a machine inside the right network). when i follow
| the tcpdump when i nmap a machine in the right network (, i
| can see packets going from to so it's not
| travelling the vpn and i don't have a clue why. i'm kind of a n00b at
| this stuff, so i was amazed i actually got this far. but does anyone
| know what i have to do to have a fully functional bidirectional vpn? or
| is my setup just, well, plain stupid?? :-) it must be noted that in the
| future it is likely that more parties will have to connect to this
| server via an extra vpn.

Depending on the answer above, if you are not seeing returning packets,
check netstat -rn on the left server and check the routing table shows
the left-side subnet and that they are being routed through the correct


Version: GnuPG v1.2.5 (GNU/Linux)


Reply to: