[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Users] IPSec WinXP interop

Antony Gelberg wrote:
Right, I've upgraded to freeswan 2.01 from backports.org.  This was
because the 1.96 that I was using from Woody didn't recognise the
leftprotoport and rightprotoport commands.  I apt-got the source,
grepped, and sure enough they weren't there.  This leads me to believe
that the
But now I have a different problem.  Upon reboot (recompiled the kernel
with the 2.01 patch), I couldn't ssh in.  Doh!  I was just able to get
onsite, and there was a problem with the routing table.

Kernel IP routing table
Destination     Gateway         Genmask         Metric Ref    Use
localnet        *      0      0        0 eth1
localnet        *      0      0        0 ipsec0        *            0      0        0 eth0
default       0      0        0 ipsec0       0      0        0 ipsec0
default         0      0        0 eth1

What happens is that pings in or out cause the ipsec0 packet transmit
count to increase, and that's about it.  I had to /etc/init.d/stop ipsec
to get connectivity back.

I've googled a bit and don't see the answer.  Best I could come up with
was http://lists.virus.org/freeswan-0307/msg00363.html.  This states
that OE can cause freeswan to take over the default route.  But I don't
want OE, and I can't for the life of me work out how to switch it off.
I think it has something to do with the default policies that 1.96
didn't have, but I also can't work out how to switch them off.


Disabling Opportunistic Encryption

To disable OE (eg. policy groups and packetdefault), cut and paste the following lines to /etc/ipsec.conf:

conn block

conn private

conn private-or-clear

conn clear-or-private

conn clear

conn packetdefault



Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===

Reply to: