
more ipsec problems



Ok, I got ISAKMP working between the workstation in my office and my home
network. However, my topology doesn't seem to be working; perhaps someone can
suggest something. Here's the setup (external IPs have been changed to the 10.
network to protect against lurking kiddies :) ).

HOME:

user boxes -- Catalyst 2100 switch --- doors (OBSD 2.6) --- cable modem
192.168.60.x   192.168.60.1          192.168.60.254     10.0.1.1


WORK:
Inet connection --- internal network --- daemon (OBSD 2.6)
				    10.1.253.60


I have an isakmpd-organized ipsec tunnel between daemon and doors. I can reach
192.18.60.x from daemon and vice versa (through the tunnel). I have 10.0.253.x
addresses for each machine in 192.168.60.x and use ipnat to translate to the
internal addresses. After the tunnel is up for about 30 seconds or a minute,
some hosts become unreachable from daemon: some subnets in the 10.1.x.x
network are reachable, some are not. All in 10.1.253.x are reachable. Some
external (internet) hosts are reachable, but most are not.

I would like daemon to function the same when the tunnel is up as when it is
down. When the tunnel is up, connections to 10.1.253.x should forward down the
tunnel to the appropriate 192.168.60.x addresses. Most requests to external
addresses from the 192.168.60.x addresses should translate to 10.0.1.1.
Connections to certain addresses from 192.168.60.x should move down the tunnel
to be translated to 10.1.253.x addresses (e.g. quake servers, etc.; not many,
so these could be implemented as static routes on 192.168.60.254). NAT on doors
works fine (it has for a few months), so it is just the tunnel that is causing
problems. The ISAKMP setup I'm using is the sample one with IPs changed and
different crypto schemes used (Blowfish/small MD5, as doors is a 486dx4-100 so
it's not speedy).
------------------
Trevor R.H. Clarke                     Computer Science House
Rochester Institute of Technology      Systems Programmer for ISC
retrev@csh.rit.edu                     trcsys@rit.edu
http://www.csh.rit.edu/~retrev/        finger retrev@csh.rit.edu for PGP key