Here's my current setup:
(Home Computer, IP=192.168.1.2)
|
(Internal Interface, IP=192.168.1.1)
(ASL 4.020 doing DNAT and SNAT)
(External Interface, static IP=x.x.x.x)
|
(Internet)
|
(remote Linux server running FreeS/WAN 2.04, static IP=y.y.y.y)
I would like to establish a tunnel between x.x.x.x and y.y.y.y so that the only traffic between the two is UDP and ESP. I want the IPSec tunnel to look like a host-to-host tunnel (in other words, I would like to have the IPSec tunnel start after all SNAT has been done for packets going from my home computer to the remote server. That way the remote server can't see all the machines inside my internal network).
The IPSec connection in ASL is defined like this:
Type=Standard
IPSec Policy=3DES_PFS_COMP
Local Endpoint=External interface
Remote Endpoint=y.y.y.y/32
Local Subnet=::None::
Remote Subnet=::None::
Key=RSA public key for y.y.y.y
ipsec.conf on y.y.y.y looks like this:
conn tohome
    type=tunnel
    left=x.x.x.x
    right=y.y.y.y
    rightnexthop=(default gateway for y.y.y.y)
    keyexchange=ike
    auto=start
    authby=rsasig
    leftid=@hostname.for.x.x.x.x
    rightid=@hostname.for.y.y.y.y
    leftrsasigkey=(public rsa key goes here)
    rightrsasigkey=(public rsa key goes here)
    pfs=yes
    keylife=3600
    ikelifetime=7800
    compress=yes
The IPSec tunnel seems to establish without problems (the logs on both sides don't show any errors), but once the tunnel is up I can't ping y.y.y.y from x.x.x.x (and vice versa). I can ping if the tunnel is taken down.
Oddly, when the tunnel is up, if I ping from my home machine 192.168.1.2, the ping request shows up at y.y.y.y outside of the tunnel (the ICMP packet isn't embedded in an ESP packet). If I ping from the ASL box, the packet is embedded in an ESP packet. However, no matter which machine I ping from, I never get a reply from y.y.y.y (nothing ever leaves eth0 on y.y.y.y) as long as the tunnel is up.
Is this a routing issue? How would I fix it?
Thanks in advance!
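As an added illustration (not code from the post, nor from ASL or FreeS/WAN), the script below parses FreeS/WAN-style conn sections and reports which packets a tunnel's selectors would cover. It assumes the policy lookup sees a packet's source address as it is before SNAT, which is consistent with what the post observes, and uses documentation addresses in place of x.x.x.x and y.y.y.y; the second conn with a leftsubnet is hypothetical and only shows how a subnet selector changes the outcome.

```python
import ipaddress
import re
# Constructed ipsec.conf modelled on the post: 198.51.100.10 stands in for
# x.x.x.x (the ASL box) and 203.0.113.20 for y.y.y.y (the FreeS/WAN server).
# The second conn is not from the post; it adds a subnet selector for contrast.
IPSEC_CONF = """\
conn tohome
    type=tunnel
    left=198.51.100.10
    right=203.0.113.20
conn tohome-subnet
    type=tunnel
    left=198.51.100.10
    leftsubnet=192.168.1.0/24   # hypothetical: covers the whole home LAN
    right=203.0.113.20
"""

def parse_ipsec_conf(text):
    """Parse indented 'conn NAME' sections into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                      # unindented: section header
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def selectors(conn):
    """Selectors a conn implies: the *subnet if set, else the endpoint as a /32."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"), strict=False)
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"), strict=False)
    return left, right

def disposition(conn, src, dst):
    """'esp' if src/dst match the selectors in either direction, else 'clear'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)   # assumption: src is pre-SNAT
    left, right = selectors(conn)
    return "esp" if (s in left and d in right) or (s in right and d in left) else "clear"

CONNS = parse_ipsec_conf(IPSEC_CONF)
if __name__ == "__main__":
    for name, conn in CONNS.items():
        for src in ("192.168.1.2", "198.51.100.10"):
            print(f"{name}: {src} -> 203.0.113.20 leaves as {disposition(conn, src, '203.0.113.20')}")
```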