Progress! I'm no longer sad! But I have SAD - both sides.

However, I still can't get anything through the tunnel so I'm still a little down (haha) - what did I miss?

My home network is 192.168.99.x, work is 10.0.0.x and those subnets (/24 each) are the endpoints to the tunnel. Pinging 10.0.0.1 (a Cisco) fails from both m0n0 itself and my own cpu.

Do I need to add a route (I thought the tunnel did that automagically)??

Do I need to further modify firewall rules? (thought IPSEC was transparent...?)

Here's the happier SAD

* SAD

Source          Destination     Protocol  SPI       Enc. alg.     Auth. alg.
64.81.245.97    64.81.53.41     ESP       0105023b  blowfish-cbc  hmac-md5
64.81.53.41     64.81.245.97    ESP       0c89c8ff  blowfish-cbc  hmac-md5

TIA, and maybe I'll hit the wiki up with some more 'how to troubleshoot' on this.

-Keith

________________________________

From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Fri 1/21/2005 2:29 PM
To: Keith Redfield
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] m0n0 <==> m0n0 IPSEC VPN - diagnosing

On Thu, 20 Jan 2005 23:36:07 -0800, Keith Redfield <kredfield at airsurfwireless dot com> wrote:
>
> Just want to clarify- if my SAD is empty I should be sad, right? (no VPN)
> :)

yes, that's correct.

> I think I typo'd the remote subnet entry on the other side. Is that enough to kill the relationship entirely?
>

I don't believe that specific part would, but it might. You almost certainly have something mismatched.

-Chris