From: Matthew G. <mg...@sh...> - 2007-05-03 13:26:10
Igor Smitran wrote:
> Can anyone help me with this:
>
> server setup:
>
> public ip 217.xxx.xxx.5
> local ip 192.168.200.1
>
> racoon.conf:
>
>     path certificate "/etc/racoon/certs";
>
>     # option of controlling racoon by racoonctl tool is disabled
>     listen {
>         adminsock disabled;
>     }
>
>     # remote section . anonymous address of roadwarrior client
>     remote anonymous {
>         exchange_mode aggressive,main;
>         my_identifier asn1dn;
>         certificate_type x509 "key.pem" "key-dec.key";
>         proposal_check obey;
>         generate_policy on;
>         verify_cert on;
>         nat_traversal on;
>         dpd_delay 20;
>         ike_frag on;
>         initial_contact on;
>         proposal {
>             encryption_algorithm aes;
>             hash_algorithm md5;
>             authentication_method hybrid_rsa_server;
>             dh_group 2;
>         }
>     }
>
>     mode_cfg {
>         pool_size 253;
>         auth_source radius;    # login validated against RADIUS
>         conf_source radius;    # IPv4 address obtained by RADIUS
>         accounting radius;     # RADIUS accounting
>         dns4 192.168.200.1;
>         wins4 192.168.200.1;
>         #banner "/etc/racoon/motd";
>         save_passwd on;
>     }
>
>     sainfo anonymous {
>         pfs_group 2;
>         lifetime time 2147483 seconds;
>         encryption_algorithm aes;
>         authentication_algorithm hmac_md5;
>         compression_algorithm deflate;
>     }
>
> Clients get an IP address from RADIUS and it is from 192.168.201.0/24.
>
> I am able to connect with the Cisco VPN client and to ping the internal LAN. But I
> am losing the internet connection; I can't make a split tunnel with the Cisco VPN
> client. Does anyone know how to tell the Cisco VPN client to use the IPsec tunnel
> only for some addresses and for the rest to use the default gateway? I know this
> is less secure, but I have to do it that way :(
>
> Second problem:
> I am able to connect to the server with the latest Shrew Soft beta (also tried with
> 1.1.0 stable) but I can't ping the IPsec server. I think it is because of
> security policies but I have tried a lot of combinations and nothing works.
> Can anyone tell me some magic? :)
>
> I am connecting from a NATed computer, but I have also tried connecting from a
> public IP and it is the same :(
>
> Thank you,
> Igor
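As an added illustration (not part of the original post, and not the ipsec-tools project's own sample configuration), this is the mode_cfg block from the quoted racoon.conf with a server-pushed split-tunnel list added through racoon's split_network directive. It assumes a racoon build whose racoon.conf(5) documents split_network (ipsec-tools 0.7 or later), and that the client honours the split-include attribute it receives; the networks listed are taken from the addressing in the post.

```conf
# mode_cfg section of racoon.conf with split tunnelling pushed from the server.
# Assumptions: racoon supports the split_network directive (ipsec-tools 0.7+),
# and the mode-config client applies the split-include list it is sent.
mode_cfg {
    pool_size 253;
    auth_source radius;     # login validated against RADIUS
    conf_source radius;     # IPv4 address assigned by RADIUS
    accounting radius;      # RADIUS accounting
    dns4 192.168.200.1;
    wins4 192.168.200.1;
    save_passwd on;

    # Only traffic to the networks listed here is sent through the tunnel;
    # everything else leaves through the client's own default gateway.
    # 192.168.200.0/24 is the server's LAN from the post; 192.168.201.0/24 is
    # the client pool RADIUS hands out (assumed to be a /24 as in the post).
    split_network include 192.168.200.0/24, 192.168.201.0/24;
}
```

The rest of the configuration (listen, remote anonymous, sainfo anonymous) stays as posted; with the "include" form the tunnel policy on the client is limited to the listed prefixes, so a client address in 192.168.201.0/24 still reaches the LAN and the gateway's local address 192.168.200.1 while other destinations bypass the tunnel.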