Hi Bjorn,
I agree with the strength of Linux.
I haven't got a firewall running at the moment because of the testing.
I will attach the output file of a couple of ipsec commands (look, whack --status, and barf) from the road warrior machine.
Your help and time are much appreciated. The bummer is that at the moment there seems to be a bug in the subscription to the freeswan mailing list, which does not allow me to subscribe.

Hope this helps.
=============================================================

devil  Thu Nov 28 15:09:10 GMT 2002
62.137.60.176/32   -> 128.0.0.0/16       => tun0x1002@217.33.203.132 esp0x961da59@217.33.203.132  (0)
ipsec0->ppp0 mtu=16260(1500)->1500
esp0x961da59@217.33.203.132 ESP_3DES_HMAC_MD5: dir=out src=62.137.60.176 iv_bits=64bits iv=0x0344f570573b464d ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(173,0,0)
esp0xfb787aeb@62.137.60.176 ESP_3DES_HMAC_MD5: dir=in  src=217.33.203.132 iv_bits=64bits iv=0x0a24fb1ee77907b8 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(173,0,0)
tun0x1001@62.137.60.176 IPIP: dir=in  src=217.33.203.132 life(c,s,h)=addtime(173,0,0)
tun0x1002@217.33.203.132 IPIP: dir=out src=62.137.60.176 life(c,s,h)=addtime(173,0,0)
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         195.92.66.125   0.0.0.0         UG       40 0          0 ppp0
128.0.0.0       195.92.66.125   255.255.0.0     UG       40 0          0 ipsec0
195.92.66.125   0.0.0.0         255.255.255.255 UH       40 0          0 ipsec0
195.92.66.125   0.0.0.0         255.255.255.255 UH       40 0          0 ppp0
000 interface ipsec0/ppp0 62.137.60.176
000 
000 "devil-zara": 62.137.60.176[@devil.iosystems.co.uk]---195.92.66.125...217.33.203.132[@iort3.iosystems.co.uk]===128.0.0.0/16
000 "devil-zara":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "devil-zara":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: ppp0; erouted
000 "devil-zara":   newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
000 
000 #2: "devil-zara" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27656s; newest IPSEC; eroute owner
000 #2: "devil-zara" esp.961da59@217.33.203.132 esp.fb787aeb@62.137.60.176 tun.1002@217.33.203.132 tun.1001@62.137.60.176
000 #1: "devil-zara" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2630s; newest ISAKMP
000 
devil

----------------------------------------------------------------------------

+ cat /proc/version
Linux version 2.4.19-xfs (root@linux) (gcc version 2.95.3 20010315 (release)) #2 Sat Aug 31 09:15:43 EST 2002
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
0          62.137.60.176/32   -> 128.0.0.0/16       => tun0x1002@217.33.203.132
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
195.92.66.125   0.0.0.0         255.255.255.255 UH       40 0          0 ppp0
195.92.66.125   0.0.0.0         255.255.255.255 UH       40 0          0 ipsec0
128.0.0.0       195.92.66.125   255.255.0.0     UG       40 0          0 ipsec0
10.20.0.0       0.0.0.0         255.255.0.0     U        40 0          0 eth0
0.0.0.0         195.92.66.125   0.0.0.0         UG       40 0          0 ppp0
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
tun0x1002@217.33.203.132 IPIP: dir=out src=62.137.60.176 life(c,s,h)=addtime(252,0,0)
tun0x1001@62.137.60.176 IPIP: dir=in  src=217.33.203.132 life(c,s,h)=addtime(252,0,0)
esp0x961da59@217.33.203.132 ESP_3DES_HMAC_MD5: dir=out src=62.137.60.176 iv_bits=64bits iv=0x0344f570573b464d ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(252,0,0)
esp0xfb787aeb@62.137.60.176 ESP_3DES_HMAC_MD5: dir=in  src=217.33.203.132 iv_bits=64bits iv=0x0a24fb1ee77907b8 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(252,0,0)
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1002@217.33.203.132 esp0x961da59@217.33.203.132
tun0x1001@62.137.60.176 esp0xfb787aeb@62.137.60.176
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
    sock   pid   socket     next     prev e n p sndbf    Flags     Type St
c47a0b50  2867 c712c1d4        0        0 0 0 2 65535 00000000        3  1

---------------------------------------------------------------------------------------------------------

+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:-1
debug_eroute:-1
debug_esp:-1
debug_ipcomp:-1
debug_netlink:2147483647
debug_pfkey:-1
debug_radij:-1
debug_rcv:-1
debug_spi:-1
debug_tunnel:-1
debug_verbose:0
debug_xform:-1
icmp:1

--------------------------------------------------------------------------------------

+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=ppp0
routephys=ppp0
routevirt=ipsec0
routevirt=ipsec0
routeaddr=62.137.60.176
routeaddr=62.137.60.176
routenexthop=195.92.66.125
routenexthop=195.92.66.125
defaultroutephys=ppp0
defaultroutevirt=ipsec0
defaultrouteaddr=62.137.60.176
defaultroutenexthop=195.92.66.125
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.



# basic configuration
config setup
      # THIS SETTING MUST BE CORRECT or almost nothing will work;
      # %defaultroute is okay for most simple cases.
      interfaces=%defaultroute
      # Debug-logging controls:  "none" for (almost) none, "all" for lots.
      klipsdebug=all
      plutodebug=all
      # Use auto= parameters in conn descriptions to control startup actions.
      plutoload=%search
      plutostart=%search
      # Close down old connection when new one using same ID shows up.
      uniqueids=yes



# defaults for subsequent connection descriptions
#conn %default
      #Use RSA based authentication with certificates
      #how persistent to be in (re)keying negotiations (0 means very)
#      keyingtries=3
      #How to authenticate gateways
#      authby=rsasig
#      auto=start

#Devil-Zara tunnel
#The network here looks like:
#      leftsubnet=======left--------leftnexthop....Dynamic IP.
#If left and right are on the same Ethernet, omit leftnexthop and rightnexthop.
conn devil-zara
      #How to authenticate gateways
      authby=rsasig
      #Identity we use in authentication exchanges
      leftid=@iort3.iosystems.co.uk
      leftrsasigkey=[keyid AQPzAZLjs]
      #left security gateway (public network address)
      left=217.33.203.132
      #next hop to reach right
     
     
     
      #subnet behind left (leave out if there is no subnet)
      leftsubnet=128.0.0.0/16
      #right s.g., subnet behind it, plus next hop to reach left
      right=%defaultroute
      #Any address provided authentication works
      rightid=@devil.iosystems.co.uk
      # RSA 2048 bits   devil   Mon Nov  4 17:28:37 2002
      rightrsasigkey=[keyid AQNYylH25]
      auto=add
        #No retry if IP connectivity is gone
        keyingtries=3

 
 
 
-----Original Message-----
From: devil-linux-discuss-admin@lists.sourceforge.net [mailto:devil-linux-discuss-admin@lists.sourceforge.net] On Behalf Of Bjørn Rasmussen
Sent: 28 November 2002 15:56
To: devil-linux-discuss@lists.sourceforge.net
Subject: RE: [Devil-Linux-discuss] ipsec connection problem

I agree, I've also got great help from Sam.

The great strength of Linux and Open Source is its functionality. This has to complicate things, and is at the same time the downside. That's why administrators and advanced users love Linux, there's always a solution to a problem. Windows is easy if it works. If not, you've a nightmare.

The ping problem: Firewall rules? Is there a specific tunnel for that subnet?

Again: You can include a copy of your ipsec.conf files.
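A check for Bjørn's question ("is there a specific tunnel for that subnet?") against the eroute and whack --status output posted above, written as an added example that is not from this thread or from FreeS/WAN: it parses the eroute table to decide whether a given src/dst pair would be carried by an SA, and parses the whack state lines to confirm both phases completed. The sample lines are copied from the posted output; the set of "final" state names is my assumption (Main Mode initiator/responder and Quick Mode initiator/responder).

```python
import ipaddress
import re

# Sample input constructed from the eroute and whack --status lines posted above.
EROUTE_OUTPUT = "0          62.137.60.176/32   -> 128.0.0.0/16       => tun0x1002@217.33.203.132\n"
WHACK_STATUS = """\
000 #2: "devil-zara" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27656s; newest IPSEC; eroute owner
000 #1: "devil-zara" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2630s; newest ISAKMP
"""

# eroute line: [count] src/len -> dst/len => said  (the count appears only in /proc/net/ipsec_eroute)
EROUTE_RE = re.compile(r"(?:\d+\s+)?(?P<src>\S+/\d+)\s+->\s+(?P<dst>\S+/\d+)\s+=>\s+(?P<sa>\S+)")
# whack --status state line: 000 #<n>: "<conn>" STATE_xxx (...)
STATE_RE = re.compile(r'^000 #\d+: "(?P<conn>[^"]+)" (?P<state>STATE_\w+)')
# Assumed final states: Main Mode initiator/responder and Quick Mode initiator/responder.
ISAKMP_DONE = {"STATE_MAIN_I4", "STATE_MAIN_R3"}
IPSEC_DONE = {"STATE_QUICK_I2", "STATE_QUICK_R2"}

def parse_eroutes(text):
    """Return (src_net, dst_net, sa) tuples from 'ipsec look' / ipsec_eroute output."""
    out = []
    for line in text.splitlines():
        m = EROUTE_RE.search(line)
        if m:
            out.append((ipaddress.ip_network(m["src"], strict=False), ipaddress.ip_network(m["dst"], strict=False), m["sa"]))
    return out

def eroute_for(eroutes, src, dst):
    """SA that would carry src->dst, or None: the packet then leaves in the clear via
    the normal routing table, the first thing to rule out when a tunnel ping fails."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, sa in eroutes:
        if s in src_net and d in dst_net:
            return sa
    return None

def sa_states(text):
    """Map connection name -> set of STATE_* values seen in 'ipsec whack --status'."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            states.setdefault(m["conn"], set()).add(m["state"])
    return states

def tunnel_ready(text, conn):
    """True when the connection has both an established ISAKMP SA and an IPsec SA."""
    st = sa_states(text).get(conn, set())
    return bool(st & ISAKMP_DONE) and bool(st & IPSEC_DONE)
```

For the posted output, a ping from 62.137.60.176 to a 128.0.x.x address maps to tun0x1002, while a ping to the local 10.20.0.0/16 LAN maps to no eroute and never enters the tunnel.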