
Exclude service from IPSec, using ipsec-tools



Hi All,

I'm trying to set up a VPN between a Linux box (CentOS 4) and Check
Point FW-1 (NGX R65), and I have actually already done this. However, I'm
having a problem with policy "none" when using ports. For example, I
want to exclude the "ssh" service from the VPN, so my commands to setkey were:

# Excluded services ssh
spdadd 172.20.0.0/16[any] 172.16.0.0/16[22] tcp -P out none ;
spdadd 172.16.0.0/16[22] 172.20.0.0/16[any] tcp -P in none ;
spdadd 172.20.0.0/16[22] 172.16.0.0/16[any] tcp -P out none ;
spdadd 172.16.0.0/16[any] 172.20.0.0/16[22] tcp -P in none ;


spdadd 172.20.14.168 172.16.0.0/16 any -P out ipsec
esp/tunnel/192.168.80.33-192.168.80.129/require ;

spdadd 172.16.0.0/16 172.20.14.168 any -P in ipsec
esp/tunnel/192.168.80.129-192.168.80.33/require ;


spdadd 172.20.14.168 172.17.0.0/16 any -P out ipsec
esp/tunnel/192.168.80.33-192.168.80.129/require ;

spdadd 172.17.0.0/16 172.20.14.168 any -P in ipsec
esp/tunnel/192.168.80.129-192.168.80.33/require ;


Note that at this time I'm just making a VPN to one host on the remote
location (172.20.14.168). The problem is that when I use the policy to
exclude ssh, the machines from the 172.16/16 network are unable to connect
to the remote host, and racoon says:
2007-09-14 09:48:14: DEBUG: suitable SP found:172.20.14.168/32[0]
172.16.0.0/16[0] proto=any dir=out
2007-09-14 09:48:14: ERROR: policy found, but no IPsec required:
172.20.14.168/32[0] 172.16.0.0/16[0] proto=any dir=out

So I can't understand what the problem is. Is there some mistake in my config?

Thanks in advance,

Klaubert
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
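As an added example (not part of the original post or of ipsec-tools), here is a small Python model of SPD selector matching that parses `spdadd` lines in the format used above and lists every policy entry that matches a given flow. It is useful for spotting flows covered by both a "none" and an "ipsec" entry, which is exactly the situation the ssh exclusions above create: the reply traffic 172.20.14.168:22 -> 172.16.x.x and the inbound connections 172.16.x.x -> 172.20.14.168:22 are matched by one of the "none" entries and by the tunnel entry. The model deliberately does not decide which entry the kernel applies; that depends on policy priority, which has to be checked on the real host with `setkey -DP`. The sample SPD text and the flows are constructed from the post (the 172.17.0.0/16 tunnel pair is left out for brevity).

```python
"""Parse setkey 'spdadd' lines and list which SPD entries match a flow.

Added example, not code from the original post or from ipsec-tools. It
enumerates matching entries in file order only; it does NOT reproduce the
kernel's priority-based choice between overlapping entries (assumption:
that must be verified on the real host with `setkey -DP`).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample SPD, taken from the post's setkey commands
# (the 172.17.0.0/16 tunnel pair is omitted for brevity).
SPD_TEXT = """
spdadd 172.20.0.0/16[any] 172.16.0.0/16[22] tcp -P out none ;
spdadd 172.16.0.0/16[22] 172.20.0.0/16[any] tcp -P in none ;
spdadd 172.20.0.0/16[22] 172.16.0.0/16[any] tcp -P out none ;
spdadd 172.16.0.0/16[any] 172.20.0.0/16[22] tcp -P in none ;
spdadd 172.20.14.168 172.16.0.0/16 any -P out ipsec esp/tunnel/192.168.80.33-192.168.80.129/require ;
spdadd 172.16.0.0/16 172.20.14.168 any -P in ipsec esp/tunnel/192.168.80.129-192.168.80.33/require ;
"""

# One spdadd statement: src[port] dst[port] proto -P dir action [request] ;
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+?)(?:\[(?P<sport>\w+)\])?\s+"
    r"(?P<dst>\S+?)(?:\[(?P<dport>\w+)\])?\s+"
    r"(?P<proto>\w+)\s+-P\s+(?P<dir>in|out|fwd)\s+(?P<action>\w+)"
    r"(?P<request>.*?)\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    sport: Optional[int]   # None means [any] or an omitted port selector
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    proto: str             # "tcp", "udp", "any", ...
    direction: str         # "in", "out" or "fwd"
    action: str            # "none", "ipsec" or "discard"
    request: str           # e.g. "esp/tunnel/a-b/require", "" for none


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str


def _port(text: Optional[str]) -> Optional[int]:
    """Translate a bracketed port selector; [any] and no selector mean any."""
    return None if text in (None, "any") else int(text)


def parse_spd(text: str) -> List[Policy]:
    """Parse every spdadd statement in `text`, keeping file order."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        policies.append(Policy(
            src=ipaddress.ip_network(m["src"], strict=False),  # host -> /32
            sport=_port(m["sport"]),
            dst=ipaddress.ip_network(m["dst"], strict=False),
            dport=_port(m["dport"]),
            proto=m["proto"],
            direction=m["dir"],
            action=m["action"],
            request=m["request"].strip(),
        ))
    return policies


def matches(p: Policy, f: Flow) -> bool:
    """True if every selector of policy `p` covers flow `f`."""
    return (p.direction == f.direction
            and p.proto in ("any", f.proto)
            and ipaddress.ip_address(f.src) in p.src
            and ipaddress.ip_address(f.dst) in p.dst
            and p.sport in (None, f.sport)
            and p.dport in (None, f.dport))


def matching_policies(policies: List[Policy], flow: Flow) -> List[Policy]:
    """All SPD entries whose selectors cover `flow`, in SPD order."""
    return [p for p in policies if matches(p, flow)]


def actions_for(policies: List[Policy], flow: Flow) -> List[str]:
    """Distinct actions of the matching entries; more than one means the
    flow sits under conflicting policies and the kernel's priority decides."""
    seen: List[str] = []
    for p in matching_policies(policies, flow):
        if p.action not in seen:
            seen.append(p.action)
    return seen


if __name__ == "__main__":
    spd = parse_spd(SPD_TEXT)
    # Constructed flows: an ssh reply leaving the Linux box, and plain HTTP.
    for flow in (Flow("172.20.14.168", 22, "172.16.1.10", 40000, "tcp", "out"),
                 Flow("172.20.14.168", 33000, "172.16.1.10", 80, "tcp", "out")):
        print(flow, "->", actions_for(spd, flow))
```

Running the block prints `['none', 'ipsec']` for the ssh reply and `['ipsec']` for the HTTP flow. A flow that reports two actions is the one to look at: both entries are valid candidates, and only the kernel's policy priority (visible in the `setkey -DP` dump) tells you which one wins.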
