Tonnerre LOMBARD wrote:
> Hi,
>
> I have a problem with direct connection of two servers using IPsec. The
> IKE key exchange always comes up, but then it seems that both the routing
> and the encryption go entirely wrong.
>
> The hosts exchange their internal addresses (10.16.1.1 and 10.1.1.1) as
> ID tokens for phase 2. However, if I try to ping 10.16.1.1 from
> 10.1.1.1, the packets go out the external interface - unencrypted.

Do you really do a "ping -I 10.1.1.1 10.16.1.1", or only a "ping 10.16.1.1"?
You must have 10.1.1.1 as the source IP. A normal ping on the gateway uses
the external IP as the source!

> If, however, I replace the ID tokens with the corresponding IP subnets
> (10.16.0.0/16 and 10.1.0.0/16), I get an even more weird effect:
>
> * 10.16.0.0/16 can communicate with 10.1.0.0/16 just fine
> * 10.1.0.0/16 can communicate with 10.16.0.0/16 just as well
> * 10.16.1.1 can not reach 10.1.0.0/16, however, people in 10.1.0.0/16 can
>   connect to 10.16.1.1 just fine
> * 10.1.1.1 can not reach 10.16.0.0/16, however, people in 10.16.0.0/16
>   can connect to 10.1.1.1 just fine

Sounds like the same problem :)

Ralph
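The point Ralph makes, as an added illustration that is not part of the thread: an outbound packet is only protected if its source and destination fall inside a phase-2 selector, and a ping the gateway itself originates without `-I` takes the source address of the interface the route to the peer leaves through, which is the external address. The script below models gateway A's outbound SPD for both of Tonnerre's configurations (host IDs and /16 subnet IDs) and shows why a plain ping from the gateway goes out in the clear while hosts in the LAN, and replies from the gateway to them, are fine. The external addresses 192.0.2.1 and 198.51.100.1, the LAN host 10.16.7.7 and the `pick_source` rule are assumptions for the example, not facts from the thread; the real source-address choice depends on the routing table.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed scenario (assumed, not from the thread): gateway A owns 10.1.1.1
# internally and 192.0.2.1 externally; gateway B owns 10.16.1.1 / 198.51.100.1.
A_INTERNAL, A_EXTERNAL = "10.1.1.1", "192.0.2.1"
B_INTERNAL, B_EXTERNAL = "10.16.1.1", "198.51.100.1"


@dataclass(frozen=True)
class Policy:
    """One outbound SPD entry on gateway A: traffic from src to dst must be ESP-protected."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


def policy(src: str, dst: str) -> Policy:
    return Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst))


# The two configurations from the thread, as seen from gateway A's outbound side.
HOST_SPD: List[Policy] = [policy("10.1.1.1/32", "10.16.1.1/32")]      # host IDs in phase 2
SUBNET_SPD: List[Policy] = [policy("10.1.0.0/16", "10.16.0.0/16")]    # subnet IDs in phase 2


def spd_lookup(spd: List[Policy], src: str, dst: str) -> str:
    """Outbound SPD check: the first matching selector wins, otherwise the packet
    bypasses IPsec and leaves the external interface unencrypted."""
    for p in spd:
        if p.matches(src, dst):
            return "encrypt"
    return "cleartext"


def pick_source(bind_ip: Optional[str]) -> str:
    """Simplified (assumed) model of source-address selection for a packet the
    gateway itself originates: 'ping -I <addr>' binds the given address; a plain
    'ping' takes the address of the interface the route to the peer leaves
    through, which on a gateway whose only route to the peer is the external
    link is the external IP."""
    return bind_ip if bind_ip else A_EXTERNAL


def ping_from_gateway(spd: List[Policy], dst: str,
                      bind_ip: Optional[str] = None) -> Tuple[str, str]:
    """Echo request that gateway A originates: returns (chosen source, SPD verdict)."""
    src = pick_source(bind_ip)
    return src, spd_lookup(spd, src, dst)


def reply_from_gateway(spd: List[Policy], request_src: str, request_dst: str) -> str:
    """An echo reply is sourced from the address the request was sent to, so a
    request that reached 10.1.1.1 is answered from 10.1.1.1 and that reply is
    checked against the same outbound SPD."""
    return spd_lookup(spd, request_dst, request_src)


if __name__ == "__main__":
    print("host IDs,   plain ping      :", ping_from_gateway(HOST_SPD, B_INTERNAL))
    print("host IDs,   ping -I 10.1.1.1:", ping_from_gateway(HOST_SPD, B_INTERNAL, A_INTERNAL))
    print("subnet IDs, plain ping      :", ping_from_gateway(SUBNET_SPD, "10.16.7.7"))
    print("subnet IDs, ping -I 10.1.1.1:", ping_from_gateway(SUBNET_SPD, "10.16.7.7", A_INTERNAL))
    print("subnet IDs, LAN host -> A   :", spd_lookup(SUBNET_SPD, "10.1.5.5", "10.16.7.7"))
    print("subnet IDs, A replies to LAN:", reply_from_gateway(SUBNET_SPD, "10.16.7.7", A_INTERNAL))
```

On the real gateway the same check is `ip route get 10.16.1.1`, which prints the `src` address the kernel would pick for a plain ping; if that is the external address, bind the internal one with `ping -I 10.1.1.1` or add a route to the remote subnet with an explicit `src 10.1.1.1`, so that gateway-originated traffic falls inside the selector.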

