hello,
after configuring ipsec in ip4 I can not ping between client and server, whereas I had a successful ping before configuration!
I also generated different keys for AH and ESP, as I have shown below.
what is my problem and what should I do to have ping and test the configuration?
code:
Moderator's Comments:
code tags for code, please.
Last edited by Corona688; 03-26-2012 at 12:34 PM..
Hello! I have some trouble trying to configure a VPN with two gateways. One of them uses IPSec with a single key, 256 bits in length, specified in /etc/ipsec.secrets. As the FreeSwan manual page says, if I put esp=3des-md5-96, will be used a "64bit IV key (internally generated), a 192bit 3des ekey and a... (3 Replies)
Hi,
does anyone have experience of how many IPSec tunnels Solaris 10 is able to manage? A rough estimate would be great.
I know it's heavily dependent on the hardware used, so if anyone says on a 490 with 2 CPUs and 4GB RAM a maximum of 1000 IPSec tunnels is possible, that would be great.
I... (1 Reply)
Hi,
I am facing a problem while setting up ISAKMP between two hosts.
I can see only the Initiator messages but no responder messages in tcpdump. Does anyone know the cause of this behaviour?
FYI, here is the extracted information from tcpdump:
14:47:08.699113 IP 10.118.231.143.isakmp >... (0 Replies)
Hello,
I'm trying to setup a gateway VPN between two routers across an unsecured network between two local networks. The routers are both linux and I'm using the ipsec tools, racoon and setkey. So far hosts from either local net can successfully ping hosts on the other local net without issue.
... (0 Replies)
Hi,
I am trying to set a policy between 2 machines for all the ports except for 22 i.e. for tcp - basically I want to bypass ssh. But my policy doesn't seem to work. Here are the entries
spdadd 1.2.3.4 4.3.2.1 any -P out prio 100 ipsec esp/transport//require ah/transport//require;
spdadd... (0 Replies)
Hi, this is my first post...:p
Hello Admin :)
Can I ask something about my configuration?
I have finished some kind of tutorial to build ipsec site to site, and the "step" has finished completely.
I have a simulation with a local design topology with two PC's (FreeBSD ... (0 Replies)
Hi Guys,
Please could you tell me if it is possible to have a single rule/filter to allow a certain port range instead of a separate rule for each port?
I'm sure it must be possible but I am unable to find the syntax.
Thanks
Chris (4 Replies)
Hi all,
I have installed Openswan and configured IPSec and it works perfectly, but for some unknown reason it stopped working. I see that the tunnels are up and established. The routes to the destination are added. Everything by the book seems to be ok. But somehow when I start to ping the other side (... (4 Replies)
I want a lan encrypted with ipsec.
This is my /etc/inet/ike/config
p1_xform
{ auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes }
p2_pfs 2
this is my /etc/inet/secret/ike.preshared
# ike.preshared on hostA, 192.168.0.21
#...
{ localidtype IP
localid... (1 Reply)
Discussion started by: Linusolaradm1
1 Replies
aggregate
AGGREGATE(1) General Commands Manual AGGREGATE(1)
NAME
aggregate - optimise a list of route prefixes to help make nice short filters
SYNOPSIS
aggregate [-m max-length] [-o max-opt-length] [-p default-length] [-q] [-t] [-v]
DESCRIPTION
Takes a list of prefixes in conventional format on stdin, and performs two optimisations to attempt to reduce the length of the prefix list.
The first optimisation is to remove any supplied prefixes which are superfluous because they are already included in another supplied prefix. For example, 203.97.2.0/24 would be removed if 203.97.0.0/17 was also supplied.
The second optimisation identifies adjacent prefixes that can be combined under a single, shorter-length prefix. For example, 203.97.2.0/24 and 203.97.3.0/24 can be combined into the single prefix 203.97.2.0/23.
OPTIONS
-m max-length
Sets the maximum prefix length for entries read from stdin to max-length bits. The default is 32. Prefixes with longer lengths will be discarded prior to processing.
-o max-opt-length
Sets the maximum prefix length for optimisation to max-opt-length bits. The default is 32. Prefixes with longer lengths will not be subject to optimisation.
-p default-length
Sets the default prefix length. There is no default; without this option a prefix without a mask length is treated as invalid. Use -p 32 -m 32 -o 32 to aggregate a list of host routes specified as bare addresses, for example.
-q Sets quiet mode -- instructs aggregate never to generate warning messages or other output on stderr.
-t Silently truncate prefixes that seem to have an inconsistent prefix: e.g. an input prefix 203.97.2.226/24 would be truncated to 203.97.2.0/24. Without this option an input prefix 203.97.2.226/24 would not be accepted, and a warning about the inconsistent mask would be generated.
-v Sets verbose mode. This changes the output format to display the source line number that the prefix was obtained from, together with a preceding "-" to indicate a route that can be suppressed, or a "+" to indicate a shorter-prefix aggregate that was added by aggregate as an adjacency optimisation. Note that verbose output continues even if -q is selected.
DIAGNOSTICS
Aggregate exits 0 on success, and >0 if an error occurs.
EXAMPLES
The following list of prefixes:
193.58.204.0/22
193.58.208.0/22
193.193.160.0/22
193.193.168.0/22
193.243.164.0/22
194.126.128.0/22
194.126.132.0/22
194.126.134.0/23
194.151.128.0/19
195.42.240.0/21
195.240.0.0/16
195.241.0.0/16
is optimised as follows by aggregate (output shown using the -v flag):
aggregate: maximum prefix length permitted will be 24
[ 0] + 193.58.204.0/21
[ 1] - 193.58.204.0/22
[ 2] - 193.58.208.0/22
[ 3] 193.193.160.0/22
[ 4] 193.193.168.0/22
[ 5] 193.243.164.0/22
[ 0] + 194.126.128.0/21
[ 6] - 194.126.128.0/22
[ 7] - 194.126.132.0/22
[ 8] - 194.126.134.0/23
[ 9] 194.151.128.0/19
[ 10] 195.42.240.0/21
[ 0] + 195.240.0.0/15
[ 11] - 195.240.0.0/16
[ 12] - 195.241.0.0/16
Note that 193.58.204.0/22 and 193.58.208.0/22 were combined under the single prefix 193.58.204.0/21, and 194.126.134.0/23 was suppressed because it was included in 194.126.132.0/22. The number in square brackets at the beginning of each line indicates the original line number, or zero for new prefixes that were introduced by aggregate.
The output without the -v flag is as follows:
193.58.204.0/21
193.193.160.0/22
193.193.168.0/22
193.243.164.0/22
194.126.128.0/21
194.151.128.0/19
195.42.240.0/21
195.240.0.0/15
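The two optimisations from DESCRIPTION carried through in code, as an added example that is not part of aggregate(1) or its sources (function names parse_prefixes, aggregate and aggregate_text are my own). It enforces the bit-boundary rule mentioned in HISTORY, so unlike the older listing above it leaves 193.58.204.0/22 and 193.58.208.0/22 separate: they lie in different /21 parents (193.58.200.0/21 and 193.58.208.0/21).

```python
import ipaddress

# Constructed input: the prefix list from the EXAMPLES section above.
EXAMPLE_INPUT = """193.58.204.0/22 193.58.208.0/22 193.193.160.0/22 193.193.168.0/22
193.243.164.0/22 194.126.128.0/22 194.126.132.0/22 194.126.134.0/23
194.151.128.0/19 195.42.240.0/21 195.240.0.0/16 195.241.0.0/16"""


def parse_prefixes(text, max_length=32, truncate=False):
    """Read whitespace-separated prefixes; max_length is -m, truncate is -t.
    Without truncate, a prefix with host bits set (203.97.2.226/24) raises,
    where aggregate(1) would print a warning and reject it."""
    nets = []
    for token in text.split():
        try:
            net = ipaddress.IPv4Network(token, strict=not truncate)
        except ValueError as exc:
            raise ValueError(f"inconsistent or malformed prefix: {token}") from exc
        if net.prefixlen <= max_length:      # -m: longer prefixes are discarded
            nets.append(net)
    return nets


def aggregate(nets, max_opt_length=32):
    """Both optimisations from DESCRIPTION; prefixes longer than -o pass through."""
    fixed = [n for n in nets if n.prefixlen > max_opt_length]
    work = {n for n in nets if n.prefixlen <= max_opt_length}
    # Optimisation 1: drop any prefix already covered by another supplied one.
    work = {n for n in work if not any(n != o and n.subnet_of(o) for o in work)}
    # Optimisation 2: replace both halves of an aligned parent by the parent.
    # supernet() is always the aligned parent, so 193.58.204.0/22 (parent
    # 193.58.200.0/21) and 193.58.208.0/22 (parent 193.58.208.0/21) never merge.
    merged = True
    while merged:
        merged = False
        for n in sorted(work):
            parent = n.supernet()
            halves = set(parent.subnets(prefixlen_diff=1)) if parent != n else set()
            if halves and halves <= work:
                work = (work - halves) | {parent}
                merged = True
                break
    return sorted(fixed + list(work))


def aggregate_text(text, max_length=32, max_opt_length=32, truncate=False):
    """Prefix text in, aggregated prefix strings out, like running aggregate."""
    nets = parse_prefixes(text, max_length, truncate)
    return [str(n) for n in aggregate(nets, max_opt_length)]
```

Running aggregate_text(EXAMPLE_INPUT) gives nine prefixes: 194.126.134.0/23 is suppressed, 194.126.128.0/21 and 195.240.0.0/15 are merged, and the two 193.58.x prefixes stay as supplied.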
SEE ALSO
aggregate-ios(1)
HISTORY
Aggregate was written by Joe Abley <jabley@mfnx.net>, and has been reasonably well tested. It is suitable for reducing customer prefix filters for production use without extensive hand-proving of results.
Autoconf bits were donated by Michael Shields <michael.shields@mfn.com>. The -t option was suggested by Robin Johnson <robbat2@fermi.orbis-terrarum.net>, and the treatment of leading zeros on octet parsing was changed following comments from Arnold Nipper <arnold@nipper.de>.
An early version of aggregate would attempt to combine adjacent prefixes regardless of whether the first prefix lay on an appropriate bit boundary or not (pointed out with great restraint by Robert Noland <rnoland@2hip.net>).
BUGS
Common unix parsing of IPv4 addresses understands the representation of individual octets in octal or hexadecimal, following a "0" or "0x" prefix, respectively. That convention has been deliberately disabled here, since resources such as the IRR do not follow the convention, and confusion can result.
For extremely sensitive applications, judicious use of the -v option together with a pencil and paper is probably advisable.
Joe Abley 2001 November 2 AGGREGATE(1)