This is Nakamura.

Hmm, the default policy of iptables is DENY, isn't it?
If so, I think you won't be able to communicate unless you open up ipsec0.

iptables -A INPUT -i ipsec0 -j ACCEPT
iptables -A OUTPUT -o ipsec0 -j ACCEPT

That's all.

On Tue, 11 Nov 2003 17:34:43 +0900
"MiwaYoneda" <y_or_iy_or_i@xxxxxxxxxxx> wrote:

> Hello, my name is MiwaYoneda. I would appreciate your help.
>
>
>   Win2k(192.168.2.102)
>    |
>   eth0(192.168.2.2)
>   RedHat9
>   ppp0
>    |
>   ADSL modem
>    |(↑ office side)
>    |
>   WAN
>    |
>    |(↓ home side)
>   ADSL modem
>    |
>   ppp0
>   RedHat9
>   eth0(192.168.0.1)
>    |
>   Win2k(192.168.0.89)
>
> With this layout, I want to set up IPsec tunneling between the office and home.
> # uname -a
> Linux hoge.co.jp 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
> After confirming the kernel version like this, I downloaded and installed
> freeswan-module-2.01_2.4.20_8-0.i386.rpm
> freeswan-userland-2.01_2.4.20_8-0.i386.rpm
> from
> ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/2.4.20-8/
>
> I will use the following notation:
> ppp0 address of jitaku.ddyn.net ... hhh.hhh.hhh.hhh
> P-t-P address of jitaku.ddyn.net ... xxx.xxx.xxx.xxx
> ppp0 address of jimusho.ddyn.net ... ooo.ooo.ooo.ooo
> P-t-P address of jimusho.ddyn.net ... yyy.yyy.yyy.yyy
>
> [root@xxxxxxxxxxxxxxx]# grep -v ^# /etc/ipsec.conf
> version 2.0 # conforms to second version of ipsec.conf specification
> config setup
>     interfaces="ipsec0=ppp0"
>     klipsdebug=none
>     plutodebug=none
> conn %default
>     type=tunnel
>     keyingtries=10
>     authby=rsasig
>     keylife=1h
>     pfs=yes
> conn jitaku-to-jimusho
>     left=hhh.hhh.hhh.hhh
>     leftsubnet=192.168.0.0/24
>     leftid=@xxxxxxxxxxxxxxx
>     leftrsasigkey=0sAQP…pA9VU9
>     leftnexthop=xxx.xxx.xxx.xxx
>     right=ooo.ooo.ooo.ooo
>     rightsubnet=192.168.2.0/24
>     rightid=@xxxxxxxxxxxxxxxx
>     rightrsasigkey=0sAQN7…6IXIn
>     rightnexthop=yyy.yyy.yyy.yyy
>     auto=add
> conn block
>     auto=ignore
> conn private
>     auto=ignore
> conn private-or-clear
>     auto=ignore
> conn clear-or-private
>     auto=ignore
> conn clear
>     auto=ignore
> conn packetdefault
>     auto=ignore
>
> [root@xxxxxxxxxxxxxxx]# grep -v ^# /etc/ipsec.secrets
> hhh.hhh.hhh.hhh ooo.ooo.ooo.ooo : PSK "qom3TSCN"
> : RSA {
>     # RSA 2192 bits jitaku.ddyn.net Mon Sep 8 16:30:37 2003
>     # for signatures only, UNSAFE FOR ENCRYPTION
>     #pubkey=0sAQ…A9VU9
>     :
>     (rest omitted)
>     :
>
> [root@xxxxxxxxxxxxxxxx]# grep -v ^# /etc/ipsec.conf
> version 2.0 # conforms to second version of ipsec.conf specification
> config setup
>     interfaces="ipsec0=ppp0"
>     klipsdebug=none
>     plutodebug=none
> conn %default
>     type=tunnel
>     keyingtries=0
>     authby=rsasig
>     keylife=1h
>     pfs=yes
> conn jitaku-to-jimusho
>     left=ooo.ooo.ooo.ooo
>     leftsubnet=192.168.2.0/24
>     leftid=@xxxxxxxxxxxxxxxx
>     leftrsasigkey=0sAQN…6IXIn
>     leftnexthop=yyy.yyy.yyy.yyy
>     right=hhh.hhh.hhh.hhh
>     rightsubnet=192.168.0.0/24
>     rightid=@xxxxxxxxxxxxxxx
>     rightrsasigkey=0sAQP…9VU9
>     rightnexthop=xxx.xxx.xxx.xxx
>     auto=add
> conn block
>     auto=ignore
> conn private
>     auto=ignore
> conn private-or-clear
>     auto=ignore
> conn clear-or-private
>     auto=ignore
> conn clear
>     auto=ignore
> conn packetdefault
>     auto=ignore
>
> [root@xxxxxxxxxxxxxxxx]# grep -v ^# /etc/ipsec.secrets
> ooo.ooo.ooo.ooo hhh.hhh.hhh.hhh : PSK "qom3TSCN"
> : RSA {
>     # RSA 2192 bits jimusho.ddyn.net Thu Sep 4 21:06:29 2003
>     # for signatures only, UNSAFE FOR ENCRYPTION
>     #pubkey=0sAQN…IXIn
>     :
>     (rest omitted)
>     :
>
> That is how each side is configured.
>
> Incidentally, when I tried commenting out nexthop,
> [root@xxxxxxxxxxxxxxx]# ipsec auto --up jitaku-to-jimusho
> 104 "jitaku-to-jimusho" #8: STATE_MAIN_I1: initiate
> 106 "jitaku-to-jimusho" #8: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "jitaku-to-jimusho" #8: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "jitaku-to-jimusho" #8: STATE_MAIN_I4: ISAKMP SA established
> 112 "jitaku-to-jimusho" #9: STATE_QUICK_I1: initiate
> 003 "jitaku-to-jimusho" #9: route-client command exited with status 7
> 032 "jitaku-to-jimusho" #9: STATE_QUICK_I1: internal error
> 010 "jitaku-to-jimusho" #9: STATE_QUICK_I1: retransmission; will wait 20s for response
> 003 "jitaku-to-jimusho" #9: route-client command exited with status 7
> 032 "jitaku-to-jimusho" #9: STATE_QUICK_I1: internal error
> 003 "jitaku-to-jimusho" #9: route-client command exited with status 7
> 032 "jitaku-to-jimusho" #9: STATE_QUICK_I1: internal error
> 010 "jitaku-to-jimusho" #9: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "jitaku-to-jimusho" #9: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 000 "jitaku-to-jimusho" #9: starting keying attempt 2 of at most 10, but releasing whack
>
> I got the error above, and when I specified %defaultroute as the value of nexthop,
> ipsec__plutorun: ipsec_auto: fatal error in "jitaku-to-jimusho": %defaultroute requested but not known
> was the error I got instead, so on each side I set nexthop to the P-t-P address as shown above. (That made the errors go away.)
>
>
> [root@xxxxxxxxxxxxxxx]# ifconfig ppp0
> ppp0      Link encap:Point-to-Point Protocol
>           inet addr:hhh.hhh.hhh.hhh  P-t-P:xxx.xxx.xxx.xxx  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1454  Metric:1
>           RX packets:410856 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:650284 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:42406115 (40.4 Mb)  TX bytes:828512667 (790.1 Mb)
>
> [root@xxxxxxxxxxxxxxxx]# ifconfig ppp0
> ppp0      Link encap:Point-to-Point Protocol
>           inet addr:ooo.ooo.ooo.ooo  P-t-P:yyy.yyy.yyy.yyy  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1454  Metric:1
>           RX packets:2044582 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1209295 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:2814343338 (2683.9 Mb)  TX bytes:102757569 (97.9 Mb)
>
>
> Now, when I run
>
> [root@xxxxxxxxxxxxxxxx]# service ipsec start
> ipsec_setup: Starting FreeS/WAN IPsec 2.01...
> ipsec_setup: Using /lib/modules/2.4.20-8/kernel/net/ipsec/ipsec.o
>
> I get
>
> [root@xxxxxxxxxxxxxxxx]# ifconfig ipsec0
> ipsec0    Link encap:Point-to-Point Protocol
>           inet addr:ooo.ooo.ooo.ooo  Mask:255.255.255.255
>           UP RUNNING NOARP  MTU:16260  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> [root@xxxxxxxxxxxxxxxx]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> nagasaki-a01.fl *               255.255.255.255 UH    0      0        0 ppp0
> nagasaki-a01.fl *               255.255.255.255 UH    0      0        0 ipsec0
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
> 192.168.0.0     nagasaki-a01.fl 255.255.255.0   UG    0      0        0 ipsec0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         nagasaki-a01.fl 0.0.0.0         UG    0      0        0 ppp0
>
> [root@xxxxxxxxxxxxxxxx]# tail -f /var/log/secure
> Nov 11 15:32:00 jimusho ipsec__plutorun: Starting Pluto subsystem...
> Nov 11 15:32:00 jimusho pluto[15866]: Starting Pluto (FreeS/WAN Version 2.01 PLUTO_USES_KEYRR)
> Nov 11 15:32:01 jimusho pluto[15866]: added connection description "jitaku-to-jimusho"
> Nov 11 15:32:01 jimusho pluto[15866]: listening for IKE messages
> Nov 11 15:32:02 jimusho pluto[15866]: adding interface ipsec0/ppp0 ooo.ooo.ooo.ooo
> Nov 11 15:32:02 jimusho pluto[15866]: loading secrets from "/etc/ipsec.secrets"
> Nov 11 15:32:11 jimusho pluto[15866]: "jitaku-to-jimusho" #1: responding to Main Mode
> Nov 11 15:32:12 jimusho pluto[15866]: "jitaku-to-jimusho" #1: sent MR3, ISAKMP SA established
> Nov 11 15:32:12 jimusho pluto[15866]: "jitaku-to-jimusho" #2: responding to Quick Mode
> Nov 11 15:32:12 jimusho pluto[15866]: "jitaku-to-jimusho" #2: IPsec SA established
>
> That is what I get. And then,
>
>
> [root@xxxxxxxxxxxxxxx]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> nagasaki.ntt-po *               255.255.255.255 UH    0      0        0 ppp0
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         nagasaki.ntt-po 0.0.0.0         UG    0      0        0 ppp0
>
> [root@xxxxxxxxxxxxxxx]# service ipsec start
> ipsec_setup: Starting FreeS/WAN IPsec 2.01...
> ipsec_setup: Using /lib/modules/2.4.20-8/kernel/net/ipsec/ipsec.o
>
> when I run this, I get
>
> [root@xxxxxxxxxxxxxxx]# ifconfig ipsec0
> ipsec0    Link encap:Point-to-Point Protocol
>           inet addr:hhh.hhh.hhh.hhh  Mask:255.255.255.255
>           UP RUNNING NOARP  MTU:16260  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> [root@xxxxxxxxxxxxxxx]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> nagasaki.ntt-po *               255.255.255.255 UH    0      0        0 ppp0
> nagasaki.ntt-po *               255.255.255.255 UH    0      0        0 ipsec0
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         nagasaki.ntt-po 0.0.0.0         UG    0      0        0 ppp0
>
>
> [root@xxxxxxxxxxxxxxx]# tail -f /var/log/secure
> Nov 11 15:35:24 jitaku ipsec__plutorun: Starting Pluto subsystem...
> Nov 11 15:35:26 jitaku pluto[23468]: Starting Pluto (FreeS/WAN Version 2.01 PLUTO_USES_KEYRR)
> Nov 11 15:35:27 jitaku pluto[23468]: added connection description "jitaku-to-jimusho"
> Nov 11 15:35:27 jitaku pluto[23468]: listening for IKE messages
> Nov 11 15:35:27 jitaku pluto[23468]: adding interface ipsec0/ppp0 hhh.hhh.hhh.hhh
> Nov 11 15:35:27 jitaku pluto[23468]: loading secrets from "/etc/ipsec.secrets"
>
> That is what I get.
> Then, finally, when I run
>
> [root@xxxxxxxxxxxxxxx]# ipsec auto --up jitaku-to-jimusho
> 104 "jitaku-to-jimusho" #1: STATE_MAIN_I1: initiate
> 106 "jitaku-to-jimusho" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "jitaku-to-jimusho" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "jitaku-to-jimusho" #1: STATE_MAIN_I4: ISAKMP SA established
> 112 "jitaku-to-jimusho" #2: STATE_QUICK_I1: initiate
> 004 "jitaku-to-jimusho" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
>
> I get
>
> [root@xxxxxxxxxxxxxxx]# tail -f /var/log/secure
> Nov 11 15:37:38 jitaku pluto[23468]: "jitaku-to-jimusho" #1: initiating Main Mode
> Nov 11 15:37:39 jitaku pluto[23468]: "jitaku-to-jimusho" #1: ISAKMP SA established
> Nov 11 15:37:39 jitaku pluto[23468]: "jitaku-to-jimusho" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP
> Nov 11 15:37:40 jitaku pluto[23468]: "jitaku-to-jimusho" #2: sent QI2, IPsec SA established
>
> [root@xxxxxxxxxxxxxxx]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> nagasaki.ntt-po *               255.255.255.255 UH    0      0        0 ppp0
> nagasaki.ntt-po *               255.255.255.255 UH    0      0        0 ipsec0
> 192.168.2.0     nagasaki.ntt-po 255.255.255.0   UG    0      0        0 ipsec0
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         nagasaki.ntt-po 0.0.0.0         UG    0      0        0 ppp0
>
> [root@xxxxxxxxxxxxxxx]# ipsec look
> jitaku.ddyn.net Tue Nov 11 15:40:20 JST 2003
> 192.168.0.0/24 -> 192.168.2.0/24 => tun0x1002@xxxxxxxxxxxxxxx esp0xf16bd699@xxxxxxxxxxxxxxx (0)
> ipsec0->ppp0 mtu=16260(1454)->1454
> esp0xb6657717@xxxxxxxxxxxxxxx ESP_3DES_HMAC_MD5: dir=in src=ooo.ooo.ooo.ooo iv_bits=64bits iv=0x2eb05410eea96122 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(160,0,0) refcount=4 ref=7
> esp0xf16bd699@xxxxxxxxxxxxxxx ESP_3DES_HMAC_MD5: dir=out src=hhh.hhh.hhh.hhh iv_bits=64bits iv=0x626ea0fc11a8a7d2 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(160,0,0) refcount=4 ref=12
> tun0x1001@xxxxxxxxxxxxxxx IPIP: dir=in src=ooo.ooo.ooo.ooo policy=192.168.2.0/24->192.168.0.0/24 flags=0x8<> life(c,s,h)=addtime(160,0,0) refcount=4 ref=8
> tun0x1002@xxxxxxxxxxxxxxx IPIP: dir=out src=hhh.hhh.hhh.hhh life(c,s,h)=addtime(160,0,0) refcount=4 ref=13
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 0.0.0.0         xxx.xxx.xxx.xxx 0.0.0.0         UG        0 0          0 ppp0
> 192.168.2.0     xxx.xxx.xxx.xxx 255.255.255.0   UG        0 0          0 ipsec0
> xxx.xxx.xxx.xxx 0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
> xxx.xxx.xxx.xxx 0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
>
> [root@xxxxxxxxxxxxxxx]# ipsec auto --status
> 000 interface ipsec0/ppp0 hhh.hhh.hhh.hhh
> 000
> 000 debug none
> 000
> 000 "jitaku-to-jimusho": 192.168.0.0/24===hhh.hhh.hhh.hhh[@jitaku.ddyn.net]---xxx.xxx.xxx.xxx...yyy.yyy.yyy.yyy---ooo.ooo.ooo.ooo[@jimusho.ddyn.net]===192.168.2.0/24
> 000 "jitaku-to-jimusho":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
> 000 "jitaku-to-jimusho":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; interface: ppp0; erouted
> 000 "jitaku-to-jimusho":   newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
> 000
> 000 #2: "jitaku-to-jimusho" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2417s; newest IPSEC; eroute owner
> 000 #2: "jitaku-to-jimusho" esp.f16bd699@xxxxxxxxxxxxxxx esp.b6657717@xxxxxxxxxxxxxxx tun.1002@xxxxxxxxxxxxxxx tun.1001@xxxxxxxxxxxxxxx
> 000 #1: "jitaku-to-jimusho" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2538s; newest ISAKMP
> 000
>
> [root@xxxxxxxxxxxxxxxx]# tail -f /var/log/secure
> Nov 11 15:33:52 jimusho pluto[15866]: "jitaku-to-jimusho" #1: received Delete SA payload: deleting IPSEC State #2
> Nov 11 15:33:52 jimusho pluto[15866]: "jitaku-to-jimusho" #1: received and ignored informational message
> Nov 11 15:33:52 jimusho pluto[15866]: "jitaku-to-jimusho" #1: received Delete SA payload: deleting ISAKMP State #1
> Nov 11 15:33:52 jimusho pluto[15866]: packet from hhh.hhh.hhh.hhh:500: received and ignored informational message
> Nov 11 15:37:39 jimusho pluto[15866]: "jitaku-to-jimusho" #3: responding to Main Mode
> Nov 11 15:37:40 jimusho pluto[15866]: "jitaku-to-jimusho" #3: sent MR3, ISAKMP SA established
> Nov 11 15:37:40 jimusho pluto[15866]: "jitaku-to-jimusho" #4: responding to Quick Mode
> Nov 11 15:37:41 jimusho pluto[15866]: "jitaku-to-jimusho" #4: IPsec SA established
>
> [root@xxxxxxxxxxxxxxxx]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> nagasaki-a01.fl *               255.255.255.255 UH    0      0        0 ppp0
> nagasaki-a01.fl *               255.255.255.255 UH    0      0        0 ipsec0
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
> 192.168.0.0     nagasaki-a01.fl 255.255.255.0   UG    0      0        0 ipsec0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         nagasaki-a01.fl 0.0.0.0         UG    0      0        0 ppp0
>
> [root@xxxxxxxxxxxxxxxx]# ipsec look
> jimusho.ddyn.net Tue Nov 11 16:49:57 JST 2003
> 192.168.2.0/24 -> 192.168.0.0/24 => tun0x1006@xxxxxxxxxxxxxxx esp0xb6657718@xxxxxxxxxxxxxxx (0)
> ipsec0->ppp0 mtu=16260(1454)->1454
> esp0xb6657718@xxxxxxxxxxxxxxx ESP_3DES_HMAC_MD5: dir=out src=ooo.ooo.ooo.ooo iv_bits=64bits iv=0x9c0c98407e273b66 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1731,0,0) refcount=4 ref=35
> esp0xf16bd69a@xxxxxxxxxxxxxxx ESP_3DES_HMAC_MD5: dir=in src=hhh.hhh.hhh.hhh iv_bits=64bits iv=0x16abe916dc0a8cd5 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1732,0,0) refcount=4 ref=30
> tun0x1005@xxxxxxxxxxxxxxx IPIP: dir=in src=hhh.hhh.hhh.hhh policy=192.168.0.0/24->192.168.2.0/24 flags=0x8<> life(c,s,h)=addtime(1732,0,0) refcount=4 ref=31
> tun0x1006@xxxxxxxxxxxxxxx IPIP: dir=out src=ooo.ooo.ooo.ooo life(c,s,h)=addtime(1731,0,0) refcount=4 ref=36
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 0.0.0.0         yyy.yyy.yyy.yyy 0.0.0.0         UG        0 0          0 ppp0
> 192.168.0.0     yyy.yyy.yyy.yyy 255.255.255.0   UG        0 0          0 ipsec0
> yyy.yyy.yyy.yyy 0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
> yyy.yyy.yyy.yyy 0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
>
> [root@xxxxxxxxxxxxxxxx]# ipsec auto --status
> 000 interface ipsec0/ppp0 ooo.ooo.ooo.ooo
> 000
> 000 debug none
> 000
> 000 "jitaku-to-jimusho": 192.168.2.0/24===ooo.ooo.ooo.ooo[@jimusho.ddyn.net]---yyy.yyy.yyy.yyy...xxx.xxx.xxx.xxx---hhh.hhh.hhh.hhh[@jitaku.ddyn.net]===192.168.0.0/24
> 000 "jitaku-to-jimusho":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "jitaku-to-jimusho":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: ppp0; erouted
> 000 "jitaku-to-jimusho":   newest ISAKMP SA: #6; newest IPsec SA: #5; eroute owner: #5
> 000
> 000 #5: "jitaku-to-jimusho" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1573s; newest IPSEC; eroute owner
> 000 #5: "jitaku-to-jimusho" esp.b6657718@xxxxxxxxxxxxxxx esp.f16bd69a@xxxxxxxxxxxxxxx tun.1006@xxxxxxxxxxxxxxx tun.1005@xxxxxxxxxxxxxxx
> 000 #6: "jitaku-to-jimusho" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1685s; newest ISAKMP
> 000
>
> That is the result.
> Also, iptables on both sides is set up as shown below.
> Note that neither of the Win2k machines has a firewall installed.
>
> # cat /etc/myScript/ipsec.sh
> /sbin/iptables -A INPUT -i ppp0 -p tcp -m state --state NEW,ESTABLISHED --dport 50 -j ACCEPT
> /sbin/iptables -A OUTPUT -o ppp0 -p tcp -m state --state ESTABLISHED --sport 50 -j ACCEPT
> /sbin/iptables -A OUTPUT -o ppp0 -p tcp -m state --state NEW,ESTABLISHED --dport 50 -j ACCEPT
> /sbin/iptables -A INPUT -i ppp0 -p tcp -m state --state ESTABLISHED --sport 50 -j ACCEPT
> /sbin/iptables -A INPUT -i ppp0 -p udp --dport 500 -j ACCEPT
> /sbin/iptables -A OUTPUT -o ppp0 -p udp --sport 500 -j ACCEPT
> /sbin/iptables -A OUTPUT -o ppp0 -p udp --dport 500 -j ACCEPT
> /sbin/iptables -A INPUT -i ppp0 -p udp --sport 500 -j ACCEPT
> /sbin/iptables -A INPUT -i ppp0 -p udp --dport 51 -j ACCEPT
> /sbin/iptables -A OUTPUT -o ppp0 -p udp --sport 51 -j ACCEPT
> /sbin/iptables -A OUTPUT -o ppp0 -p udp --dport 51 -j ACCEPT
> /sbin/iptables -A INPUT -i ppp0 -p udp --sport 51 -j ACCEPT
>
> But in this situation, even when I run
>
> [user01@xxxxxxxxxxxx]$ ping 192.168.2.102
> [user01@xxxxxxxxxxxxx]$ ping 192.168.0.89
>
> the ping times out and does not get through.
>
> [root@xxxxxxxxxxxxxxxx]# tcpdump -i ppp0 port isakmp
> [root@xxxxxxxxxxxxxxx]# tcpdump -i ppp0 port isakmp
>
> show no response.
> What should I do to get ping through?
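As an added example (not from either poster), a small Python audit for the kind of iptables script quoted above. It encodes the reply's point that ipsec0 must be accepted, and goes beyond the reply by also flagging rules that treat ESP/AH (IP protocols 50 and 51) as TCP/UDP port numbers and by checking the FORWARD chain, which LAN-to-LAN traffic transits on a gateway. Both rule sets in it are constructed samples.

```python
import shlex

# Constructed sample shaped like the script quoted in the thread (abridged), not the poster's file.
POSTED_RULES = """\
/sbin/iptables -A INPUT -i ppp0 -p tcp -m state --state NEW,ESTABLISHED --dport 50 -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp0 -p tcp -m state --state ESTABLISHED --sport 50 -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p udp --dport 500 -j ACCEPT
/sbin/iptables -A OUTPUT -o ppp0 -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p udp --dport 51 -j ACCEPT
"""

# Constructed corrected set: IKE on UDP 500, ESP matched as an IP protocol, the reply's ipsec0 ACCEPTs, plus FORWARD.
FIXED_RULES = """\
/sbin/iptables -A INPUT   -i ppp0 -p udp --dport 500 -j ACCEPT
/sbin/iptables -A OUTPUT  -o ppp0 -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT   -i ppp0 -p esp -j ACCEPT
/sbin/iptables -A OUTPUT  -o ppp0 -p esp -j ACCEPT
/sbin/iptables -A INPUT   -i ipsec0 -j ACCEPT
/sbin/iptables -A OUTPUT  -o ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -o ipsec0 -j ACCEPT
"""

# ESP and AH are IP protocols 50 and 51, not TCP/UDP port numbers.
IPSEC_IP_PROTOS = {"50": "esp", "51": "ah"}
FLAGS = {"-A": "chain", "-i": "iface", "-o": "iface", "-p": "proto",
         "--protocol": "proto", "--dport": "dport", "--sport": "sport"}

def parse_rule(line):
    """Extract chain, interface, protocol and ports from one iptables command line."""
    rule = dict.fromkeys(("chain", "iface", "proto", "dport", "sport"))
    toks = shlex.split(line)
    for flag, value in zip(toks, toks[1:]):
        if flag in FLAGS:
            rule[FLAGS[flag]] = value.lower() if FLAGS[flag] == "proto" else value
    return rule

def audit_rules(script_text):
    """Return findings for an IPsec gateway's iptables script (empty list = looks fine)."""
    rules = [parse_rule(l) for l in script_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    findings = []
    for r in rules:
        for port in (r["dport"], r["sport"]):
            if r["proto"] in ("tcp", "udp") and port in IPSEC_IP_PROTOS:
                name = IPSEC_IP_PROTOS[port]
                findings.append(f"{r['chain']}: '-p {r['proto']}' port {port} matches no IPsec traffic; "
                                f"{name.upper()} is IP protocol {port}, use '-p {name}'")
    if not any(r["proto"] in ("esp", "50") for r in rules):
        findings.append("no rule accepts ESP (IP protocol 50) on the outer interface")
    if not any(r["proto"] == "udp" and "500" in (r["dport"], r["sport"]) for r in rules):
        findings.append("no rule accepts IKE (UDP 500)")
    for chain in ("INPUT", "OUTPUT", "FORWARD"):
        if not any(r["chain"] == chain and r["iface"] == "ipsec0" for r in rules):
            findings.append(f"{chain}: nothing accepts ipsec0, so decapsulated packets hit the default policy")
    return findings
```

Running `audit_rules(POSTED_RULES)` yields seven findings (the three port-50/51 rules, the missing ESP rule, and the three missing ipsec0 chains), while `audit_rules(FIXED_RULES)` is empty.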