From: Dru
Date: Thu, 16 Jan 2003 16:20:44 -0500 (EST)
To: Andrew Alcheev
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPSec tunnel between Windows XP and FreeBSD: racoon can't acts as the initiator
In-Reply-To: <2413786872.20030114153805@telenet.ru>
Message-ID: <20030116161644.Q11885@dhcp-17-14.kico2.on.cogeco.ca>

On Tue, 14 Jan 2003, Andrew Alcheev wrote:

> Hello.
>
> I have set up an IPSec tunnel between FreeBSD 4.7-stable (system
> 18.11.02)/racoon 20021120a and Windows XP Prof.
> FreeBSD acts as gateway, tunneling connections from Windows to world.
> IPSec encrypts the link between unix and win only.
>
> ipsec.conf:
> spdadd 0.0.0.0/0 192.168.99.10/32 any -P out ipsec
> esp/tunnel/192.168.99.1-192.168.99.10/require;
> spdadd 192.168.99.10/32 0.0.0.0/0 any -P in ipsec
> esp/tunnel/192.168.99.10-192.168.99.1/require;
>
> While the other side (Windows XP) initiates the connection to hosts behind the
> tunnel, all works fine.
>
> If a connection arrives from other hosts before the SA has been established,
> then racoon can't initiate Phase 1.
>
> tcpdump output:
> 15:29:13.408122 192.168.99.1.500 > 192.168.99.10.500: isakmp: phase 1 I agg: [|sa]
> 15:29:13.409117 192.168.99.10.500 > 192.168.99.1.500: isakmp: phase 2/others R inf: [|n]
>
> racoon.log:
> ...
> 2003-01-14 15:29:13: DEBUG: isakmp.c:222:isakmp_handler(): 56 bytes message received from 192.168.99.10[500]
> ...
> 2003-01-14 15:29:13: DEBUG: isakmp.c:346:isakmp_main(): malformed cookie received or the initiator's cookies collide.
> ...
>
> What is wrong?

Hard to tell without a bit more information. Are you using a pre-shared
secret or digital certificates for authentication? Can you send a sanitized
copy of your racoon.conf?

Dru
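An added example, not part of the thread: a small Python checker that parses tcpdump ISAKMP lines of the form quoted above and reports at which step the negotiation broke down. Run on the two lines from the post, it shows that the aggressive-mode Phase 1 initiation from 192.168.99.1 was answered by 192.168.99.10 with an informational (notify) message rather than a Phase 1 response, which is where to start looking; the function names and the classification logic are my own.

```python
import re
from dataclasses import dataclass

# Matches tcpdump's ISAKMP summary: "<ts> <src>.500 > <dst>.500: isakmp: phase <n> <I|R> <exch>:"
ISAKMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>[\d.]+)\.500 > (?P<dst>[\d.]+)\.500: "
    r"isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>\w+):"
)

@dataclass
class IsakmpMsg:
    ts: str
    src: str
    dst: str
    phase: str   # "1" or "2/others"
    role: str    # "I" initiator, "R" responder
    exch: str    # exchange type, e.g. "agg", "ident", "inf"

def parse_isakmp(line: str):
    """Return an IsakmpMsg for a tcpdump ISAKMP line, or None for other lines."""
    m = ISAKMP_RE.match(line.strip())
    return IsakmpMsg(**m.groupdict()) if m else None

def diagnose(lines):
    """Classify the first IKE exchange in the capture from the initiator's view."""
    msgs = [m for m in map(parse_isakmp, lines) if m]
    if not msgs:
        return "no ISAKMP traffic seen"
    first = msgs[0]
    if first.phase != "1" or first.role != "I":
        return "capture does not start with a Phase 1 initiation"
    # Only packets flowing back from the peer we addressed count as replies.
    replies = [m for m in msgs[1:] if m.src == first.dst and m.dst == first.src]
    if not replies:
        return f"Phase 1 {first.exch} initiation to {first.dst} was never answered"
    r = replies[0]
    if r.phase == "1" and r.role == "R":
        return f"Phase 1 {first.exch} answered by {r.src}; negotiation progressed"
    if r.exch == "inf":
        return (f"Phase 1 {first.exch} initiation rejected: {r.src} replied with an "
                f"informational (notify) message instead of a Phase 1 response")
    return f"unexpected reply from {r.src}: phase {r.phase} {r.role} {r.exch}"

# Constructed sample: the two tcpdump lines quoted in the post.
SAMPLE = [
    "15:29:13.408122 192.168.99.1.500 > 192.168.99.10.500: isakmp: phase 1 I agg: [|sa]",
    "15:29:13.409117 192.168.99.10.500 > 192.168.99.1.500: isakmp: phase 2/others R inf: [|n]",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```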