From owner-freebsd-net Sun Aug 19 9: 9: 8 2001
Delivered-To: freebsd-net@freebsd.org
Received: from ns.okbmei.msk.su (ns.okbmei.msk.su [194.190.170.19]) by hub.freebsd.org (Postfix) with ESMTP id E843237B408 for ; Sun, 19 Aug 2001 09:09:04 -0700 (PDT) (envelope-from burba@okbmei.msk.su)
Received: from okbmei.msk.su (burba.ac.orbita.ru [193.192.144.124]) by ns.okbmei.msk.su (8.11.4/8.11.4) with ESMTP id f7JG8da16144; Sun, 19 Aug 2001 20:08:39 +0400 (MSD)
Message-ID: <3B7FE482.FA1F2E8D@okbmei.msk.su>
Date: Sun, 19 Aug 2001 20:08:34 +0400
From: "Alex S. Burba"
To: Travis Leuthauser
Cc: freebsd-net@freebsd.org
Subject: Re: IPSec VPN tunnel question

> What do you mean by "what ping/traceroute keys"?

As I can see, your SPD says that packets ONLY from 172.16.250.0/24 TO 172.16.69.0/24 should be tunneled, and vice versa. But the command 'ping 172.16.250.1' is equivalent to 'ping -S 24.181.119.107 172.16.250.1', and your policies do not permit such packets from 24.181.119.107 to 172.16.250.1 to be tunneled. So you should use the command 'ping -S 172.16.69.1 172.16.250.1'.

Keep in mind that IPSec simply DROPS packets which are not permitted by the policies or by the SAD. So you can see in tcpdump that something goes over the tunnel, but it can only be dropped packets.
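As an added illustration (not part of the original post or of any FreeBSD code), a small Python model of the SPD selector check the reply describes: it reports which `ping -S` source address will match the outbound tunnel policy between 172.16.69.0/24 and 172.16.250.0/24, and renders the equivalent setkey(8) `spdadd` lines. The remote gateway address is not given in the thread, so a documentation-range placeholder is used.

```python
"""Model of IPsec SPD selector matching for the tunnel discussed in the thread.
The SPD entries mirror the post; the gateway endpoints are assumptions."""
from ipaddress import ip_address, ip_network

LOCAL_GW = "24.181.119.107"   # local public address named in the post
REMOTE_GW = "192.0.2.1"       # placeholder: remote gateway not given in the post

# (direction, source selector, destination selector, action)
SPD = [
    ("out", "172.16.69.0/24", "172.16.250.0/24", "tunnel"),
    ("in", "172.16.250.0/24", "172.16.69.0/24", "tunnel"),
]


def spd_lookup(direction, src, dst):
    """Return the action of the first policy whose selectors match, else 'none'.
    'none' means the packet is outside every tunnel selector, which is exactly
    the case for an echo request sourced from the gateway's public address."""
    s, d = ip_address(src), ip_address(dst)
    for pdir, psrc, pdst, action in SPD:
        if pdir == direction and s in ip_network(psrc) and d in ip_network(pdst):
            return action
    return "none"


def ping_source_check(candidate_sources, target):
    """For each candidate 'ping -S' source, report the outbound SPD action."""
    return {src: spd_lookup("out", src, target) for src in candidate_sources}


def setkey_spd_lines():
    """Render the tunnel policies as setkey(8) spdadd lines for the local gateway.
    Endpoint order flips for inbound policies; the remote endpoint is a placeholder."""
    lines = []
    for pdir, psrc, pdst, action in SPD:
        if action != "tunnel":
            continue
        a, b = (LOCAL_GW, REMOTE_GW) if pdir == "out" else (REMOTE_GW, LOCAL_GW)
        lines.append(f"spdadd {psrc} {pdst} any -P {pdir} ipsec esp/tunnel/{a}-{b}/require;")
    return lines


if __name__ == "__main__":
    for src, action in ping_source_check([LOCAL_GW, "172.16.69.1"], "172.16.250.1").items():
        print(f"ping -S {src} 172.16.250.1 -> {action}")
    print("\n".join(setkey_spd_lines()))
```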