From: Kris Maglione <bsdaemon@comcast.net>
To: freebsd-questions@freebsd.org
Date: Mon, 24 Jan 2005 16:54:27 -0500
Subject: IPsec issue
Message-ID: <41F56E93.8050700@comcast.net>

I secure my wireless network with IPsec. The rules are generated with a perl script (included below) with a rule for each IP in the range 192.168.1.3-192.168.1.254 (.2 is my AP). The key exchange is handled by racoon and works without issue. I have "allow ip from any to any" as my first ipfw rule when on this network. My firewall allows DHCP and ISAKMP traffic unencrypted and allows only esp traffic otherwise.
My problem is that certain websites tend not to work. I can look them up and make a connection, but I get no incoming packets, although on occasion they do work. Google is one such site. Also, it seems that images don't always load for any site. Neither firewall is blocking the traffic. When I make an OpenVPN link over the connection (it's easier than disabling IPsec, since it's already set up for when I'm away from home), the same websites work fine.

Any ideas? It just struck me that maybe parallel connections to the same address are at the root of the issue, but I have no real evidence. What more information would be useful?

Thanks.

Perl script that generates /etc/ipsec.conf:

#!/usr/bin/perl
use strict;

# Tunnel endpoint on the firewall side
my $fw = "192.168.1.1";

# Start from an empty SAD and SPD
print "flush;", "\n", "spdflush;", "\n";

# One policy pair per client address 192.168.1.3 .. 192.168.1.254
foreach (3..254) {
    my $ip = "192.168.1.$_";
    print "\n";
    # out: host -> anywhere must be ESP-tunnelled host -> firewall
    # in:  anywhere -> host must be ESP-tunnelled firewall -> host
    print "spdadd $ip/32 0.0.0.0/0 any -P out ipsec esp/tunnel/$ip-$fw/require;\n",
          "spdadd 0.0.0.0/0 $ip/32 any -P in ipsec esp/tunnel/$fw-$ip/require;\n";
}
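As an added example, not part of the post and not the poster's script, the following Python audits an /etc/ipsec.conf in the format the Perl generator above writes. It parses each spdadd line and checks that every address in the client range has both an out and an in policy, ESP in tunnel mode, with the tunnel endpoints mirrored through the firewall and the level set to require, so that a host silently left at level use (which lets cleartext through when no SA exists) or left without one direction is reported rather than going unnoticed. The sample configuration, the host list and the function names are constructed for this example; generate_spd reproduces the generator's output only so that the audit can be run against a full range.

```python
import re

# Constructed sample, in the format the post's Perl script writes to
# /etc/ipsec.conf: host .3 is correct, host .4 has been weakened to "use"
# (cleartext is accepted when no SA exists) and lacks its inbound policy.
SAMPLE_CONF = """\
flush;
spdflush;

spdadd 192.168.1.3/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.1.3-192.168.1.1/require;
spdadd 0.0.0.0/0 192.168.1.3/32 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.3/require;

spdadd 192.168.1.4/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.1.4-192.168.1.1/use;
"""

# One setkey(8) spdadd line: src dst upperspec -P dir ipsec proto/mode/tsrc-tdst/level;
SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah|ipcomp)/(tunnel|transport)/(\S+?)-(\S+?)/(default|use|require|unique);$"
)


def generate_spd(hosts, fw):
    """Python equivalent of the post's generator (example only): a require-level
    ESP tunnel policy pair (out and in) for every host, tunnelled via fw."""
    lines = ["flush;", "spdflush;"]
    for ip in hosts:
        lines.append("")
        lines.append(f"spdadd {ip}/32 0.0.0.0/0 any -P out ipsec esp/tunnel/{ip}-{fw}/require;")
        lines.append(f"spdadd 0.0.0.0/0 {ip}/32 any -P in ipsec esp/tunnel/{fw}-{ip}/require;")
    return "\n".join(lines) + "\n"


def parse_spd(text):
    """Parse spdadd lines into dicts; skip flush/spdflush/blank lines; reject anything else."""
    policies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line in ("flush;", "spdflush;"):
            continue
        m = SPDADD_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised policy: {line}")
        keys = ("src", "dst", "upper", "dir", "proto", "mode", "tsrc", "tdst", "level")
        policies.append(dict(zip(keys, m.groups())))
    return policies


def audit_spd(text, hosts, fw):
    """Return a list of findings (empty means every host is fully covered).

    A host is covered when it has an 'out' policy (host/32 -> any) and an 'in'
    policy (any -> host/32), both ESP in tunnel mode, both at level 'require'
    (so cleartext is never accepted), with tunnel endpoints host->fw and fw->host.
    """
    by_key = {(p["dir"], p["src"], p["dst"]): p for p in parse_spd(text)}
    findings = []
    for ip in hosts:
        expected = {
            "out": ((ip + "/32", "0.0.0.0/0"), (ip, fw)),
            "in": (("0.0.0.0/0", ip + "/32"), (fw, ip)),
        }
        for direction, ((src, dst), (tsrc, tdst)) in expected.items():
            p = by_key.get((direction, src, dst))
            if p is None:
                findings.append(f"{ip}: missing {direction} policy")
                continue
            if p["proto"] != "esp" or p["mode"] != "tunnel":
                findings.append(f"{ip}: {direction} policy is {p['proto']}/{p['mode']}, expected esp/tunnel")
            if (p["tsrc"], p["tdst"]) != (tsrc, tdst):
                findings.append(f"{ip}: {direction} tunnel endpoints {p['tsrc']}-{p['tdst']}, expected {tsrc}-{tdst}")
            if p["level"] != "require":
                findings.append(f"{ip}: {direction} policy level is '{p['level']}', expected 'require'")
    return findings


if __name__ == "__main__":
    fw = "192.168.1.1"
    lan = [f"192.168.1.{i}" for i in range(3, 255)]   # the post's .3 .. .254 range
    print(audit_spd(generate_spd(lan, fw), lan, fw))   # a full, correct SPD: no findings
    print(audit_spd(SAMPLE_CONF, ["192.168.1.3", "192.168.1.4"], fw))
```

Run against the generator's own output for the full range the audit returns nothing; run against the constructed sample it flags host .4 twice, once for the use level and once for the missing in policy. The same audit can be pointed at the live policy by feeding it the spdadd lines rather than the file, since setkey -DP prints the installed SPD in a different layout and would need its own parser.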