From: Peter Haight
To: Steve Bertrand
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD IPSEC tunnel stopped working.
Date: Wed, 29 Jan 2003 05:26:54 -0800
Message-Id: <200301291326.h0TDQsLG007646@wartch.sapros.com>

> Looks like the 'spi' are out of sync on the 2 machines. This is after a
> quick glance, but I know on my IPSec setup (with manual keys), the
> spi's have to be such:
>
> Stable in spi == Release out spi
> Release in spi == Stable out spi
>
> Are you using racoon? If not, post your ipsec script.
Here you go:

local_ip="XX.XX.XX.XX"
local_net_ip="10.10.1.1"
local_net_prefixlen="24"
remote_ip="YY.YY.YY.YY"
remote_net_ip="192.168.1.1"
remote_net_prefixlen="12"
remote_net_netmask="255.255.0.0"

ifconfig gif0 create
ifconfig gif0 tunnel ${local_ip} ${remote_ip}
ifconfig gif0 inet ${local_net_ip} ${remote_net_ip} netmask ${remote_net_netmask}

setkey -c << EOF
flush;
spdflush;
add XX.XX.XX.XX YY.YY.YY.YY esp 9991 -E blowfish-cbc "foobar";
add YY.YY.YY.YY XX.XX.XX.XX esp 9992 -E blowfish-cbc "foobar";
spdadd ${local_net_ip}/${local_net_prefixlen} ${remote_net_ip}/${remote_net_prefixlen} any -P out ipsec esp/tunnel/${local_ip}-${remote_ip}/require;
spdadd ${remote_net_ip}/${remote_net_prefixlen} ${local_net_ip}/${local_net_prefixlen} any -P in ipsec esp/tunnel/${remote_ip}-${local_ip}/require;
EOF
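As an added example (not from this thread or from either poster), a small Python check that parses the `add ... esp` lines of two peers' setkey scripts and reports any direction whose SPI, cipher or key does not line up, which is the out-of-sync condition the quoted reply suspects. The sample scripts reuse the post's placeholder addresses; the second peer with crossed SPIs is constructed, and all function and variable names are my own.

```python
import re

# One manual-key SA line in a setkey script with a quoted-string key, e.g.
#   add XX.XX.XX.XX YY.YY.YY.YY esp 9991 -E blowfish-cbc "foobar";
SA_LINE = re.compile(
    r'^\s*add\s+(\S+)\s+(\S+)\s+esp\s+(\d+)\s+-E\s+(\S+)\s+"([^"]*)"\s*;')


def parse_sas(setkey_text):
    """Map (src, dst) -> (spi, cipher, key) for every 'add ... esp' line."""
    sas = {}
    for line in setkey_text.splitlines():
        m = SA_LINE.match(line)
        if m:
            src, dst, spi, cipher, key = m.groups()
            sas[(src, dst)] = (int(spi), cipher, key)
    return sas


def check_peers(cfg_a, cfg_b):
    """Cross-check the SAs two peers install for one tunnel.

    With manual keys both ends must hold identical SAs per direction (same
    SPI, cipher and key); the kernel works out which SA is inbound from the
    local address. Returns a list of mismatches, empty when consistent.
    """
    a, b = parse_sas(cfg_a), parse_sas(cfg_b)
    problems = []
    for flow in sorted(set(a) | set(b)):
        label = f"{flow[0]} -> {flow[1]}"
        if flow not in a or flow not in b:
            problems.append(f"{label}: SA configured on one host only")
            continue
        for field, va, vb in zip(("SPI", "cipher", "key"), a[flow], b[flow]):
            if va != vb:
                problems.append(f"{label}: {field} differs ({va!r} vs {vb!r})")
    return problems


# Constructed sample scripts using the post's placeholder addresses.
HOST_A = '''flush;
add XX.XX.XX.XX YY.YY.YY.YY esp 9991 -E blowfish-cbc "foobar";
add YY.YY.YY.YY XX.XX.XX.XX esp 9992 -E blowfish-cbc "foobar";
'''
# Constructed peer with the SPIs crossed: the out-of-sync case in the reply.
HOST_B_SWAPPED = '''flush;
add XX.XX.XX.XX YY.YY.YY.YY esp 9992 -E blowfish-cbc "foobar";
add YY.YY.YY.YY XX.XX.XX.XX esp 9991 -E blowfish-cbc "foobar";
'''

if __name__ == "__main__":
    for problem in check_peers(HOST_A, HOST_B_SWAPPED) or ["SAs match"]:
        print(problem)
```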