From owner-freebsd-hackers Mon Feb 5 16:35: 0 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from ns1.unixathome.org (ns1.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 9BC8C37B491 for ; Mon, 5 Feb 2001 16:34:41 -0800 (PST)
Received: from wocker (wocker.int.nz.freebsd.org [192.168.0.99]) by ns1.unixathome.org (8.11.1/8.11.1) with ESMTP id f160FcE13503; Tue, 6 Feb 2001 13:15:38 +1300 (NZDT) (envelope-from dan@langille.org)
Message-Id: <200102060015.f160FcE13503@ns1.unixathome.org>
From: "Dan Langille"
Organization: novice in training
To: Volker Stolz
Date: Tue, 6 Feb 2001 13:34:32 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: ping over IPSEC works in only one direction
Reply-To: dan@langille.org
Cc: hackers@FreeBSD.ORG
In-reply-to: <20010205173444.A229@agamemnon.informatik.rwth-aachen.de>
References: <200102051239.f15CdGE09532@ns1.unixathome.org>
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 5 Feb 2001, at 17:34, Volker Stolz wrote:

> In local.freebsd-hackers, you wrote:
> >spdadd 192.168.1.1 192.168.1.101 any -P out ipsec esp/transport//use ah/transport//use;
> >spdadd 192.168.1.101 192.168.1.1 any -P out ipsec esp/transport//use ah/transport//use;
>
> I can see no corresponding "... any -P in" rules. Did you forget them only
> in the posting? If not, this is likely to be a source of confusion.

Thanks. That was the problem.

I've been able to get most things working. However, when I involve NAT some things break. I'm not using AH, just ESP. I can get ESP working without NAT and have http, ping, going. No problems. But if I try from an external box, involving NAT, ping works, but not http. Not sure why. A tcpdump shows the incoming ESP requests, but nothing going back out. I'm positive I have the keys correct as ping works and tcpdump shows incoming ping request and outgoing ping replies.
Quite odd.

--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
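
The check Volker Stolz describes in the quoted reply, as an added example that is not part of the original message: a small Python linter that reads `spdadd` lines and reports every policy lacking a mirrored entry (addresses swapped, opposite `-P` direction). The function names are hypothetical, and the `PAIRED` input is constructed on the assumption that the file belongs to 192.168.1.1.

```python
import re

# Matches the setkey(8) form used in the thread:
#   spdadd <src> <dst> <upperspec> -P <in|out> <policy...>;
SPDADD = re.compile(
    r"^\s*spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+(?P<policy>[^;]+);"
)

def parse_policies(text):
    """Return (src, dst, upperspec, direction) for every spdadd line."""
    policies = []
    for line in text.splitlines():
        m = SPDADD.match(line)  # comment and non-spdadd lines do not match
        if m:
            policies.append((m["src"], m["dst"], m["proto"], m["dir"]))
    return policies

def unpaired_policies(text):
    """Policies with no mirror: same upperspec, swapped addresses, other direction."""
    policies = parse_policies(text)
    seen = set(policies)
    missing = []
    for src, dst, proto, direction in policies:
        opposite = "in" if direction == "out" else "out"
        if (dst, src, proto, opposite) not in seen:
            missing.append((src, dst, proto, direction))
    return missing

# The two rules quoted in the thread: both are "-P out".
AS_POSTED = """\
spdadd 192.168.1.1 192.168.1.101 any -P out ipsec esp/transport//use ah/transport//use;
spdadd 192.168.1.101 192.168.1.1 any -P out ipsec esp/transport//use ah/transport//use;
"""

# Constructed variant (assumption: this host is 192.168.1.1, so the second
# rule describes inbound traffic and carries "-P in").
PAIRED = """\
spdadd 192.168.1.1 192.168.1.101 any -P out ipsec esp/transport//use ah/transport//use;
spdadd 192.168.1.101 192.168.1.1 any -P in ipsec esp/transport//use ah/transport//use;
"""

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("paired", PAIRED)):
        print(name, "->", unpaired_policies(conf) or "every policy has a mirror")
```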