From owner-freebsd-questions@FreeBSD.ORG Tue Jan 20 21:22:43 2004
From: Andrew Thomson
To: Kris Kennaway
cc: freebsd-questions@freebsd.org
Subject: Re: ipsec changes in 5.2
Date: Wed, 21 Jan 2004 16:22:36 +1100
Message-Id: <1074662556.2786.14.camel@itouch-1011.prv.au.itouchnet.net>
In-Reply-To: <1074661486.2786.10.camel@itouch-1011.prv.au.itouchnet.net>

At the same time, I do see what I'm asking is a bit of a chicken and an egg scenario..

    spdadd 192.168.13.202/32 0.0.0.0/0 any -P out ipsec

I'm asking for encryption from my laptop to anywhere.. however I'm also asking it to establish encryption with another host which technically it needs to talk to unencrypted. This must be where things are getting hung up.

ajt.

On Wed, 2004-01-21 at 16:04, Andrew Thomson wrote:
> Can't quite access my laptop from work so I've replicated the scenario
> here at work on my 5.2 desktop.
>
> My host: 192.168.13.202
> Firewall: 192.168.13.1
>
> Just recompiled kernel with IPSEC options and installed racoon.
>
> Install the following as per previous setup:
>
> spdadd 192.168.13.202/32 0.0.0.0/0 any -P out ipsec
> esp/tunnel/192.168.13.202-192.168.13.1/require;
> spdadd 0.0.0.0/0 192.168.13.202/32 any -P in ipsec
> esp/tunnel/192.168.13.1-192.168.13.202/require;
>
> Have an all.log tail and a tcpdump on xl0 listening for my ip or the
> firewall ip.
>
> I then try a single ping to the firewall.
>
> ping -c 1 192.168.13.1
> PING 192.168.13.1 (192.168.13.1): 56 data bytes
> 64 bytes from 192.168.13.1: icmp_seq=0 ttl=64 time=0.373 ms
>
> --- 192.168.13.1 ping statistics ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.373/0.373/0.373/0.000 ms
> ajt@itouch-1011:~ > ping -c 1 192.168.13.1
> PING 192.168.13.1 (192.168.13.1): 56 data bytes
>
> --- 192.168.13.1 ping statistics ---
> 1 packets transmitted, 0 packets received, 100% packet loss
>
> all.log
>
> Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:1682:isakmp_post_acquire():
> IPsec-SA request for 192.168.13.1 queued due to no phase1 found.
> Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:796:isakmp_ph1begin_i():
> initiate new phase 1 negotiation:
> 192.168.13.202[500]<=>192.168.13.1[500]
> Jan 21 15:56:20 1011 racoon: INFO: isakmp.c:801:isakmp_ph1begin_i():
> begin Aggressive mode.
> Jan 21 15:56:51 1011 racoon: ERROR: isakmp.c:1774:isakmp_chkph1there():
> phase2 negotiation failed due to time up waiting for phase1. ESP
> 192.168.13.1->192.168.13.202
> Jan 21 15:56:51 1011 racoon: INFO: isakmp.c:1779:isakmp_chkph1there():
> delete phase 2 handler.
> Jan 21 15:57:00 1011 racoon: INFO: isakmp.c:1701:isakmp_post_acquire():
> request for establishing IPsec-SA was queued due to no phase1 found.
> Jan 21 15:57:32 1011 racoon: ERROR: isakmp.c:1774:isakmp_chkph1there():
> phase2 negotiation failed due to time up waiting for phase1. ESP
> 192.168.13.1->192.168.13.202
>
> However as soon as I setkey -FP and try the ping again...
>
> It works.. and it's only once SPD entries are cleared that I see
> anything on xl0 - previously with the SPD in place there was nothing.
> Especially the udp 500 communication that is obviously essential to
> setting up the VPN appears..!
>
> Any tips appreciated... Again this worked between a 5.0 <-> 4.9p1 host
> setup.
>
> thanks,
>
> ajt.
>
> On Wed, 2004-01-21 at 14:38, Kris Kennaway wrote:
> > On Tue, Jan 20, 2004 at 10:29:51AM +1100, Andrew Thomson wrote:
> > > I'm really more interested in changes wrt ipsec since 5.0! ;)
> > >
> > > I just upgraded my laptop from 5.0 to 5.2 the other day and now my IPSEC
> > > VPN doesn't work.
> > >
> > > I run a VPN over my wireless adhoc network at home.
> > >
> > > There are just two hosts on the network, the firewall and the laptop.
> > >
> > > The firewall is running FreeBSD 4.8.
> > >
> > > When my laptop was on 5.0 the following setup worked a treat. However
> > > since the upgrade, the VPN has stopped working.
> >
> > Is anything logged by the kernel? What does tcpdump show happening on
> > the wire?
> >
> > Kris
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
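To make the chicken-and-egg the author describes concrete, here is an added illustration (not from the thread and not FreeBSD kernel code): a simplified first-match model of an SPD lookup, run over the two spdadd lines quoted above. With only those entries, racoon's own IKE datagram (UDP/500 to the firewall) matches the "require" tunnel policy, so nothing can leave in the clear to negotiate the SA that the policy demands; a hypothetical more specific `none` entry for UDP/500, placed ahead of them as `IKE_BYPASS`, lets IKE through in the model while the ping still requires ESP. First-match ordering, the bypass entry, and the packet records are assumptions of the model; whether this is what changed between 5.0 and 5.2 is not established on the page.

```python
import ipaddress

# Simplified first-match model of an SPD lookup (added illustration, not
# FreeBSD kernel code). THREAD_SPD reuses the two spdadd lines from the thread.
THREAD_SPD = [
    "spdadd 192.168.13.202/32 0.0.0.0/0 any -P out ipsec "
    "esp/tunnel/192.168.13.202-192.168.13.1/require;",
    "spdadd 0.0.0.0/0 192.168.13.202/32 any -P in ipsec "
    "esp/tunnel/192.168.13.1-192.168.13.202/require;",
]
# Hypothetical bypass entry exempting IKE (UDP/500 to the firewall) from ESP.
IKE_BYPASS = "spdadd 192.168.13.202[500] 192.168.13.1[500] udp -P out none;"

def _endpoint(spec):
    """'addr/prefix' or 'addr[port]' -> (ip_network, port or None)."""
    port = None
    if "[" in spec:
        spec, rest = spec.split("[", 1)
        port = int(rest.rstrip("]"))
    return ipaddress.ip_network(spec, strict=False), port

def parse_spdadd(line):
    """Parse 'spdadd src dst upper -P dir policy;' into a dict."""
    tok = line.strip().rstrip(";").split()
    if tok[0] != "spdadd" or tok[4] != "-P":
        raise ValueError("not an spdadd line: " + line)
    return {"src": _endpoint(tok[1]), "dst": _endpoint(tok[2]),
            "upper": tok[3], "dir": tok[5], "policy": " ".join(tok[6:])}

def _match(entry, pkt):
    (snet, sport), (dnet, dport) = entry["src"], entry["dst"]
    return (entry["dir"] == pkt["dir"]
            and ipaddress.ip_address(pkt["src"]) in snet
            and ipaddress.ip_address(pkt["dst"]) in dnet
            and entry["upper"] in ("any", pkt["proto"])
            and sport in (None, pkt.get("sport"))
            and dport in (None, pkt.get("dport")))

def lookup(spd_lines, pkt):
    """Policy of the first matching entry; 'none' (pass in clear) if nothing matches."""
    for entry in map(parse_spdadd, spd_lines):
        if _match(entry, pkt):
            return entry["policy"]
    return "none"

# Constructed packets: racoon's outbound IKE datagram and the author's ping.
IKE_OUT = {"dir": "out", "src": "192.168.13.202", "dst": "192.168.13.1",
           "proto": "udp", "sport": 500, "dport": 500}
PING_OUT = {"dir": "out", "src": "192.168.13.202", "dst": "192.168.13.1", "proto": "icmp"}
```

`lookup(THREAD_SPD, IKE_OUT)` returns the require policy, i.e. the IKE packet itself would need the SA it is trying to set up; `lookup([IKE_BYPASS] + THREAD_SPD, IKE_OUT)` returns `none`.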