From: Nick Slager
To: questions@freebsd.org
Date: Wed, 25 Feb 2004 17:37:56 +1000
Subject: IPsec: Odd behaviour with policies
Message-ID: <20040225073756.GA1935@OntheNet.com.au>

I have a newly created VPN between a 4.8 box and a Cisco VPN 3000 Concentrator. The concentrator is not under my control, being owned by an associated company.

The policies are extremely restrictive, and permit a single host in our network (behind the FreeBSD end) to communicate with 2 hosts at the other end (behind the concentrator).

I am able to establish the VPN from our host by pinging one of the hosts in the remote network. The VPN is established and all works fine, but I can only communicate with the one remote host I pinged to establish the VPN link. I am unable to communicate with the other host.
If I tear down the IPsec tunnel, and re-establish the VPN by pinging the other remote IP address, communication is fine also, but only for the one single remote host I pinged.

Is anyone able to shed light on why this might be the case? Anonymised config files below.

Nick

/etc/ipsec.conf:

# Clear the SAD and SPD before loading the policies.
flush;
spdflush;

# 192.168.1.1 <-> 1.2.3.4, ESP tunnel between gateways 203.1.1.1 and 203.2.2.2
spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;

# 192.168.1.1 <-> 1.2.3.5, same gateway pair
spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.5/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;

Relevant portions of racoon.conf:

# Phase 1 (ISAKMP SA) towards the concentrator
remote 203.2.2.2 {
    exchange_mode main,aggressive;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address "203.1.1.1";
    nonce_size 16;
    lifetime time 86400 sec;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) parameters, one sainfo block per remote host
sainfo address 192.168.1.1/32 any address 1.2.3.4/32 any {
    pfs_group 2;
    lifetime time 86400 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.1.1/32 any address 1.2.3.5/32 any {
    pfs_group 2;
    lifetime time 86400 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
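One check worth running on the FreeBSD end after the first ping is to compare the SPD (`setkey -DP`) with the SAD (`setkey -D`) and see which SA each policy would actually resolve to. The script below is an added example and is not code from the original post. It parses two constructed dumps shaped like FreeBSD 4.x setkey(8) output for the four policies above, with only the SA pair negotiated for 1.2.3.4 present, and applies the matching rule setkey(8) documents for policy levels: a `require` policy is satisfied by any suitable SA between the two gateways, while `unique` binds a policy to its own SA (a non-zero reqid). Because both outbound policies share the same outer address pair, protocol and mode, the script reports both of them resolving to the same SPI, which is consistent with the second host's traffic leaving inside the SA the peer set up for the first host and no second phase-2 exchange being triggered. The SPIs, spids and process ids in the dumps are constructed, not taken from the post.

```python
"""Correlate 'setkey -DP' (SPD) with 'setkey -D' (SAD) output.

Added example, not code from the original post. Both dumps are constructed to look
like FreeBSD 4.x setkey(8) output for the post's policies (tabs shown as spaces).
"""
import re
from collections import namedtuple

SPD_DUMP = """\
192.168.1.1/32[any] 1.2.3.4/32[any] any
    out ipsec
    esp/tunnel/203.1.1.1-203.2.2.2/require
    spid=1 seq=3 pid=1234
1.2.3.4/32[any] 192.168.1.1/32[any] any
    in ipsec
    esp/tunnel/203.2.2.2-203.1.1.1/require
    spid=2 seq=2 pid=1234
192.168.1.1/32[any] 1.2.3.5/32[any] any
    out ipsec
    esp/tunnel/203.1.1.1-203.2.2.2/require
    spid=3 seq=1 pid=1234
1.2.3.5/32[any] 192.168.1.1/32[any] any
    in ipsec
    esp/tunnel/203.2.2.2-203.1.1.1/require
    spid=4 seq=0 pid=1234
"""
# Constructed: the single SA pair racoon negotiated when 1.2.3.4 was pinged.
SAD_DUMP = """\
203.1.1.1 203.2.2.2
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
203.2.2.2 203.1.1.1
    esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
"""

Request = namedtuple("Request", "proto mode src dst level reqid")  # reqid 0 unless level unique:N
Policy = namedtuple("Policy", "selector direction spid requests")
SA = namedtuple("SA", "src dst proto mode spi reqid")
REQ_RE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/(?:([^/-]+)-([^/]+))?/"
                    r"(default|use|require|unique)(?::(\d+))?$")
SA_RE = re.compile(r"^(esp|ah|ipcomp) mode=(tunnel|transport) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)\(")

def _blocks(text):
    """Split a setkey dump into (unindented header, [indented body lines]) groups."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            blocks.append((line.strip(), []))
        else:
            blocks[-1][1].append(line.strip())
    return blocks

def parse_spd(text):
    policies = []
    for selector, body in _blocks(text):
        direction = next((ln.split()[0] for ln in body if ln.endswith(" ipsec")), "")
        spid = next((int(ln.split()[0][5:]) for ln in body if ln.startswith("spid=")), 0)
        requests = []
        for m in filter(None, map(REQ_RE.match, body)):
            proto, mode, src, dst, level, reqid = m.groups()
            requests.append(Request(proto, mode, src or "", dst or "", level, int(reqid or 0)))
        policies.append(Policy(selector, direction, spid, requests))
    return policies

def parse_sad(text):
    sas = []
    for header, body in _blocks(text):
        src, dst = header.split()[:2]
        for m in filter(None, map(SA_RE.match, body)):
            proto, mode, spi, reqid = m.groups()
            sas.append(SA(src, dst, proto, mode, int(spi), int(reqid)))
    return sas

def sa_satisfies(req, sa):
    """KAME-style SA lookup for one policy request: protocol, mode and, in tunnel
    mode, the outer address pair must match. The reqid is compared only when the
    policy carries one (unique:N); 'require' has reqid 0 and takes any such SA."""
    if (req.proto, req.mode) != (sa.proto, sa.mode):
        return False
    if req.mode == "tunnel" and (req.src, req.dst) != (sa.src, sa.dst):
        return False
    return req.reqid == 0 or req.reqid == sa.reqid

def usable_sas(spd_text, sad_text):
    """spid -> sorted SPIs the kernel could hand that policy's traffic to."""
    sad = parse_sad(sad_text)
    return {p.spid: sorted({sa.spi for r in p.requests for sa in sad if sa_satisfies(r, sa)})
            for p in parse_spd(spd_text)}

def shared_sas(spd_text, sad_text):
    """SPI -> policy ids that all resolve to it; the symptom in the post is one
    outbound SA listed under both 192.168.1.1 -> 1.2.3.x policies."""
    by_spi = {}
    for spid, spis in usable_sas(spd_text, sad_text).items():
        for spi in spis:
            by_spi.setdefault(spi, []).append(spid)
    return {spi: spids for spi, spids in by_spi.items() if len(spids) > 1}
```

To use it on a live box, paste the output of `setkey -DP` and `setkey -D` into `SPD_DUMP` and `SAD_DUMP` (real output is tab-indented, which `_blocks` treats the same way) and call `shared_sas(SPD_DUMP, SAD_DUMP)`; any SPI listed under more than one outbound spid is a policy whose traffic is being carried by an SA negotiated for a different selector. A `Request` with a non-zero reqid (what a `unique` policy carries) is not satisfied by these reqid=0 SAs, which is the lookup difference between the two levels.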