From owner-freebsd-net Sat Jan 13 13: 5:57 2001
Delivered-To: freebsd-net@freebsd.org
Received: from dragon.awen.com (dragon.awen.com [208.176.22.138]) by hub.freebsd.org (Postfix) with ESMTP id 7CA1B37B401 for ; Sat, 13 Jan 2001 13:05:39 -0800 (PST)
Received: (from mburgett@localhost) by dragon.awen.com (8.11.2/8.11.2) id f0DL5dr06131; Sat, 13 Jan 2001 13:05:39 -0800 (PST)
Message-ID:
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Sat, 13 Jan 2001 13:05:34 -0800 (PST)
Reply-To: Mike Burgett
From: Mike Burgett
To: freebsd-net@freebsd.org
Subject: NATD/IPSec tunnel glitches..
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I've a fairly recent -stable box (Dec 19) that I use for natd/firewalling for my internal net. It has a static default route to the outside world. Recently, I added IPsec into the equation, and set up tunnels to three networks on the other side of a Gauntlet GVPN box. The IPsec tunnels are statically keyed, so setkey is only run at init.

Everything works _most_ of the time, and I'm able to access the remote nets from any machine in my internal net, with everything appearing on the remotes as if it came from my tunnel end.

Every so often, though, I start getting messages from natd: "failed to write packet back (No route to host)"

If I go to another window and start pinging the external IP of the GVPN box (the other tunnel end), it may or may not drop a few packets, and then start working, and at that point my IPsec tunnels seem to be working again. If I'm watching with tcpdump during this time, I don't see any IP traffic going out to the other tunnel end.

If I leave a 'ping' running to the other tunnel end, I don't seem to see the problem. If I space it 15-30 seconds between pings, the problem seems to occur, but much more rarely than without pinging.
I'd like to make sure it's not something I've misconfigured before opening a PR on this, and I'm willing to stick in some diag lines to try and gather more info about the circumstances surrounding these events, but don't really know where to start. Constructive suggestions welcome.

I'm in the process of cvsup'ing to a current -stable, and will be rebuilding that sometime this afternoon.

Thanks,
Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
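One place to start with the "diag lines" the post asks about is to log the gateway's routing/ARP state for the tunnel peer at a fixed interval and then line those probes up against the natd error bursts in syslog. The script below is an added example, not code from the post or from FreeBSD: it parses BSD-style syslog lines for the natd "No route to host" error, groups them into incidents, and reports what the most recent probe saw just before each incident began. The probe log format (`<ISO timestamp> route=<ok|missing> arp=<ok|missing> ping=<ok|fail>`) is an assumption, meant to be written by a small loop on the gateway that runs e.g. `route -n get <peer>`, `arp -an` and a single ping against the other tunnel end; the syslog and probe lines embedded here are constructed to resemble the symptom and are not from the original machine.

```python
"""Correlate natd 'No route to host' errors with periodic route/ARP probes.

Added example (not the poster's or FreeBSD's code). The syslog and probe
samples below are constructed; the probe log format is an assumption.
"""
import re
from datetime import datetime, timedelta

# BSD syslog prefix: "Jan 13 12:40:58 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
NATD_ERROR = "failed to write packet back (No route to host)"

# Assumed probe-log line: "2001-01-13T12:40:30 route=ok arp=ok ping=ok"
PROBE_RE = re.compile(r"^(?P<ts>\S+) (?P<fields>.*)$")

# Constructed sample data (not from the original host).
SYSLOG = """\
Jan 13 12:40:58 dragon natd[114]: failed to write packet back (No route to host)
Jan 13 12:41:03 dragon natd[114]: failed to write packet back (No route to host)
Jan 13 12:41:09 dragon natd[114]: failed to write packet back (No route to host)
Jan 13 12:42:00 dragon cron[301]: (root) CMD (/usr/libexec/atrun)
Jan 13 13:05:34 dragon natd[114]: failed to write packet back (No route to host)
"""
PROBES = """\
2001-01-13T12:40:30 route=ok arp=ok ping=ok
2001-01-13T12:40:50 route=ok arp=missing ping=fail
2001-01-13T12:41:30 route=ok arp=ok ping=ok
2001-01-13T13:05:00 route=missing arp=ok ping=fail
"""


def parse_ts(mon, day, time, year=2001):
    """Syslog lines carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {mon} {day} {time}", "%Y %b %d %H:%M:%S")


def natd_errors(lines, year=2001):
    """Timestamps of natd lines carrying the 'No route to host' error."""
    out = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "natd":
            continue
        if NATD_ERROR in m.group("msg"):
            out.append(parse_ts(m.group("mon"), m.group("day"), m.group("time"), year))
    return out


def group_incidents(times, gap=timedelta(seconds=60)):
    """Split error timestamps into incidents; a silence longer than `gap` starts a new one."""
    incidents = []
    for t in sorted(times):
        if incidents and t - incidents[-1][-1] <= gap:
            incidents[-1].append(t)
        else:
            incidents.append([t])
    return incidents


def parse_probes(lines):
    """Parse probe-log lines into (timestamp, {field: value}) sorted by time."""
    probes = []
    for line in lines:
        m = PROBE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
        probes.append((ts, fields))
    probes.sort(key=lambda p: p[0])
    return probes


def state_before(probes, t):
    """Fields of the latest probe taken at or before t, or None."""
    last = None
    for ts, fields in probes:
        if ts <= t:
            last = fields
        else:
            break
    return last


def correlate(syslog_lines, probe_lines, year=2001):
    """One record per incident: when it ran, how many errors, what the last probe saw."""
    probes = parse_probes(probe_lines)
    report = []
    for inc in group_incidents(natd_errors(syslog_lines, year)):
        report.append({"start": inc[0], "end": inc[-1],
                       "errors": len(inc), "probe": state_before(probes, inc[0])})
    return report


if __name__ == "__main__":
    for rec in correlate(SYSLOG.splitlines(), PROBES.splitlines()):
        print(f"{rec['start']:%H:%M:%S}-{rec['end']:%H:%M:%S} "
              f"{rec['errors']} natd errors; last probe: {rec['probe']}")
```

Run against the gateway's real syslog and probe log, an incident whose last probe shows `route=ok` but `arp=missing` points at next-hop resolution, whereas `route=missing` points at the routing table or the IPsec policy lookup; either way the report narrows down which state to dump (`netstat -rn`, `arp -an`, `setkey -D`) the moment the next burst of natd errors starts.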