From owner-freebsd-net@FreeBSD.ORG Thu Nov 24 05:57:40 2005
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C548D16A41F; Thu, 24 Nov 2005 05:57:40 +0000 (GMT) (envelope-from kamada@nanohz.org)
Received: from nasten.nanohz.org (220x218x5x242.ap220.ftth.ucom.ne.jp [220.218.5.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0759E43D4C; Thu, 24 Nov 2005 05:57:39 +0000 (GMT) (envelope-from kamada@nanohz.org)
Received: from nasten.nanohz.org (localhost [127.0.0.1]) by nasten.nanohz.org (Postfix) with ESMTP id 801C45E; Thu, 24 Nov 2005 14:57:38 +0900 (JST)
Received: from mitana.nanohz.org ([2001:240:2:0:20a:e4ff:fe23:c841]) by nasten.nanohz.org (smtpsugar 1.1) with ESMTPA id 2x9TNQ; Thu, 24 Nov 2005 14:57:38 +0900 (JST)
Date: Thu, 24 Nov 2005 14:57:55 +0900
Message-ID: <20051124145755WM%kamada@nanohz.org>
From: KAMADA Ken'ichi <kamada@nanohz.org>
To: freebsd-net@freebsd.org
In-Reply-To: <20051122215253.GM97528@gremlin.foo.is>
References: <20051122215253.GM97528@gremlin.foo.is>
User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjò) APEL/10.6 Emacs/22.0.50 (i386-unknown-netbsdelf3.99.9) MULE/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Subject: Re: Strange problem with IPSEC, not entirely transparent.
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 24 Nov 2005 05:57:40 -0000

At Tue, 22 Nov 2005 21:52:53 +0000,
Baldur Gislason wrote:
> 
> Now, here's the problem.
> When I have spmd and iked running on both ends, and everything between
> the hosts goes by IPSEC, comms over the tunnel work fine but I cannot
> connect to any TCP ports on the 5.4 machine from the 4.10 machine.
> I can connect from the 5.4 machine to the 4.10 machine though.
> Both machines can ping each other, no problems there. And all comms
> that go through the gif0 tunnel work.

You mean that TCP outside the gif tunnel doesn't work only in one
direction?  If you set IPsec keys (and policies) manually, does it work?
If manual keying works, then...

You mentioned spmd and iked, so I suspect you are using racoon2
(!= racoon), right?  If so, please send racoon2.conf, SPD and SAD
(output of "setkey -DP" and "setkey -D"), iked's log, and other config
if relevant (all on both ends).  If they are too big, you can send them
to me off-list.

# OTOH, if it is racoon you actually wanted to use, it's now contained
# in the security/ipsec-tools port.

At Tue, 22 Nov 2005 21:57:24 +0000,
Baldur Gislason wrote:
> 
> Adding:
> If I kill spmd on the 5.4 box, then all works fine but the comms are
> only encrypted in one direction.

Killing spmd causes removal of SPD entries generated by racoon2.

-- 
KAMADA Ken'ichi @racoon2 project
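As an added illustration of the manual-keying test Kamada suggests above (this is not part of his message or of the racoon2 project), here is a setkey(8) file of the kind one would load on both hosts to take spmd/iked out of the picture. The addresses (192.0.2.1 for the 4.10 box, 192.0.2.2 for the 5.4 box), the SPIs and the keys are placeholders chosen for this example; the keys in particular are constructed dummies for a lab test only and must never be reused.

```conf
# Constructed example, not from the thread: manual SAs and policies for a
# one-off test between the two hosts.
#   192.0.2.1  = the FreeBSD 4.10 box   (assumed address)
#   192.0.2.2  = the FreeBSD 5.4 box    (assumed address)
# Load on BOTH hosts with "setkey -f <this file>", then check on each host
# that "setkey -D" shows both SAs and "setkey -DP" shows one in and one
# out policy.  A missing policy on either side is exactly what removing
# spmd's SPD entries looks like.

flush;
spdflush;

# One SA per direction; both hosts load the identical pair.
# Placeholder keys: 3des-cbc needs 24 bytes, hmac-sha1 needs 20 bytes.
add 192.0.2.1 192.0.2.2 esp 0x1001
    -E 3des-cbc  0x0102030405060708090a0b0c0d0e0f101112131415161718
    -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;
add 192.0.2.2 192.0.2.1 esp 0x1002
    -E 3des-cbc  0x18171615141312111009080706050403020100ff00ff00ff
    -A hmac-sha1 0x1413121110090807060504030201000f0e0d0c0b;

# Policies as loaded on the 4.10 box (192.0.2.1).  On the 5.4 box the
# directions are swapped: 192.0.2.2 -> 192.0.2.1 is "out" and
# 192.0.2.1 -> 192.0.2.2 is "in".  "any" also matches the gif tunnel's
# encapsulated packets between the two endpoints.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

The level at the end of each policy is the part worth checking against the second quoted message. With `require`, a peer that has lost its SPD and starts sending cleartext has those packets dropped, so the failure is loud; with `use`, KAME lets cleartext through when no SA applies, which is how a link can end up "encrypted only in one direction" without any error. Comparing `setkey -DP` on both ends after a test shows immediately whether the policy sets are mirror images of each other or whether one direction is missing.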