Date: Thu, 31 Oct 2002 12:39:45 -0500 (EST)
From: Dru <dlavigne6@cogeco.ca>
To: Ion Amigdalou <axaios@yahoo.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPSEC ping from other side
Message-ID: <20021031123429.L196-100000@dhcp-17-14.kico2.on.cogeco.ca>
In-Reply-To: <20021031164339.30360.qmail@web10102.mail.yahoo.com>
On Thu, 31 Oct 2002, Ion Amigdalou wrote:

> Dear freebsd experts,
> I have set up a VPN with racoon/ipsec on FreeBSD 4.7
> using tunneling with ESP transport. By using the
> setkey -D command, on my side the peer seems connected
> while on the other direction no connection has been
> established.
> Pinging the other side is not possible from my point.
> If the other peer (currently a CISCO 3662 ROUTER)
> pings my ip then the VPN connection is instantly
> established and the whole VPN is up-and-running giving
> me the ability now to ping the other peer.
>
> How can I avoid waiting for a human on the other side
> to ping me and have the vpn successfully connect
> without human intervention?

This is the default behaviour if you don't make a dynamic crypto map on the Cisco side. If you use a regular crypto map, only the Cisco can initiate the connection as the "permit" rule requires inbound packets to be encrypted. This means that if the peer (in your case, racoon) initiates Phase 1 negotiations, that clear text packet will be discarded by the Cisco, so that peer can never successfully start the negotiations.

Do a search at www.cisco.com for "Configuring IPSec Network Security" for the article that gives greater details.

Dru
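For readers who want to see what the two crypto map forms the reply contrasts look like, here is an added IOS configuration sketch. It is not from the original message, the thread, or Cisco's article; the interface name, the transform set, the ACL number, the pre-shared key and the addresses (192.0.2.10 for the racoon host, 10.1.0.0/16 and 10.2.0.0/16 for the two protected networks) are all assumed for illustration.

```cisco
! --- Phase 1 (ISAKMP) policy; values are assumed for the example ---
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
! Pre-shared key bound to the known peer address (assumed address)
crypto isakmp key SECRETKEY address 192.0.2.10
!
! --- Phase 2 transform set (name assumed) ---
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Traffic selector: which cleartext flows are to be protected (assumed networks)
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! --- Form 1: regular (static) crypto map entry ---
! The peer address is fixed; the router itself can initiate for matching traffic.
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS
 match address 101
!
! --- Form 2: dynamic crypto map entry, attached to the same crypto map ---
! No "set peer": the entry is a template filled in when a remote peer
! initiates, so the router acts as responder for that peer.
crypto dynamic-map DYN 10
 set transform-set TS
 match address 101
crypto map VPN 20 ipsec-isakmp dynamic DYN
!
! Apply the crypto map to the outside interface (interface name assumed)
interface FastEthernet0/0
 crypto map VPN
```

Two practical notes. A dynamic entry has no peer to dial, so a crypto map that consists only of a dynamic entry leaves the router responder-only; if the Cisco must also be able to bring the tunnel up, keep a static entry with a lower sequence number (as above, 10 before 20) so it is matched first. And if the remote peer's address is not fixed, the pre-shared key line has to be widened to a wildcard (`crypto isakmp key SECRETKEY address 0.0.0.0 0.0.0.0`), which weakens authentication to "anyone who knows the key"; prefer keeping the key bound to the specific peer address wherever the address is known, as it is in this thread.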
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021031123429.L196-100000>