From: Trish Lynch <trish@egobsd.org>
To: freebsd-security@freebsd.org
Date: Mon, 29 Jul 2002 10:46:30 -0400 (EDT)
Subject: racoon and weirdness....
Message-ID: <20020729103029.R484-100000@trish.dyn.magenet.com>

I'm working on setting up IPSEC tunnels between a KAME/racoon/FreeBSD-STABLE box and a Ravlin unit at a client's.

What is happening with the one tunnel is this: after a couple of days, it times out, and neither side can reestablish traffic between them. The log in /var/log/daemon for racoon tells me the tunnel *is* established, but I can't ping through it. If I restart racoon, it all starts working fine again.

The second issue is a second machine, with a cut/pasted config into racoon.conf, with simply the endpoints changed, does not work at all. I can ping the external interface of the Ravlin, but it doesn't even *begin* phase 1.
Here is the racoon.conf:

remote ravlin-ext-ip [500] {
        exchange_mode main,aggressive;
        my_identifier address my-ext-ip;
        peers_identifier address ravlin-ext-ip;
        generate_policy on;
        nonce_size 16;
        lifetime time 3 hour;   # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
}

remote ravlin-int-ip [500] {
        exchange_mode main,aggressive;
        my_identifier address my-int-ip;
        peers_identifier address ravlin-int-ip;
        generate_policy on;
        nonce_size 16;
        lifetime time 3 hour;   # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address my-ext-ip/32[0] any address ravlin-ext-ip/32[0] any {
        # pfs_group 2;
        lifetime time 10800 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5,hmac_sha1;
        compression_algorithm deflate;
}

sainfo address my-int-net/23[0] any address ravlin-int-net/24[0] any {
        # pfs_group 2;
        lifetime time 10800 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5,hmac_sha1;
        compression_algorithm deflate;
}

The gif interface is set up as such (BSD2 == my machine, BSD5 == Ravlin):

$IFCONFIG $GIF3 plumb
$IFCONFIG $GIF3 mtu 1500
$IFCONFIG $GIF3 inet $BSD2_IP $BSD5_IP netmask $NETMASK

/usr/sbin/setkey -FP
/usr/sbin/setkey -F
/usr/sbin/setkey -c << EOF
spdadd $BSD2_PUB_NET $BSD5_PUB_NET any -P out ipsec esp/tunnel/${BSD2_PUB_IP}-${BSD5_PUB_IP}/require;
spdadd $BSD5_PUB_NET $BSD2_PUB_NET any -P in ipsec esp/tunnel/${BSD5_PUB_IP}-${BSD2_PUB_IP}/require;
EOF

Anyone wanna hit me with a cluebat?

-Trish

-- 
Trish Lynch                                     trish@egobsd.org
Ecartis Core Team
Key fingerprint = B04E 67CA 3A12 9930 E91C 7730 4606 3618 B74A 2493
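A diagnostic worth running when racoon's log says the tunnel is up but nothing passes, added here as an example and not part of Trish's post or of the KAME tools: it reads a `setkey -D` dump and reports whether a mature ESP SA exists in both directions between the two public endpoints, since a pair where one direction has expired or never rekeyed looks "established" to racoon while traffic silently stops. The endpoint addresses and the two dumps are constructed placeholders, not the poster's real values.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Reads a `setkey -D` dump
# on stdin and reports whether a mature ESP SA exists in BOTH directions
# between two endpoints; returns 0 only if both are present.
# Usage on a live box: setkey -D | sa_pair_ok <local-pub-ip> <remote-pub-ip>
sa_pair_ok() {
    awk -v a="$1" -v b="$2" '
        # Each SA record starts with an unindented "<src> <dst>" line;
        # the indented lines that follow describe that SA.
        /^[0-9a-fA-F.:]+ [0-9a-fA-F.:]+$/ { src = $1; dst = $2; next }
        /state=/ {
            if (match($0, /state=[a-z]+/)) {
                st = substr($0, RSTART + 6, RLENGTH - 6)
                # Only "mature" SAs carry traffic; larval/dying/dead do not.
                if (st == "mature" && src == a && dst == b) out_ok = 1
                if (st == "mature" && src == b && dst == a) in_ok = 1
            }
        }
        END {
            printf "%s -> %s: %s\n", a, b, (out_ok ? "mature" : "MISSING")
            printf "%s -> %s: %s\n", b, a, (in_ok ? "mature" : "MISSING")
            exit !(out_ok && in_ok)
        }'
}

# Constructed sample dumps in the layout `setkey -D` prints (placeholder
# addresses, dummy keys). The first has a healthy pair; in the second the
# inbound SA has expired into "dying", so replies never decrypt.
GOOD_DUMP='192.0.2.1 198.51.100.1
        esp mode=tunnel spi=268435457(0x10000001) reqid=0(0x00000000)
        E: 3des-cbc  0123456789abcdef 0123456789abcdef 0123456789abcdef
        A: hmac-md5  0123456789abcdef 0123456789abcdef
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
        esp mode=tunnel spi=268435458(0x10000002) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature'
HALF_DUMP='192.0.2.1 198.51.100.1
        esp mode=tunnel spi=268435457(0x10000001) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
        esp mode=tunnel spi=268435458(0x10000002) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=dying'

printf '%s\n' "$GOOD_DUMP" | sa_pair_ok 192.0.2.1 198.51.100.1
printf '%s\n' "$HALF_DUMP" | sa_pair_ok 192.0.2.1 198.51.100.1 \
    || echo "inbound SA not mature: rekey or restart racoon on both ends"
```

Comparing the output against `setkey -DP` (the policies installed by the spdadd lines above) shows whether the missing direction is an SA problem or a policy that never matched.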