Date: Fri, 28 Sep 2001 15:48:23 -0500 (CDT)
From: Shawn Barnhart
To: Shoichi Sakane
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IPSec problem, racoon can't transmit?
In-Reply-To: <20010926122828R.sakane@kame.net>

On Wed, 26 Sep 2001, Shoichi Sakane wrote:

> > When I start racoon on both machines, all appears fine. To make a long
> > story short, Machine A never seems to generate ANY isakmp packets. Machine
> > B's racoon run-time info never indicates it's gotten a phase I initiation
> > from A if the session was originated from A. I've run tcpdump on both
> > machines, and A never sends any isakmp packets, although it does get them
> > from B if B originates traffic first and appears to generate a response
> > according to racoon debug info, but B never gets the responses (and if
> > tcpdump is to be believed, A never sends them).
> >
> > Both machines are running racoon-20010831a and 4.4-STABLE built yesterday.
>
> do you mean Machine A didn't send only isakmp packets?
> or machine A couldn't send all packets to machine B?

Machine A didn't ever send isakmp packets to machine B, whether it originates
the traffic that brings up the IPSec link or whether it should be responding
to Phase I negotiation initiation with B.

> the re-keying might have failed. could you check the log file of racoon
> on both sides? if you picked the ERROR tag from the file, you could find
> the problem.

The ERROR tag does say that Phase I failed, and my guess is that the reason
is that A isn't sending isakmp packets (tcpdump on B never sees isakmp
traffic from A).

Machine A is running DIVERT sockets for natd, and I think that is what's
killing the connection. I haven't had time to see if that's really the case
though, and if it is, it's a showstopper.

--
swb@grasslake.net
Hard work often pays off after time, but laziness always pays off now.