From: Andrew Thomson
To: Company 2210
Cc: freebsd-questions@freebsd.org
Subject: Re: Racoon / VPN problem
Date: 11 Jul 2003 15:03:15 +1000
Message-Id: <1057899795.31944.2.camel@athomson.prv.au.itouchnet.net>

That looks a bit like mine too..
(this output taken from host .14.1; of course these would be reversed on 14.2, ie the in and out bits)

192.168.14.2[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/192.168.14.2-192.168.14.1/require
	spid=1 seq=1 pid=42486
	refcnt=1

0.0.0.0/0[any] 192.168.14.2[any] any
	out ipsec
	esp/tunnel/192.168.14.1-192.168.14.2/require
	spid=2 seq=0 pid=42486
	refcnt=1

I'm using this to IPSEC my wireless traffic. Works a treat coupled with racoon.

ajt.

On Fri, 2003-07-11 at 05:12, Company 2210 wrote:
> I have two FreeBSD 5.0 boxes authenticating at stage one of the VPN, however stage 2 fails with:
>
> ph2begin_r(): respond new phase 2 negotiation: 10.0.0.1[0]<=>10.0.0.2[0]
> get_proposal_r(): no policy found: 10.0.0.2/32[0] 0.0.0.0/0[0] proto=any dir=in
> quick_r1recv(): failed to get proposal for responder.
> _ph2begin_r(): failed to pre-process packet.
>
> I'm a bit new to this, so I'm guessing the lack of a policy refers to my SPD database. setkey -DP looks like this:
>
> 0.0.0.0/0[any] 10.0.0.1[any] any
> 	in ipsec
> 	esp/tunnel/10.0.0.2-10.0.0.1/require
> 	spid=19 seq=1 pid=770
> 	refcnt=1
>
> 10.0.0.1[any] 0.0.0.0/0[any] any
> 	out ipsec
> 	esp/tunnel/10.0.0.1-10.0.0.2/require
> 	spid=18 seq=0 pid=770
> 	refcnt=1
>
> As I understand it, this means all packets heading to or from 10.0.0.1 must be encapsulated (which is what I want, as I'm running a VPN between two FreeBSD gateway boxes). If I replace the 0.0.0.0/0 with the IP of the other box's interface (i.e. 10.0.0.2) the VPN works between 10.0.0.1<->10.0.0.2, but other traffic from other interfaces is not encrypted. Any help in resolving/understanding this issue is greatly appreciated.
>
> Many Thanks
>
> Colin
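As an added diagnostic (not code from either message in the thread), the script below parses a `setkey -DP` dump and the selector from racoon's `no policy found` line and reports whether any SPD entry matches it; it assumes the responder wants an exact src/dst/direction match, which is why Colin's `0.0.0.0/0 -> 10.0.0.1 in` entry is not found for the `10.0.0.2/32 -> 0.0.0.0/0 in` lookup:

```python
import ipaddress
import re

# Constructed sample input: the SPD dump and the racoon error quoted in the thread.
SPD_DUMP = """\
0.0.0.0/0[any] 10.0.0.1[any] any
    in ipsec
    esp/tunnel/10.0.0.2-10.0.0.1/require
    spid=19 seq=1 pid=770
    refcnt=1

10.0.0.1[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/10.0.0.1-10.0.0.2/require
    spid=18 seq=0 pid=770
    refcnt=1
"""
RACOON_MISS = "get_proposal_r(): no policy found: 10.0.0.2/32[0] 0.0.0.0/0[0] proto=any dir=in"

def _net(addr):
    """Normalise a selector address: drop the [port] suffix, treat a bare host as /32."""
    return ipaddress.ip_network(addr.split("[")[0], strict=False)

def parse_spd(dump):
    """Parse `setkey -DP` output into selector dicts; one blank-line-separated block per entry."""
    entries = []
    for block in dump.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines()]
        src, dst, proto = lines[0].split()
        entries.append({"src": _net(src), "dst": _net(dst), "proto": proto,
                        "dir": lines[1].split()[0], "policy": " ".join(lines[1:3])})
    return entries

def parse_racoon_miss(line):
    """Extract the selector racoon's responder looked up from a `no policy found` log line."""
    m = re.search(r"no policy found: (\S+) (\S+) proto=(\S+) dir=(\S+)", line)
    if not m:
        return None
    src, dst, proto, direction = m.groups()
    return {"src": _net(src), "dst": _net(dst), "proto": proto, "dir": direction}

def find_policy(entries, sel):
    """Return the SPD entry whose src/dst/dir equal the looked-up selector exactly, else None."""
    for e in entries:
        if (e["src"], e["dst"], e["dir"]) == (sel["src"], sel["dst"], sel["dir"]) \
                and e["proto"] in ("any", sel["proto"]):
            return e
    return None
```

Run it against your own `setkey -DP` output and the racoon log line to see which selector the responder was actually asking for before editing the SPD.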