From owner-freebsd-questions@FreeBSD.ORG Fri Apr 9 14:07:22 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 469FA16A4CE for ; Fri, 9 Apr 2004 14:07:22 -0700 (PDT)
Received: from atta.nth-order.com (adsl-64-175-247-2.dsl.sntc01.pacbell.net [64.175.247.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 06B2743D3F for ; Fri, 9 Apr 2004 14:07:22 -0700 (PDT) (envelope-from tham@atta.nth-order.com)
Received: from atta.nth-order.com (localhost [127.0.0.1]) by atta.nth-order.com (8.12.10/8.12.10) with ESMTP id i39L6uZj039454; Fri, 9 Apr 2004 14:06:57 -0700 (PDT) (envelope-from tham@atta.nth-order.com)
Received: from localhost (tham@localhost) i39L6tqW039451; Fri, 9 Apr 2004 14:06:56 -0700 (PDT) (envelope-from tham@atta.nth-order.com)
Date: Fri, 9 Apr 2004 14:06:55 -0700 (PDT)
From: Timothy Ham
To: freebsd-questions@freebsd.org
Message-ID: <20040409135617.V39400@atta.nth-order.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: richard@endace.com
Subject: Re: Fun with IPSEC and racoon - 5.2.1
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 Apr 2004 21:07:22 -0000

> Hi
>
> I've been having some fun with IPSEC, owing to the need to put in a VPN
> between two offices. At the far end, they've got a PIX, and I was pretty
> sure I could do this end with one of our FreeBSD boxen. As an experiment,
> I set up IPSEC (with keying provided by Racoon) between my (linux) desktop
> and that FreeBSD machine. That worked Just Fine.

Sounds like you're bitten by the broken IPSEC in 5.2 which still hasn't been fixed in 5.2.1. For some reason the ISAKMP traffic that should go around the ipsec policy isn't, and only on outgoing packets.
Some info here: http://docs.freebsd.org/cgi/mid.cgi?20040203070435.GB46486
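The first thing to look at with a symptom like the one described above (ISAKMP packets not going around the outbound policy) is what the SPD actually contains. The following setkey(8) policy file for the FreeBSD end is an added example, not something from this thread or from the racoon project: it states an explicit bypass for ISAKMP (UDP 500) between the two gateways in both directions next to the site-to-site tunnel policy. The gateway and LAN addresses are constructed placeholders, and whether an explicit bypass sidesteps the 5.2 kernel bug the reply refers to is an assumption, not something the thread establishes.

```conf
# /etc/ipsec.conf in setkey(8) syntax, loaded with: setkey -f /etc/ipsec.conf
# Constructed addresses (assumption): 192.0.2.1 = this FreeBSD gateway,
# 198.51.100.1 = the PIX at the far office, 10.0.1.0/24 and 10.0.2.0/24 = the two LANs.
flush;
spdflush;

# Explicit bypass for ISAKMP (UDP 500) between the gateways, both directions.
# Listed before the tunnel rules so that, where the SPD is searched in order,
# key-exchange traffic is matched by these entries and never by a tunnel entry.
spdadd 192.0.2.1[500] 198.51.100.1[500] udp -P out none;
spdadd 198.51.100.1[500] 192.0.2.1[500] udp -P in none;

# Site-to-site traffic: require ESP in tunnel mode between the two gateways.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;
```

`setkey -DP` dumps the SPD the kernel is really using, so the bypass entries can be checked after loading. While racoon negotiates, `tcpdump -ni <outbound interface> udp port 500` shows whether the outgoing ISAKMP packets actually leave the box in the clear, which is the direction the reply says is affected.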