Date: Fri, 16 Nov 2001 10:42:31 -0800
From: Lars Eggert <larse@ISI.EDU>
To: Erik Norvelle <norvelle@Ag.arizona.edu>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: 4.4-CURRENT problems getting IPSec to function
Message-ID: <3BF55E17.7000506@isi.edu>
References: <JOENJHIIFAGEJMMJCHKFEEEBCDAA.norvelle@ag.arizona.edu>
Erik Norvelle wrote:
> --- Begin included file ---
> flush;
> spdflush;
>
> # Note that the add rules are the same as on Node B!
> spdadd 10.20.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/xxx.yyy.40.122-xxx.yyy.40.135/require;
>
> spdadd 192.168.1.0/24 10.20.0.0/24 any -P out ipsec esp/tunnel/xxx.yyy.40.135-xxx.yyy.40.122/require;
>
> --- End included file ---

You are adding SPD entries but not SAD entries. See setkey(8). Oh wait,
you're using IKE, which should negotiate the SAD entries.

> For the test situation, I have set up my ipfilter to allow
> everything to pass, both in and out, on both the internal and
> external interfaces. Also, I have turned off IPNAT completely.

Good, this should simplify things.

> However, tunnel mode between the two internal networks does not
> produce any IPSEC packets or key exchange traffic at all.

I'm not sure I understand what you mean here. You are trying to set up
tunnel mode between the two gateways, right? (And what goes inside the
tunnel are packets between the two end networks.)

All in all, it looks like your problem might be IKE-related, maybe a
config problem with racoon? I've never used it myself, but you could try
asking on snap-users@kame.net...

Lars

--
Lars Eggert <larse@isi.edu>           Information Sciences Institute
http://www.isi.edu/larse/             University of Southern California
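The diagnosis in the reply above, "SPD entries but no SAD entries", is easy to check mechanically when keys are set by hand rather than by IKE. The following is an added example, not code from the thread or from the KAME/FreeBSD tools: it parses the `spdadd` and `add` statements of a setkey(8) script and reports every tunnel-mode policy whose outer endpoints and protocol have no matching security association. The policy lines are the ones quoted in the thread (the `xxx.yyy.40.x` gateway addresses are the poster's own obfuscation, kept as-is); the `add` lines, SPI values and hex keys in the second sample are constructed placeholders, not real keying material. When IKE (racoon) is in use, the SAs are negotiated at run time and an "unmatched" result from a static script is expected; the check is for manual keying.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Policy:            # one spdadd statement
    src: str
    dst: str
    direction: str
    proto: str
    mode: str
    tun_src: str          # outer tunnel endpoints (empty for transport mode)
    tun_dst: str
    level: str


@dataclass(frozen=True)
class SA:                # one add statement
    src: str
    dst: str
    proto: str
    spi: str
    mode: str


# spdadd <src> <dst> <upperspec> -P <dir> [priority] ipsec <proto>/<mode>/<src-dst>/<level>
SPD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+"
    r"(?:(?:prio|priority)\s+\S+\s+)?ipsec\s+(esp|ah|ipcomp)/(tunnel|transport)/([^/]*)/(\w+)$"
)
# add <src> <dst> <proto> <spi> [extensions such as -m tunnel] <algorithms>
SAD_RE = re.compile(r"^add\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def statements(text: str) -> List[str]:
    """Strip '#' comments, then split the script on ';' terminators."""
    joined = " ".join(line.split("#", 1)[0].strip() for line in text.splitlines())
    return [s.strip() for s in joined.split(";") if s.strip()]


def parse_setkey(text: str) -> Tuple[List[Policy], List[SA]]:
    spd, sad = [], []
    for st in statements(text):
        m = SPD_RE.match(st)
        if m:
            src, dst, _upper, direction, proto, mode, ends, level = m.groups()
            tun_src, tun_dst = ends.split("-", 1) if "-" in ends else ("", "")
            spd.append(Policy(src, dst, direction, proto, mode, tun_src, tun_dst, level))
            continue
        m = SAD_RE.match(st)
        if m:
            src, dst, proto, spi, rest = m.groups()
            mm = re.search(r"-m\s+(\S+)", rest or "")
            sad.append(SA(src, dst, proto, spi, mm.group(1) if mm else "any"))
    return spd, sad


def unmatched_policies(text: str) -> List[Policy]:
    """Policies that no SA in the same script can satisfy (SAs are keyed src->dst, per protocol)."""
    spd, sad = parse_setkey(text)
    missing = []
    for p in spd:
        if p.mode == "tunnel":
            want = (p.tun_src, p.tun_dst)              # tunnel SAs live on the outer addresses
        else:
            want = (p.src.split("/")[0], p.dst.split("/")[0])
        ok = any(sa.proto == p.proto and (sa.src, sa.dst) == want
                 and sa.mode in (p.mode, "any") for sa in sad)
        if not ok:
            missing.append(p)
    return missing


# Sample 1: the policies quoted in the thread, with no SAD entries at all.
THREAD_CONF = """
flush;
spdflush;
spdadd 10.20.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/xxx.yyy.40.122-xxx.yyy.40.135/require;
spdadd 192.168.1.0/24 10.20.0.0/24 any -P out ipsec esp/tunnel/xxx.yyy.40.135-xxx.yyy.40.122/require;
"""

# Sample 2: the same policies plus manually keyed SAs (constructed SPIs and dummy keys, not real material).
_ENC_KEY = "0x" + "0123456789abcdef" * 3          # 24 bytes for 3des-cbc
_AUTH_KEY = "0x" + "0123456789abcdef" * 2 + "01234567"   # 20 bytes for hmac-sha1
MANUAL_KEYED_CONF = THREAD_CONF + f"""
# inbound SA: remote gateway -> local gateway
add xxx.yyy.40.122 xxx.yyy.40.135 esp 0x10001 -m tunnel -E 3des-cbc {_ENC_KEY} -A hmac-sha1 {_AUTH_KEY};
# outbound SA: local gateway -> remote gateway
add xxx.yyy.40.135 xxx.yyy.40.122 esp 0x10002 -m tunnel -E 3des-cbc {_ENC_KEY} -A hmac-sha1 {_AUTH_KEY};
"""


if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("manual", MANUAL_KEYED_CONF)):
        bad = unmatched_policies(conf)
        print(f"{name}: {len(bad)} policy(ies) without a matching SA")
        for p in bad:
            print(f"  -P {p.direction} {p.proto}/{p.mode}/{p.tun_src}-{p.tun_dst}/{p.level}")
```

Run against the thread's script it reports both policies as unmatched; with the two `add` lines present it reports none. The parser only understands the statement forms used here (`flush`, `spdflush`, `spdadd`, `add`) and ignores anything else.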