From: Lars Eggert
Date: Fri, 16 Nov 2001 10:42:31 -0800
To: Erik Norvelle
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: 4.4-CURRENT problems getting IPSec to function
Message-ID: <3BF55E17.7000506@isi.edu>

Erik Norvelle wrote:

> --- Begin included file ---
> flush;
> spdflush;
>
> # Note that the add rules are the same as on Node B!
> spdadd 10.20.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/xxx.yyy.40.122-xxx.yyy.40.135/require;
>
> spdadd 192.168.1.0/24 10.20.0.0/24 any -P out ipsec esp/tunnel/xxx.yyy.40.135-xxx.yyy.40.122/require;
>
> --- End included file ---

You are adding SPD entries but not SAD entries. See setkey(8). Oh wait, you're using IKE, which should negotiate the SAD entries.

> For the test situation, I have set up my ipfilter to allow
> everything to pass, both in and out, on both the internal and
> external interfaces. Also, I have turned off IPNAT completely.

Good, this should simplify things.

> However, tunnel mode between the two internal networks does not
> produce any IPSEC packets or key exchange traffic at all.

I'm not sure I understand what you mean here. You are trying to set up tunnel mode between the two gateways, right? (And what goes inside the tunnel are packets between the two end networks.)

All in all, it looks like your problem might be IKE-related, maybe a config problem with racoon? I've never used it myself, but you could try asking on snap-users@kame.net...

Lars
--
Lars Eggert                     Information Sciences Institute
http://www.isi.edu/larse/       University of Southern California
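One way to catch the mismatch Lars points at (tunnel policies in the SPD with nothing to back them in the SAD) is to lint the setkey configuration before loading it, and to skip that check only when IKE is expected to install the SAs. This is an added example, not code from the thread: the configuration text is constructed in setkey(8) syntax with RFC 5737 documentation addresses and throwaway keys in place of the poster's elided values, and the function names are mine.

```python
import re

# Constructed setkey(8)-style configuration modelled on the policy quoted in the
# thread. Gateway addresses are documentation addresses, not the poster's.
POLICY_ONLY = """
flush;
spdflush;
spdadd 10.20.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/192.0.2.122-198.51.100.135/require;
spdadd 192.168.1.0/24 10.20.0.0/24 any -P out ipsec esp/tunnel/198.51.100.135-192.0.2.122/require;
"""

# The same policies plus manually keyed SAs for both directions of the tunnel
# (placeholder keys, 128-bit, only to make the example parse).
MANUAL_KEYED = POLICY_ONLY + """
add 192.0.2.122 198.51.100.135 esp 0x10001 -m tunnel -E rijndael-cbc "0123456789abcdef";
add 198.51.100.135 192.0.2.122 esp 0x10002 -m tunnel -E rijndael-cbc "fedcba9876543210";
"""

# spdadd <src> <dst> <proto> -P <dir> ipsec <esp|ah>/tunnel/<tsrc>-<tdst>/<level>;
SPD_RE = re.compile(
    r"^\s*spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/tunnel/(\S+?)-(\S+?)/(default|use|require|unique)\s*;", re.M)
# add <src> <dst> <esp|ah> <spi> ...;   (anchored so "spdadd" is not matched)
SAD_RE = re.compile(r"^\s*add\s+(\S+)\s+(\S+)\s+(esp|ah)\s+", re.M)


def policies(config):
    """Yield (direction, proto, tunnel_src, tunnel_dst, level) per tunnel policy."""
    for m in SPD_RE.finditer(config):
        yield m.group(3), m.group(4), m.group(5), m.group(6), m.group(7)


def manual_sas(config):
    """Set of (proto, src, dst) for every manually keyed SA in the config."""
    return {(m.group(3), m.group(1), m.group(2)) for m in SAD_RE.finditer(config)}


def unbacked_policies(config, ike_in_use=False):
    """Tunnel policies that require an SA no 'add' line provides.

    With a 'require' policy and no SA, matching traffic is discarded rather than
    sent in the clear, which is why no ESP packets appear on the wire. When IKE
    (e.g. racoon) is in use the SAs are negotiated on demand, so skip the check.
    """
    if ike_in_use:
        return []
    sas = manual_sas(config)
    return [p for p in policies(config)
            if p[4] == "require" and (p[1], p[2], p[3]) not in sas]
```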