From owner-freebsd-net@FreeBSD.ORG Tue Nov 29 06:20:45 2005
From: "Arcadiy Ivanov" <arcivanov@mail.ru>
To: freebsd-net@freebsd.org
Date: Tue, 29 Nov 2005 01:20:44 -0500
Message-ID: <000d01c5f4ad$08ea4ea0$329da8c0@home.ivanovy.net>
Subject: FreeBSD <-> Windows XP IPSec Phase 1 Timeout

Dear everybody,

I have the following problem which you might help me solve. I'm running a FreeBSD 6.0 box as a gateway with Windows XP road warrior clients VPNing in. In order to set up secure access I want to use IPSec for traffic encryption with plain-text PPTP for tunneling. The Windows XP IPSec policy is configured to ESP everything coming in and out of TCP port 1723 and GRE, and the same stands for the FreeBSD box. Now here is the problem.

Upon initiating a PPTP dial-up connection from XP, the IPSec negotiations start normally, and both client and server agree on encryption & hashing standards successfully. But as soon as they do agree, all communications time out. Tcpdump on the FreeBSD box and Etherpeek on Windows show the IPSec packets being delivered to both machines, but both client and server behave as if the packets were not delivered at all and obviously time out. I do have the PF firewall on the gateway, but the result is the same with the firewall off, on, or not even loaded into the kernel. I have used racoon, isakmp and ipsec-tools racoon, and the results are EXACTLY the same up to the corresponding lines in the logs - as soon as encryption policies are successfully negotiated and both clients switch to secure communication mode they lose sight of each other and both time out. I of course understand that the logs are necessary and I'm ready to provide them if anybody is interested in helping me solve the problem, but I'm hoping that somebody has had this problem and knows the solution off the top of his/her head.

Thanks a lot,
Arcadiy
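The policy the post describes (ESP on TCP port 1723 and on GRE, in both directions) written out as a FreeBSD setkey(8) SPD file, as an added example and not the poster's actual configuration; 192.0.2.1 is a placeholder for the gateway address and the 0.0.0.0/0 remote stands for any road-warrior client, both assumptions. The comments name the checks that tell whether the kernel's SPD matches the Windows side after Phase 2 completes.

```conf
# setkey -f /etc/ipsec.conf  (added example; addresses are placeholders)
#
# Flush old policies so stale entries cannot shadow these.
spdflush;

# PPTP control channel: TCP port 1723 on the gateway, ESP transport mode
# required for both inbound and outbound traffic.
spdadd 0.0.0.0/0 192.0.2.1[1723] tcp -P in  ipsec esp/transport//require;
spdadd 192.0.2.1[1723] 0.0.0.0/0 tcp -P out ipsec esp/transport//require;

# PPTP data channel: GRE (IP protocol 47) to and from the gateway.
spdadd 0.0.0.0/0 192.0.2.1 gre -P in  ipsec esp/transport//require;
spdadd 192.0.2.1 0.0.0.0/0 gre -P out ipsec esp/transport//require;

# Verification after a client negotiates:
#   setkey -DP   lists the SPD; the selectors (addresses, port, protocol,
#                direction, transport vs tunnel) must mirror what the
#                Windows XP policy requires, or ESP packets arrive but are
#                discarded without matching any policy.
#   setkey -D    lists the SAs racoon installed; an empty list after a
#                "successful" Phase 2 means the policies were agreed but
#                never turned into usable SAs on this side.
```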