From: Chris Benesch
To: freebsd-net@freebsd.org
Date: Fri, 6 Jul 2012 17:40:07 -0700
Subject: Re: IPSec woes coming from OpenBSD to Free

Yeah, the whole GIF interface thing seemed weird to me too.
I'm in much the same situation: I'm connecting to a Watchguard device, similar to the router I guess you are hooking to. I did get it to start trying to send, using the ping command. Never thought I had to kick-start the data going to it to get it to connect, but I guess I do. So now I have another problem:

2012-07-07 00:16:02: INFO: initiate new phase 1 negotiation: 192.186.0.33[500]<=>my.rou.ter.ip[500]
2012-07-07 00:16:02: INFO: begin Identity Protection mode.
2012-07-07 00:16:02: DEBUG: new cookie: dad1f78e51bb5b7e
2012-07-07 00:16:02: DEBUG: add payload of len 52, next type 13
2012-07-07 00:16:02: DEBUG: add payload of len 16, next type 0
2012-07-07 00:16:02: ERROR: *phase1 negotiation failed due to send error. dad1f78e51bb5b7e:0000000000000000*
2012-07-07 00:16:02: ERROR: failed to begin ipsec sa negotication.

I think I know what it is though. I recompiled the kernel with just option IPSEC the first time and I got an error about unable to set a flag on the rl0 interface, so I found out that if you add option IPSEC_NAT_T in there the error goes away. So I am recompiling the kernel with just IPSEC. I'll let you know how it works after it's done. It takes a while; it's an old Pentium 4 machine with 400 M of RAM and a laptop. The AMD 6 core w/16 G RAM I hope one day to set up to run FreeBSD will be much nicer.
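
An added example, not part of the original message or of racoon itself: a small triage script for racoon output like the log quoted above. It pairs each phase 1 failure with the negotiation that started it and checks the cookie pair at the end of the error line; the function name `triage` and the result fields are hypothetical, and the sample log is constructed from the quoted lines.

```python
import re

# Constructed sample: the racoon lines quoted in the message above.
SAMPLE_LOG = """\
2012-07-07 00:16:02: INFO: initiate new phase 1 negotiation: 192.186.0.33[500]<=>my.rou.ter.ip[500]
2012-07-07 00:16:02: INFO: begin Identity Protection mode.
2012-07-07 00:16:02: DEBUG: new cookie: dad1f78e51bb5b7e
2012-07-07 00:16:02: DEBUG: add payload of len 52, next type 13
2012-07-07 00:16:02: DEBUG: add payload of len 16, next type 0
2012-07-07 00:16:02: ERROR: *phase1 negotiation failed due to send error. dad1f78e51bb5b7e:0000000000000000*
2012-07-07 00:16:02: ERROR: failed to begin ipsec sa negotication.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (\w+): (.*)$")
START = re.compile(r"initiate new phase 1 negotiation: (\S+)\[(\d+)\]<=>(\S+)\[(\d+)\]")
FAIL = re.compile(r"phase1 negotiation failed due to (.+?)\. ([0-9a-f]{16}):([0-9a-f]{16})")


def triage(log_text):
    """Return one dict per failed phase 1 attempt found in racoon output."""
    findings, pending = [], None
    for raw in log_text.splitlines():
        # Drop the '*' emphasis marks a mail client may have added.
        m = LINE.match(raw.replace("*", "").strip())
        if not m:
            continue
        when, _level, msg = m.groups()
        start = START.search(msg)
        if start:
            pending = {"local": start.group(1), "peer": start.group(3)}
            continue
        fail = FAIL.search(msg)
        if fail:
            reason, icookie, rcookie = fail.groups()
            # The pair is initiator:responder. An all-zero responder cookie
            # means no ISAKMP reply was processed, so the peer never got the
            # chance to reject a proposal or key: look at the local send path.
            findings.append({"time": when, "reason": reason,
                             "initiator_cookie": icookie,
                             "peer_replied": int(rcookie, 16) != 0,
                             **(pending or {})})
            pending = None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the quoted log this reports a single failure with reason "send error" and `peer_replied` false, which points at the local host (kernel options, interface, routing, firewall) rather than at the Watchguard's phase 1 settings.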