From owner-freebsd-net@FreeBSD.ORG Wed Feb 25 23:40:25 2004
From: Helge Oldach
To: steve@softgreen.co.uk (Steve Greenshaw)
cc: freebsd-net@freebsd.org
Date: Thu, 26 Feb 2004 08:40:21 +0100 (MET)
Subject: Re: FreeBSD (Racoon) / Draytek Setup
Message-Id: <200402260740.IAA18872@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <006d01c3fbf2$0b3b9f20$c832a8c0@SOFTGREEN> from Steve Greenshaw at "Feb 25, 2004 11:52:27 pm"
List-Id: Networking and TCP/IP with FreeBSD

Steve Greenshaw:
>################
>spdadd 192.168.32.0/24 192.168.1.0/24 ipencap -P out ipsec
>esp/tunnel/AAA.AAA.AAA.AAA-BBB.BBB.BBB.BBB/require;
>spdadd 192.168.1.0/24 192.168.32.0/24 ipencap -P in ipsec
>esp/tunnel/BBB.BBB.BBB.BBB-AAA.AAA.AAA.AAA/require;
>################

Try using "any" instead of "ipencap". (AFAIK gif(4) implements "ipip" encapsulation (protocol 94) and not "ipencap" (protocol 4). But this is just meaningless here as the gif interface just acts as a routing placeholder and doesn't actually transport traffic.)

The other thing you might want to try is using "unique" instead of "require". This is necessary for ESP tunnel mode against Cisco boxes, and probably will catch your case as well. Maybe someone can explain the difference between these two? The manpage isn't really verbose...

Regards,
Helge
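The policy file with both of Helge's suggestions applied, as an added example for this archive page and not part of either message in the thread. It assumes the same placeholder gateway addresses (AAA.AAA.AAA.AAA locally, BBB.BBB.BBB.BBB for the Draytek) and the same LANs as the quoted post, and a setkey(8) policy file loaded with setkey -f. "any" in the upper-layer-protocol field makes each selector match every protocol between the two LANs, so the policy no longer depends on which encapsulation gif(4) uses. "unique" behaves like "require" (a matching SA must exist or the packet is dropped) but additionally binds the policy to its own SA pair through a request id, so racoon(8) negotiates a separate SA for each policy instead of letting several policies share one; if the SAs are keyed manually rather than by racoon, that id has to be given explicitly as unique:N.

```conf
# /etc/ipsec.conf (assumed path), loaded with: setkey -f /etc/ipsec.conf
# Addresses are the placeholders from the quoted post, not real hosts.
flush;
spdflush;

# Outbound: local LAN to the Draytek LAN, ESP tunnel from our gateway to theirs.
# "any" matches every inner protocol; "unique" gives this policy its own SA pair.
spdadd 192.168.32.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/AAA.AAA.AAA.AAA-BBB.BBB.BBB.BBB/unique;

# Inbound: mirror image, tunnel endpoints reversed.
spdadd 192.168.1.0/24 192.168.32.0/24 any -P in ipsec
    esp/tunnel/BBB.BBB.BBB.BBB-AAA.AAA.AAA.AAA/unique;
```

After loading, check the installed policies with `setkey -DP`; once traffic has triggered negotiation, `setkey -D` should list one ESP SA per direction for this policy pair. If the selectors on the Draytek side are defined per network pair as well, the "unique" level is what keeps racoon's proposal aligned with them.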