From: Nick Slager
To: net@freebsd.org
Date: Wed, 10 Mar 2004 15:25:56 +1000
Subject: IPsec: odd behaviour with policies
Message-ID: <20040310052556.GA33553@OntheNet.com.au>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

This is perhaps the wrong forum for this question; however, posting on -questions has drawn a blank.

I have a newly created VPN between a 4.8 box and a Cisco VPN 3000 Concentrator. The concentrator is not under my control, being owned by an associated company. The policies are extremely restrictive, and permit a single host in our network (behind the FreeBSD end) to communicate with 2 hosts at the other end (behind the concentrator).

I am able to establish the VPN from our internal host by pinging one of the hosts in the remote network. The VPN is established and all works fine, but I can only communicate with the one remote host I pinged to establish the VPN link.
I am unable to communicate with the other host. If I tear down the IPsec tunnel and re-establish the VPN by pinging the other remote IP address, communication is fine also, but only for the one single remote host I pinged.

Is anyone able to shed light on why this might be the case?

Anonymised config files below.

Nick

192.168.1.1    Our internal host
203.1.1.1      Our IPsec endpoint (FreeBSD 4.8)
1.2.3.4        Remote internal host #1
1.2.3.5        Remote internal host #2
203.2.2.2      Remote IPsec endpoint (concentrator)

/etc/ipsec.conf:

flush;
spdflush;
# 192.168.1.1 <-> 1.2.3.4, ESP tunnel mode between the two gateways
spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
# 192.168.1.1 <-> 1.2.3.5, a second policy pair with the same tunnel endpoints
spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.5/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;

Relevant portions of racoon.conf:

# Phase 1 (IKE) to the concentrator
remote 203.2.2.2 {
	exchange_mode main,aggressive;
	doi ipsec_doi;
	situation identity_only;
	my_identifier address "203.1.1.1";
	nonce_size 16;
	lifetime time 86400 sec;
	initial_contact on;
	support_proxy on;
	proposal_check obey;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

# Phase 2 selectors for remote host #1
sainfo address 192.168.1.1/32 any address 1.2.3.4/32 any {
	pfs_group 2;
	lifetime time 86400 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

# Phase 2 selectors for remote host #2
sainfo address 192.168.1.1/32 any address 1.2.3.5/32 any {
	pfs_group 2;
	lifetime time 86400 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
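The checks below are an added example for this thread, not code from the post or from the KAME/racoon projects. The script parses the anonymised ipsec.conf and the sainfo selector lines quoted above (embedded as constructed input), confirms that each outbound policy has its inbound mirror image and a matching sainfo block, counts how many distinct Phase 2 selectors racoon will be asked to negotiate with the concentrator, and flags outbound policies that share the same tunnel endpoints at level require rather than unique. That last check is a caveat rather than a diagnosis: setkey(8) documents unique as the level that binds a policy to its own SA, while require lets any SA between those gateways satisfy the policy; whether the concentrator would accept two Phase 2 SAs, or instead a single 1.2.3.4/31 selector covering both hosts, depends on its own policy and is not established by the post. The function names are this example's own.

```python
"""Cross-check setkey SPD policies (ipsec.conf) against racoon sainfo selectors.

Added example for this thread, not code from the original post or from the
KAME/racoon projects. Parses the anonymised configuration quoted in the post
(embedded below as constructed input) and reports what the kernel and racoon
will be asked to negotiate.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: the poster's /etc/ipsec.conf, verbatim.
IPSEC_CONF = """
flush;
spdflush;
spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.5/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
"""

# Constructed input: only the sainfo selector lines from the poster's racoon.conf.
RACOON_CONF = """
sainfo address 192.168.1.1/32 any address 1.2.3.4/32 any { pfs_group 2; }
sainfo address 192.168.1.1/32 any address 1.2.3.5/32 any { pfs_group 2; }
"""

SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"esp/tunnel/(?P<tsrc>[^-\s]+)-(?P<tdst>[^/\s]+)/(?P<level>\w+)\s*;"
)
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(?P<src>\S+)\s+(?P<sproto>\S+)\s+address\s+(?P<dst>\S+)\s+(?P<dproto>\S+)"
)


@dataclass(frozen=True)
class Policy:
    src: str        # inner (selector) source, e.g. 192.168.1.1/32
    dst: str        # inner (selector) destination
    proto: str      # upper-layer protocol selector ("any")
    direction: str  # "in" or "out"
    tsrc: str       # tunnel (outer) source gateway
    tdst: str       # tunnel (outer) destination gateway
    level: str      # default / use / require / unique


def parse_spd(text):
    """Return the tunnel-mode ESP policies written in setkey(8) syntax."""
    return [Policy(m["src"], m["dst"], m["proto"], m["dir"], m["tsrc"], m["tdst"], m["level"])
            for m in SPD_RE.finditer(text)]


def parse_sainfo(text):
    """Return the (src, proto, dst, proto) selector tuple of each sainfo block."""
    return {(m["src"], m["sproto"], m["dst"], m["dproto"]) for m in SAINFO_RE.finditer(text)}


def check(policies, sainfos):
    outbound = [p for p in policies if p.direction == "out"]
    inbound = {(p.src, p.dst, p.proto, p.tsrc, p.tdst) for p in policies if p.direction == "in"}
    # Every outbound policy needs its mirror image inbound, or replies are dropped.
    unpaired = [p for p in outbound if (p.dst, p.src, p.proto, p.tdst, p.tsrc) not in inbound]
    # racoon selects the sainfo whose selectors match the kernel's acquire; with no
    # match (and no 'sainfo anonymous') it has nothing to propose for that Phase 2.
    missing_sainfo = [p for p in outbound if (p.src, p.proto, p.dst, p.proto) not in sainfos]
    # Distinct inner selectors per peer: each one is a separate Phase 2 proposal.
    per_peer = {}
    for p in outbound:
        per_peer.setdefault(p.tdst, set()).add((p.src, p.dst, p.proto))
    # Outbound policies sharing tunnel endpoints without level 'unique' are not bound
    # to their own SA; setkey(8) documents 'unique' as the level that does that.
    shared = {}
    for p in outbound:
        if p.level != "unique":
            shared.setdefault((p.tsrc, p.tdst), []).append(p)
    shared_endpoints = {k: v for k, v in shared.items() if len(v) > 1}
    return {"unpaired": unpaired, "missing_sainfo": missing_sainfo,
            "phase2_selectors": per_peer, "shared_endpoints": shared_endpoints}


def covering_prefixes(selectors):
    """Fewest prefixes covering one peer's remote hosts (ipaddress.collapse_addresses)."""
    nets = [ipaddress.ip_network(dst) for _, dst, _ in selectors]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    report = check(parse_spd(IPSEC_CONF), parse_sainfo(RACOON_CONF))
    for peer, sels in report["phase2_selectors"].items():
        print(f"{peer}: {len(sels)} Phase 2 selector(s); covering prefixes {covering_prefixes(sels)}")
    for (tsrc, tdst), pols in report["shared_endpoints"].items():
        levels = ", ".join(sorted({p.level for p in pols}))
        print(f"{len(pols)} outbound policies share {tsrc}-{tdst} at level {levels} (not 'unique')")
    print("unpaired:", report["unpaired"], "missing sainfo:", report["missing_sainfo"])
```

Run as a script it prints the report for the quoted configuration. To compare the result with what the kernel actually holds on the FreeBSD side, `setkey -DP` dumps the SPD and `setkey -D` the SAD, which shows whether a second SA was ever negotiated for the second host or whether its traffic is matched against the SA set up for the first.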