Date: Mon, 13 Jan 2003 17:02:52 +0000
From: Bob Bishop <rb@gid.co.uk>
To: "Daniel C. Sobral" <dcs@tcoip.com.br>
Cc: current@FreeBSD.ORG
Subject: Re: FAST_IPSEC/racoon vs CISCO PIX anyone?
Message-ID: <4.3.2.7.2.20030113170059.033a0198@gid.co.uk>
In-Reply-To: <3E22E4CE.8040304@tcoip.com.br>
References: <4.3.2.7.2.20030113120239.03397190@gid.co.uk> <4.3.2.7.2.20030113120239.03397190@gid.co.uk>

At 16:09 13/1/03, Daniel C. Sobral wrote:
>Bob Bishop wrote:
>
>>Hi,
>>
>>Problems interworking this combination, with ESP tunnel. SA gets
>>negotiated OK, but ESP packets get rejected by the PIX: it says "host
>>not found a.b.c.d" where a.b.c.d is its own endpoint address, and sends
>>"invalid SPI" back to our end, even though the SPI on the rejected ESP
>>packet is the one just negotiated.
>>
>>This is RC2, racoon-20021120a. FWIW the same problem occurs on 4.7 with
>>'ordinary' IPSEC too.
>>
>>Any suggestions? TIA
>
>Well, this question can be silly, especially if you have already
>established tunnels before, but... Did you negotiate a SA for each direction?

Yes, symmetrically. And we have done this stuff before (but not to a PIX).

>--
>Daniel C. Sobral (8-DCS)
>Gerencia de Operacoes
>Divisao de Comunicacao de Dados
>Coordenacao de Seguranca
>TCO
>Fones: 55-61-313-7654/Cel: 55-61-9618-0904
>E-mail: Daniel.Capo@tco.net.br
>        Daniel.Sobral@tcoip.com.br
>        dcs@tcoip.com.br
>
>Outros:
>        dcs@newsguy.com
>        dcs@freebsd.org
>        capo@notorious.bsdconspiracy.net
>
>It was one of those perfect summer days -- the sun was shining, a
>breeze was blowing, the birds were singing, and the lawn mower was
>broken ...
>                -- James Dent
>

--
Bob Bishop      +44 (0)118 977 4017
rb@gid.co.uk    fax +44 (0)118 989 4254

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20030113170059.033a0198>