Date: Mon, 13 Jan 2003 17:02:52 +0000
To: "Daniel C. Sobral"
From: Bob Bishop
Subject: Re: FAST_IPSEC/racoon vs CISCO PIX anyone?
Cc: current@FreeBSD.ORG

At 16:09 13/1/03, Daniel C. Sobral wrote:
>Bob Bishop wrote:
>
>>Hi,
>>
>>Problems interworking this combination, with ESP tunnel. SA gets
>>negotiated OK, but ESP packets get rejected by the PIX: it says "host
>>not found a.b.c.d" where a.b.c.d is its own endpoint address, and sends
>>"invalid SPI" back to our end, even though the SPI on the rejected ESP
>>packet is the one just negotiated.
>>
>>This is RC2, racoon-20021120a. FWIW the same problem occurs on 4.7 with
>>'ordinary' IPSEC too.
>>
>>Any suggestions? TIA
>
>Well, this question can be silly, specially if you have already
>established tunnels before, but... Did you negotiate a SA for each direction?

Yes, symmetrically.
And we have done this stuff before (but not to a PIX).

>--
>Daniel C. Sobral                   (8-DCS)
>Operations Management
>Data Communications Division
>Security Coordination
>TCO
>Phones: 55-61-313-7654/Cel: 55-61-9618-0904
>E-mail: Daniel.Capo@tco.net.br
>        Daniel.Sobral@tcoip.com.br
>        dcs@tcoip.com.br
>
>Others:
>        dcs@newsguy.com
>        dcs@freebsd.org
>        capo@notorious.bsdconspiracy.net
>
>It was one of those perfect summer days -- the sun was shining, a
>breeze was blowing, the birds were singing, and the lawn mower was
>broken ...
>                 -- James Dent

--
Bob Bishop              +44 (0)118 977 4017
rb@gid.co.uk            fax +44 (0)118 989 4254