Message-ID: <3AB18AAC.9069CBF2@ahpcns.com>
Date: Thu, 15 Mar 2001 21:38:20 -0600
From: jomor
Organization: ahpcns
To: Mike Burgett
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: IPSEC tunnel without gif?
References: <200103150440.f2F4eZB25117@dragon.awen.com>

Mike Burgett wrote:

> On Wed, 14 Mar 2001 22:21:30 -0600, jomor wrote:
>
> >The gateway that received the pings was transmitting ARP
> >requests but strangely, it was trying to get the hardware
> >address of the other tunnel endpoint rather than that of
> >the router in the middle. Since the ARP requests were never
> >answered, the ping response was never transmitted.
>
> This sounds an awful lot like:
>
> http://www.FreeBSD.org/cgi/query-pr.cgi?pr=21079
>
> I added a static arp entry for my router awhile back to work around this
> very thing.
>
> Thanks,
> Mike

Yup that's it. I got the same thing testing with a straight (no ipsec) gif tunnel too. Are you running this in a "production" environment or just playing with it? Has it proven reliable with the static arp entry?

I was pleasantly surprised to find that I didn't have any PMTUD problems today (with ipsec up) like I did with PPTP.

Thanks
...jgm