From owner-freebsd-security Sun Aug 11 22:15:57 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA40137B400 for ; Sun, 11 Aug 2002 22:15:54 -0700 (PDT)
Received: from papa.tanu.org (kame195.kame.net [203.178.141.195]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0F5FF43E3B for ; Sun, 11 Aug 2002 22:15:54 -0700 (PDT) (envelope-from sakane@kame.net)
Received: from localhost ([3ffe:501:4819:cafe:260:1dff:fe21:f766]) by papa.tanu.org (8.11.6/8.11.6) with ESMTP id g7C5JhC50489; Mon, 12 Aug 2002 14:19:45 +0900 (JST) (envelope-from sakane@kame.net)
To: trish@egobsd.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: racoon and weirdness....
In-Reply-To: Your message of "Mon, 29 Jul 2002 10:46:30 -0400 (EDT)" <20020729103029.R484-100000@trish.dyn.magenet.com>
References: <20020729103029.R484-100000@trish.dyn.magenet.com>
X-Mailer: Cue version 0.6 (020620-1817/sakane)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-Id: <20020812141538H.sakane@kame.net>
Date: Mon, 12 Aug 2002 14:15:38 +0900
From: Shoichi Sakane
X-Dispatcher: imput version 20000228(IM140)
Lines: 39
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> I'm working on setting up IPSEC tunnels between a
> KAME/racoon/FreeBSD-STABLE box and a Ravlin unit at a client's.
>
> What is happening with the one tunnel is this:
>
> After a couple of days it times out, and neither side can reestablish
> traffic between them; the log in /var/log/daemon for racoon tells me the
> tunnel *is* established, but I can't ping through it. If I restart racoon,
> it all starts working fine again.

Could you look at the difference in netstat output while the problem is
happening? Could you compare your *SAD* and the SPIs in the packets on the
network? There might be a mismatch of the SAD on both sides.

> The second issue is a second machine, with a cut/pasted config into
> racoon.conf, with simply the endpoints changed, which does not work at all.
>
> I can ping the external interface of the Ravlin, but it doesn't even
> *begin* phase 1.

Because your SPD entry is configured only for your public network. When the
kernel sends a packet with the external address, the kernel decides not to
use IPsec.

> The gif interface is set up as such:
>
> BSD2 == my machine    BSD5 == Ravlin
>
> $IFCONFIG $GIF3 plumb
> $IFCONFIG $GIF3 mtu 1500
> $IFCONFIG $GIF3 inet $BSD2_IP $BSD5_IP netmask $NETMASK
> /usr/sbin/setkey -FP
> /usr/sbin/setkey -F
> /usr/sbin/setkey -c << EOF
> spdadd $BSD2_PUB_NET $BSD5_PUB_NET any -P out ipsec
>        esp/tunnel/${BSD2_PUB_IP}-${BSD5_PUB_IP}/require;
> spdadd $BSD5_PUB_NET $BSD2_PUB_NET any -P in ipsec
>        esp/tunnel/${BSD5_PUB_IP}-${BSD2_PUB_IP}/require;
> EOF
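The second point in the reply (the SPD only covers the two inner networks, so a ping sourced from the gateway's own external address is sent in the clear and never triggers phase 1) can be checked without a kernel. The following is an added example, not code from the thread or from KAME/racoon: it parses setkey(8)-style spdadd lines of the shape the poster used and performs a first-match SPD lookup on candidate packets. All addresses (192.0.2.1 and 198.51.100.1 as the two outer addresses, 10.1.0.0/24 and 10.2.0.0/24 as the networks behind each gateway) are constructed for illustration, and the flow that returns no entry models the kernel sending cleartext: with no matching "require" policy there is no PF_KEY ACQUIRE, so racoon has nothing to negotiate.

```python
"""Toy model of the KAME SPD lookup: which packets does an spdadd policy
actually cover?  Added example for the thread above; constructed addresses."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upper: str        # upper-layer selector, e.g. "any" or "icmp"
    direction: str    # "in" or "out"
    policy: str       # e.g. "esp/tunnel/192.0.2.1-198.51.100.1/require"


def parse_spdadd(line: str) -> SpdEntry:
    """Parse one 'spdadd SRC DST UPPER -P DIR ipsec POLICY;' line (setkey syntax).

    Only the single-policy form used in the thread is handled; anything else
    is rejected rather than silently mis-parsed.
    """
    tok = line.strip().rstrip(";").split()
    if len(tok) != 8 or tok[0] != "spdadd" or tok[4] != "-P" or tok[6] != "ipsec":
        raise ValueError(f"unsupported spdadd line: {line!r}")
    return SpdEntry(
        src=ipaddress.ip_network(tok[1], strict=False),   # a bare host becomes /32
        dst=ipaddress.ip_network(tok[2], strict=False),
        upper=tok[3],
        direction=tok[5],
        policy=tok[7],
    )


def lookup(spd: List[SpdEntry], src_ip: str, dst_ip: str,
           direction: str, upper: str = "icmp") -> Optional[SpdEntry]:
    """Return the first SPD entry whose selectors match the packet, else None.

    None models the kernel sending the packet in the clear: no policy applies,
    so no PF_KEY ACQUIRE is generated and racoon never starts phase 1.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in spd:
        if e.direction != direction:
            continue
        if e.upper != "any" and e.upper != upper:
            continue
        if s in e.src and d in e.dst:
            return e
    return None


# Constructed stand-ins for the poster's shell variables (documentation ranges).
BSD2_PUB_IP, BSD5_PUB_IP = "192.0.2.1", "198.51.100.1"      # outer (tunnel) addresses
BSD2_PUB_NET, BSD5_PUB_NET = "10.1.0.0/24", "10.2.0.0/24"   # networks behind each gateway

# The same two entries the poster feeds to 'setkey -c', with variables expanded.
SPD_TEXT = f"""
spdadd {BSD2_PUB_NET} {BSD5_PUB_NET} any -P out ipsec esp/tunnel/{BSD2_PUB_IP}-{BSD5_PUB_IP}/require;
spdadd {BSD5_PUB_NET} {BSD2_PUB_NET} any -P in ipsec esp/tunnel/{BSD5_PUB_IP}-{BSD2_PUB_IP}/require;
"""
SPD = [parse_spdadd(l) for l in SPD_TEXT.splitlines() if l.strip()]


def classify(src_ip: str, dst_ip: str, direction: str = "out") -> Optional[str]:
    """Policy string that would apply to the flow, or None for cleartext."""
    e = lookup(SPD, src_ip, dst_ip, direction)
    return None if e is None else e.policy


if __name__ == "__main__":
    flows = [
        ("10.1.0.5", "10.2.0.7"),          # host behind BSD2 -> host behind Ravlin
        (BSD2_PUB_IP, BSD5_PUB_IP),        # ping from the gateway's own external address
        (BSD2_PUB_IP, "10.2.0.7"),         # gateway's external address -> remote inner net
    ]
    for src, dst in flows:
        verdict = classify(src, dst) or "cleartext: no policy, no ACQUIRE, no phase 1"
        print(f"{src:>14} -> {dst:<14} {verdict}")
```

Running it shows that only traffic whose inner source and destination both fall inside the two /24 selectors is handed to ESP; a ping from 192.0.2.1 to 198.51.100.1 matches nothing, which is exactly why the second box "doesn't even begin phase 1" even though the Ravlin's external interface is reachable. The parser is deliberately strict so that a policy line it does not understand raises instead of producing a misleading verdict.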