Date:      Tue, 6 Feb 2001 01:58:16 +1300
From:      "Dan Langille" <dan@langille.org>
To:        hackers@FreeBSD.ORG
Subject:   ping over IPSEC works in only one direction
Message-ID:  <200102051239.f15CdGE09532@ns1.unixathome.org>

I've been playing with IPSEC between two boxes.  ping works as expected until
I add in the keys.  Then ping only works from one box, not the other.
tcpdump reveals all traffic to be ESP.

Keys on 19.168.1.1

add 192.168.1.101 192.168.1.1   esp 1100 -E 3des-cbc  "bastbastbastbastbastbast"; 
add 192.168.1.1   192.168.1.101 esp 1101 -E 3des-cbc  "settsettsettsettsettsett"; 

spdadd 192.168.1.1 192.168.1.101 any -P out ipsec esp/transport//use ah/transport//use;


Keys on 19.168.1.101

add 192.168.1.101 192.168.1.1   esp 1100 -E 3des-cbc  "bastbastbastbastbastbast";
add 192.168.1.1   192.168.1.101 esp 1101 -E 3des-cbc  "settsettsettsettsettsett";

spdadd 192.168.1.101 192.168.1.1 any -P out ipsec esp/transport//use ah/transport//use;

The following is a ping 192.168.1.1.  Similar traffic exists for a
ping 192.168.1.101.

# tcpdump -i ed0 proto 1 or proto 50
tcpdump: listening on ed0
01:24:34.216930 192.168.1.1 > 192.168.1.101: ESP(spi=1101,seq=0x2a2)
01:24:34.217994 192.168.1.101 > 192.168.1.1: ESP(spi=1100,seq=0x268)
01:24:35.226859 192.168.1.1 > 192.168.1.101: ESP(spi=1101,seq=0x2a3)
01:24:35.227924 192.168.1.101 > 192.168.1.1: ESP(spi=1100,seq=0x269)
01:24:36.236814 192.168.1.1 > 192.168.1.101: ESP(spi=1101,seq=0x2a4)
01:24:36.237896 192.168.1.101 > 192.168.1.1: ESP(spi=1100,seq=0x26a)

The above tells me that the traffic is using protocol 50 both ways.

However, ping 192.168.1.101 fails like this:
PING 192.168.1.101 (192.168.1.101): 56 data bytes
^C
--- 192.168.1.101 ping statistics ---
69 packets transmitted, 0 packets received, 100% packet loss

The packets are being received as reported by ipfilter:

# ipfstat -hio
12256 pass out from any to any
21 pass out quick proto esp from any to any
11995 pass in from any to any
21 pass in quick proto esp from any to any

clues please!

thanks

--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
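As an added example (not part of Dan's post and not a FreeBSD tool), this Python script cross-checks the two hosts' setkey entries and the tcpdump ESP lines quoted above: same SAD on both ends, correct 3des-cbc key length, every SPI seen on the wire backed by an SA, and each outbound policy mirrored on the peer. The regexes and the inline copies of the configuration are my own construction and cover only the setkey syntax used in the post.

```python
import re
# Constructed from the setkey entries and tcpdump lines quoted in the post.
HOST_A = """add 192.168.1.101 192.168.1.1   esp 1100 -E 3des-cbc  "bastbastbastbastbastbast";
add 192.168.1.1   192.168.1.101 esp 1101 -E 3des-cbc  "settsettsettsettsettsett";
spdadd 192.168.1.1 192.168.1.101 any -P out ipsec esp/transport//use ah/transport//use;
"""
HOST_B = """add 192.168.1.101 192.168.1.1   esp 1100 -E 3des-cbc  "bastbastbastbastbastbast";
add 192.168.1.1   192.168.1.101 esp 1101 -E 3des-cbc  "settsettsettsettsettsett";
spdadd 192.168.1.101 192.168.1.1 any -P out ipsec esp/transport//use ah/transport//use;
"""
DUMP = """01:24:34.216930 192.168.1.1 > 192.168.1.101: ESP(spi=1101,seq=0x2a2)
01:24:34.217994 192.168.1.101 > 192.168.1.1: ESP(spi=1100,seq=0x268)
"""
SA_RE = re.compile(r'^add\s+(\S+)\s+(\S+)\s+(esp|ah)\s+(\d+)\s+-[EA]\s+(\S+)\s+"([^"]*)"')
SPD_RE = re.compile(r'^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\b')
ESP_RE = re.compile(r'^\S+\s+(\S+)\s+>\s+(\S+):\s+ESP\(spi=(\d+)')
KEY_LEN = {"3des-cbc": 24}  # required key size in bytes (only the cipher used here)

def parse_setkey(text):
    """Return ({(src, dst, proto, spi): (alg, key)}, {(src, dst, direction)})."""
    sas, spds = {}, set()
    for line in text.splitlines():
        if m := SA_RE.match(line.strip()):
            src, dst, proto, spi, alg, key = m.groups()
            sas[(src, dst, proto, int(spi))] = (alg, key)
        elif m := SPD_RE.match(line.strip()):
            spds.add(m.groups())
    return sas, spds

def check_pair(cfg_a, cfg_b, dump):
    problems = []
    sas_a, spds_a = parse_setkey(cfg_a)
    sas_b, spds_b = parse_setkey(cfg_b)
    if sas_a != sas_b:  # both ends must share every SA: SPI, algorithm and key
        problems.append("SAD differs between hosts")
    for (_, _, _, spi), (alg, key) in sas_a.items():
        if alg in KEY_LEN and len(key.encode()) != KEY_LEN[alg]:
            problems.append(f"spi {spi}: {alg} key must be {KEY_LEN[alg]} bytes")
    for line in dump.splitlines():  # every SPI on the wire must map to a known SA
        if m := ESP_RE.match(line.strip()):
            src, dst, spi = m.group(1), m.group(2), int(m.group(3))
            if (src, dst, "esp", spi) not in sas_a:
                problems.append(f"no SA for {src}->{dst} spi {spi}")
    # each host's outbound policy must be mirrored by an outbound policy on the peer
    for mine, peer, name in ((spds_a, spds_b, "B"), (spds_b, spds_a, "A")):
        for src, dst, dirn in mine:
            if dirn == "out" and (dst, src, "out") not in peer:
                problems.append(f"host {name} has no outbound policy for {dst}->{src}")
    return problems
```

An empty list means the quoted configuration is internally consistent, so the one-way failure has to be looked for elsewhere (for example in the inbound policy or the filter rules) rather than in the SAs.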