From: "Dan Langille" <dan@langille.org>
Organization: novice in training
To: hackers@FreeBSD.ORG
Date: Tue, 6 Feb 2001 01:58:16 +1300
Subject: ping over IPSEC works in only one direction
Reply-To: dan@langille.org

I've been playing with IPSEC between two boxes. ping works as expected until I add in the keys. Then ping only works from one box but not the other. tcpdump reveals all traffic to be ESP.

Keys on 19.168.1.1

    add 192.168.1.101 192.168.1.1 esp 1100 -E 3des-cbc "bastbastbastbastbastbast";
    add 192.168.1.1 192.168.1.101 esp 1101 -E 3des-cbc "settsettsettsettsettsett";
    spdadd 192.168.1.1 192.168.1.101 any -P out ipsec esp/transport//use ah/transport//use;

Keys on 19.168.1.101

    add 192.168.1.101 192.168.1.1 esp 1100 -E 3des-cbc "bastbastbastbastbastbast";
    add 192.168.1.1 192.168.1.101 esp 1101 -E 3des-cbc "settsettsettsettsettsett";
    spdadd 192.168.1.101 192.168.1.1 any -P out ipsec esp/transport//use ah/transport//use;

The following is from a ping 192.168.1.1. Similar traffic exists for a ping 192.168.1.101:

    # tcpdump -i ed0 proto 1 or proto 50
    tcpdump: listening on ed0
    01:24:34.216930 192.168.1.1 > 192.168.1.101: ESP(spi=1101,seq=0x2a2)
    01:24:34.217994 192.168.1.101 > 192.168.1.1: ESP(spi=1100,seq=0x268)
    01:24:35.226859 192.168.1.1 > 192.168.1.101: ESP(spi=1101,seq=0x2a3)
    01:24:35.227924 192.168.1.101 > 192.168.1.1: ESP(spi=1100,seq=0x269)
    01:24:36.236814 192.168.1.1 > 192.168.1.101: ESP(spi=1101,seq=0x2a4)
    01:24:36.237896 192.168.1.101 > 192.168.1.1: ESP(spi=1100,seq=0x26a)

The above tells me that the traffic is using protocol 50 both ways. However, ping 192.168.1.101 fails like this:

    PING 192.168.1.101 (192.168.1.101): 56 data bytes
    ^C
    --- 192.168.1.101 ping statistics ---
    69 packets transmitted, 0 packets received, 100% packet loss

The packets are being received as reported by ipfilter:

    # ipfstat -hio
    12256 pass out from any to any
    21 pass out quick proto esp from any to any
    11995 pass in from any to any
    21 pass in quick proto esp from any to any

clues please!

thanks
--
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
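Added example, not from the post or from FreeBSD: a small Python checker that parses both hosts' setkey(8) add/spdadd lines as quoted in the post and cross-checks them: that each SA (SPI, algorithm, key) is mirrored on the peer, that 3des-cbc keys are 24 bytes, that every SPD rule has an SA behind it, and whether an inbound (-P in) policy exists at all. HOST_A/HOST_B are copies of the configuration above; the finding texts and the audit() helper are mine.

```python
import re

# Copies of the setkey(8) lines from the post, one string per host.
HOST_A = '''
add 192.168.1.101 192.168.1.1 esp 1100 -E 3des-cbc "bastbastbastbastbastbast";
add 192.168.1.1 192.168.1.101 esp 1101 -E 3des-cbc "settsettsettsettsettsett";
spdadd 192.168.1.1 192.168.1.101 any -P out ipsec esp/transport//use ah/transport//use;
'''
HOST_B = '''
add 192.168.1.101 192.168.1.1 esp 1100 -E 3des-cbc "bastbastbastbastbastbast";
add 192.168.1.1 192.168.1.101 esp 1101 -E 3des-cbc "settsettsettsettsettsett";
spdadd 192.168.1.101 192.168.1.1 any -P out ipsec esp/transport//use ah/transport//use;
'''

SA_RE = re.compile(r'^add\s+(\S+)\s+(\S+)\s+(esp|ah)\s+(\d+)\s+-[EA]\s+(\S+)\s+"([^"]*)"')
SPD_RE = re.compile(r'^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+([^;]*)')
KEY_LEN = {'3des-cbc': 24}  # key bytes the cipher used on the page expects

def parse(conf):
    """Return ({(src, dst, proto): (spi, alg, key)}, [(src, dst, direction, rules)])."""
    sas, spd = {}, []
    for line in conf.strip().splitlines():
        if m := SA_RE.match(line):
            src, dst, proto, spi, alg, key = m.groups()
            sas[(src, dst, proto)] = (int(spi), alg, key)   # one SA per src/dst/proto assumed
        elif m := SPD_RE.match(line):
            src, dst, direction, rules = m.groups()
            spd.append((src, dst, direction, rules.split()))
    return sas, spd

def audit(name, conf, peer_conf):
    """Cross-check one host's SAD/SPD against its peer's; return a list of findings."""
    sas, spd = parse(conf)
    peer_sas, _ = parse(peer_conf)
    out = []
    for k, (spi, alg, key) in sas.items():
        if peer_sas.get(k) != (spi, alg, key):          # SPI, cipher and key must mirror
            out.append(f'{name}: SA {k} spi={spi} does not match peer')
        if alg in KEY_LEN and len(key.encode()) != KEY_LEN[alg]:
            out.append(f'{name}: SA {k} {alg} key is {len(key)} bytes, want {KEY_LEN[alg]}')
    for src, dst, direction, rules in spd:
        for rule in rules:
            proto, _mode, _, level = rule.split('/')    # e.g. esp/transport//use
            if (src, dst, proto) not in sas:            # policy names a protocol with no SA
                out.append(f'{name}: no {proto} SA for {src}->{dst} (level {level})')
    if not any(d == 'in' for _, _, d, _ in spd):
        out.append(f'{name}: no -P in policy defined')
    return out
```

Run against the two configs it reports, per host, only the missing AH SA behind the ah/transport//use rule and the absent inbound policy; the ESP SAs and keys mirror correctly on both ends.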