From owner-freebsd-questions Mon Jul 29 12:53:42 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DFECA37B407; Mon, 29 Jul 2002 12:53:15 -0700 (PDT)
Received: from mail.seton.org (ftp.seton.org [207.193.126.172]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5249643EE5; Mon, 29 Jul 2002 12:51:39 -0700 (PDT) (envelope-from mgrooms@seton.org)
Received: from aus-gwia.aus.dcnhs.org (aus-gwia.aus.dcnhs.org [10.20.10.211]) by mail.seton.org (Postfix) with ESMTP id D987CD0077; Mon, 29 Jul 2002 14:49:38 -0500 (CDT)
Received: from AUS_SETON-MTA by aus-gwia.aus.dcnhs.org with Novell_GroupWise; Mon, 29 Jul 2002 14:49:38 -0500
X-Mailer: Novell GroupWise Internet Agent 6.0.1
Date: Mon, 29 Jul 2002 14:49:22 -0500
From: "Matthew Grooms"
Subject: Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ok, I'm a moron. I was trying to use the gif driver when I shouldn't have. As soon as I changed the setkey parameters to a non-tunnel-device config it started negotiating.
i.e.:

# delete all existing SPD and SAD entries
setkey -FP
setkey -F
setkey -c << EOF
spdadd 10.22.200.0/24 10.20.0.0/16 any -P out ipsec esp/tunnel/66.90.146.202-65.118.63.252/require;
spdadd 10.22.200.0/24 10.21.0.0/16 any -P out ipsec esp/tunnel/66.90.146.202-65.118.63.252/require;
spdadd 10.22.200.0/24 10.23.0.0/16 any -P out ipsec esp/tunnel/66.90.146.202-65.118.63.252/require;
spdadd 10.20.0.0/16 10.22.200.0/24 any -P in ipsec esp/tunnel/65.118.63.252-66.90.146.202/require;
spdadd 10.21.0.0/16 10.22.200.0/24 any -P in ipsec esp/tunnel/65.118.63.252-66.90.146.202/require;
spdadd 10.23.0.0/16 10.22.200.0/24 any -P in ipsec esp/tunnel/65.118.63.252-66.90.146.202/require;
EOF

When the connection is initiated from the BSD side, traffic passes through the vpn1 box, unencrypted and routed to the remote host without a problem. Unfortunately, the response from the remote host gets caught up on the return trip. I am guessing this is because the BSD and vpn1 boxes agree on an outbound (from the BSD box's perspective) proposal but cannot agree on an inbound proposal. The Checkpoint error logs say 'encryption failure : no response from peer'. However, here is some tcpdump output that shows bi-directional communications. I'm not sure how to interpret this. Any ideas, anyone?
tcpdump: listening on eth0
14:36:16.766265 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 1 I agg: [|sa] (DF)
14:36:17.266091 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 1 R agg: [|sa]
14:36:17.284486 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 1 I agg: (hash: len=16) (DF)
14:36:17.387671 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 1 I agg: (hash: len=16) (DF)
14:36:17.487667 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 1 I agg: (hash: len=16) (DF)
14:36:17.816164 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:18.387787 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:19.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:19.989945 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:21.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:21.939733 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:23.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:23.902725 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:25.817695 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:25.887740 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:27.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:27.893544 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:29.817750 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:29.904151 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:33.817767 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:33.891523 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:37.817766 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:37.897711 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:41.817772 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:41.894646 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:45.817771 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:45.891121 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:49.817775 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:49.883577 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]

-Matthew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
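As an added example (not part of Matthew's post, and not racoon or setkey code), here is a small Python script that performs the two offline checks a practitioner would want to run on a setup like this one. The first check takes the posted spdadd lines and verifies that every `-P out` policy has its mirror image `-P in` policy (selectors and tunnel endpoints swapped); setkey accepts a one-sided SPD silently, and the symptom of a missing inbound policy is exactly "outbound works, the reply never comes back". The second check classifies the ISAKMP exchange in the posted tcpdump excerpt: a Quick Mode message 1 that is answered only by an encrypted Informational, and then retransmitted, is the responder (66.90.146.202, the racoon side) sending a Notify instead of a Quick Mode response, so phase 1 completed and phase 2 is being refused. The notify type (NO-PROPOSAL-CHOSEN, INVALID-ID-INFORMATION, and so on) sits inside the encrypted payload, so tcpdump cannot show it; racoon's log on the FreeBSD box can. The sample policies and packets are copied from the post; the one-sided SPD used in the demo is constructed by dropping the last posted line.

```python
"""Offline checks for the racoon/setkey tunnel discussed in the post:
(1) is the SPD mirrored for both directions, (2) what does the ISAKMP
flow in the tcpdump excerpt say. Inputs are copied from the post; nothing
here touches the kernel SPD or the network."""
import re

# The six spdadd lines exactly as posted.
POSTED_SPD = """\
spdadd 10.22.200.0/24 10.20.0.0/16 any -P out ipsec esp/tunnel/66.90.146.202-65.118.63.252/require;
spdadd 10.22.200.0/24 10.21.0.0/16 any -P out ipsec esp/tunnel/66.90.146.202-65.118.63.252/require;
spdadd 10.22.200.0/24 10.23.0.0/16 any -P out ipsec esp/tunnel/66.90.146.202-65.118.63.252/require;
spdadd 10.20.0.0/16 10.22.200.0/24 any -P in ipsec esp/tunnel/65.118.63.252-66.90.146.202/require;
spdadd 10.21.0.0/16 10.22.200.0/24 any -P in ipsec esp/tunnel/65.118.63.252-66.90.146.202/require;
spdadd 10.23.0.0/16 10.22.200.0/24 any -P in ipsec esp/tunnel/65.118.63.252-66.90.146.202/require;
"""

# First packets of the posted tcpdump: aggressive-mode phase 1, then two
# Quick Mode attempts from the Check Point side answered by Informationals.
POSTED_TCPDUMP = """\
14:36:16.766265 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 1 I agg: [|sa] (DF)
14:36:17.266091 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 1 R agg: [|sa]
14:36:17.284486 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 1 I agg: (hash: len=16) (DF)
14:36:17.816164 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:18.387787 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
14:36:19.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:19.989945 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp: phase 2/others R inf[E]: [|hash]
"""

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/tunnel/([\d.]+)-([\d.]+)/(\w+);")
ISAKMP_RE = re.compile(
    r"^\S+\s+([\d.]+)\.isakmp\s+>\s+([\d.]+)\.isakmp:\s+isakmp:\s+"
    r"phase (1|2)(?:/others)?\s+([IR])\s+([^:\s]+):")


def parse_spd(text):
    """One tuple per spdadd line: (dir, src, dst, upper, proto, tun_src, tun_dst, level)."""
    policies = []
    for line in text.splitlines():
        m = SPD_RE.match(line.strip())
        if m:
            src, dst, upper, direction, proto, tsrc, tdst, level = m.groups()
            policies.append((direction, src, dst, upper, proto, tsrc, tdst, level))
    return policies


def unmirrored(policies):
    """Policies with no counterpart in the opposite direction (selectors and
    tunnel endpoints swapped). Returning packets then match no inbound policy
    and are dropped, while the outbound direction keeps working."""
    have = set(policies)
    missing = []
    for d, src, dst, upper, proto, tsrc, tdst, level in policies:
        mirror = ("in" if d == "out" else "out", dst, src, upper, proto, tdst, tsrc, level)
        if mirror not in have:
            missing.append((d, src, dst, upper, proto, tsrc, tdst, level))
    return missing


def parse_isakmp(text):
    """(src, dst, phase, role, exchange, encrypted) for each tcpdump isakmp line."""
    pkts = []
    for line in text.splitlines():
        m = ISAKMP_RE.match(line.strip())
        if m:
            src, dst, phase, role, exch = m.groups()
            pkts.append((src, dst, int(phase), role, exch.replace("[E]", ""), exch.endswith("[E]")))
    return pkts


def diagnose(pkts):
    """Classify the phase 2 outcome. Quick Mode message 1 answered only by an
    encrypted Informational (never by a Quick Mode response) means the responder
    is sending a Notify rather than agreeing an IPsec SA; the notify type is
    encrypted, so read it from the responder's racoon log, not from tcpdump."""
    qm_init = [p for p in pkts if p[2] == 2 and p[4] == "oakley-quick" and p[3] == "I"]
    qm_resp = [p for p in pkts if p[2] == 2 and p[4] == "oakley-quick" and p[3] == "R"]
    inf = [p for p in pkts if p[2] == 2 and p[4] == "inf"]
    phase1 = [p for p in pkts if p[2] == 1]
    if not pkts:
        verdict = "no-isakmp"
    elif not qm_init:
        verdict = "phase1-only"
    elif qm_resp:
        verdict = "phase2-ok"
    elif inf:
        verdict = "phase2-rejected"
    else:
        verdict = "phase2-unanswered"
    return {
        "verdict": verdict,
        "initiator": phase1[0][0] if phase1 else None,
        "responder": phase1[0][1] if phase1 else None,
        "quick_initiations": len(qm_init),
        "informational_replies": len(inf),
    }


if __name__ == "__main__":
    # The posted SPD is mirrored; drop the last 'in' line (constructed) to show the check firing.
    print("posted SPD, unmirrored:", unmirrored(parse_spd(POSTED_SPD)))
    one_sided = "\n".join(POSTED_SPD.splitlines()[:-1])
    print("one-sided SPD, unmirrored:", unmirrored(parse_spd(one_sided)))
    print("ISAKMP diagnosis:", diagnose(parse_isakmp(POSTED_TCPDUMP)))
```

Run against the posted data the SPD check comes back clean (the six policies are properly mirrored), while the ISAKMP check returns `phase2-rejected` with 65.118.63.252 as initiator and 66.90.146.202 as responder; the three retransmissions of the third aggressive-mode message are also visible in the full excerpt above. A Check Point log entry of "no response from peer" is consistent with that picture, since a Notify is not the Quick Mode reply it is waiting for.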