From: Baldur Gislason <baldur@foo.is>
To: freebsd-net@freebsd.org
Date: Tue, 22 Nov 2005 21:52:53 +0000
Message-ID: <20051122215253.GM97528@gremlin.foo.is>
Subject: Strange problem with IPSEC, not entirely transparent.

I recently set up IPSEC communications between two hosts I have in different places. One is FreeBSD 5.4-STABLE, August 22, 2005. The other is 4.11-STABLE, April 18th, 2005. I run a gif tunnel between them, and routes for networks found on both sides are negotiated by quagga using OSPF. The Internet IPs of the hosts are not listed as networks in ospfd.conf because that would break the tunnel. Now, here's the problem.
When I have spmd and iked running on both ends, and everything between the hosts goes by IPSEC, comms over the tunnel work fine, but I cannot connect to any TCP ports on the 5.4 machine from the 4.10 machine. I can connect from the 5.4 machine to the 4.10 machine, though. Both machines can ping each other, no problems there. And all comms that go through the gif0 tunnel work. I tried flushing ipfw on both ends, no luck. Any ideas?

Baldur