Date: Thu, 24 May 2001 13:15:59 -0700 (PDT)
From: Matt Dillon
Message-Id: <200105242015.f4OKFxH30464@earth.backplane.com>
To: "Brandt Everett"
Subject: Re: FreeBSD and IPSEC
References: <004501c0e487$b8a14af0$632807d8@prosser.bentonrea.org>
Sender: owner-freebsd-stable@FreeBSD.ORG

:I have two remote offices. I am running FreeBSD ver 4.0R on all three
:firewalls. I would like to create two VPNs between the remote offices and
:our HQ here. I can create a VPN connection using the gif and
:esp/tunnel//require, without the racoon, but from time to time the remote
:offices lose communication with the HQ. If I allow routing between the
:remote sites, without the VPN or encryption they work just fine. There are
:some ipfw rules in place, but this happens even if I open the firewall up
:all the way.
:
:Does anyone have any suggestions for troubleshooting this? Any ideas on
:where to continue looking for problems? I'm not looking for answers (unless
:you got them) I'm looking for the next place to look.
:
:Brandt Everett

I did an IPSEC tunnel once with the same problem. It turned out that
cyclic sequence numbers were not being allowed (I guess for security
reasons). Any sort of packet loss caused the VPN to stop working.
Allowing cyclic sequence numbers fixed the problem. Unfortunately, this
was a year ago so I don't have the config file to show you.
I'm not sure where you specify it in the config.

-Matt