Date: Tue, 22 Aug 2000 08:46:12 -0500
From: "Ray Seals" <rseals@vdsi.net>
To: "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
Subject: Pipsecd conflict with other VPN clients
Message-ID: <001c01c00c3f$56711b60$fb01000a@magellanhealth.com>
I'm using 2 FreeBSD machines to run both firewall and VPN (pipsecd) from my office to my home. Recently I set up a Cisco VPN solution for a client using a PIX firewall and the Cisco Secure VPN client. When I fire up the client from behind my firewall I see in the Cisco client where the client communicates with the PIX, but when it tries to start an encrypted session it fails; it actually times out. Here is a copy of the log file from the client:

08:28:21.660
08:28:21.770 San Ant - Initiating IKE Phase 1 (IP ADDR=xxx.xxx.xxx.xxx)
08:28:21.990 San Ant - SENDING>>>> ISAKMP OAK MM (SA)
08:28:22.210 San Ant - RECEIVED<<< ISAKMP OAK MM (SA)
08:28:22.320 San Ant - SENDING>>>> ISAKMP OAK MM (KE, NON, VID, VID)
08:28:22.590 San Ant - RECEIVED<<< ISAKMP OAK MM (KE, NON, VID)
08:28:22.700 San Ant - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
08:28:22.920 San Ant - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
08:28:23.030 San Ant - Established IKE SA
08:28:23.090 San Ant - Initiating IKE Phase 2 with Client IDs (message id: DEAC2906)
08:28:23.200 Initiator = IP ADDR=10.0.1.251, prot = 0 port = 0
08:28:23.310 Responder = IP SUBNET/MASK=192.168.1.0/255.255.255.0, prot = 0 port = 0
08:28:23.420 San Ant - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
08:28:23.640 San Ant - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME)
08:28:23.690 San Ant - SENDING>>>> ISAKMP OAK QM *(HASH)
08:28:23.800 San Ant - Loading IPSec SA (Message ID = DEAC2906 OUTBOUND SPI = 7B54D662 INBOUND SPI = 7936F764)
08:28:23.910

After moving my machine to the outside of my FreeBSD firewall and having it work fine, I started digging into my FreeBSD logs and found a series of entries:

Aug 22 10:14:28 bsdfirewall1 pipsecd[203]: unknown spi 2033645412
Aug 22 10:14:28 bsdfirewall1 pipsecd[203]: unknown spi from xxx.xxx.xxx.xxx

I have confirmed that these errors occur while the Cisco client is trying to communicate with the PIX by doing a tail -f /var/log/messages and watching as they try to communicate. Is there a way to work around this?

Ray
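As an added example (not part of Ray's post, and not pipsecd or Cisco code), the script below correlates the two logs quoted above. The Cisco client prints SPIs in hex and pipsecd prints them in decimal; 2033645412 is 0x7936F764, which is exactly the INBOUND SPI the client loaded for message id DEAC2906, i.e. the SPI carried on ESP traffic the PIX sends back toward the client. The script parses the quoted log lines (copied verbatim, the redacted xxx.xxx.xxx.xxx address left as is), maps the rejected SPI to the client SA it belongs to, and shows where that value sits in a packet: the first four bytes of the ESP header (RFC 2406: SPI, then sequence number). The ESP packet it builds is constructed for the demo and is not a capture from the post.

```python
import re
import struct

# Constructed excerpts of the two logs quoted in the post (only the lines needed here).
CLIENT_LOG = """\
08:28:23.090 San Ant - Initiating IKE Phase 2 with Client IDs (message id: DEAC2906)
08:28:23.800 San Ant - Loading IPSec SA (Message ID = DEAC2906 OUTBOUND SPI = 7B54D662 INBOUND SPI = 7936F764)
"""

SYSLOG = """\
Aug 22 10:14:28 bsdfirewall1 pipsecd[203]: unknown spi 2033645412
Aug 22 10:14:28 bsdfirewall1 pipsecd[203]: unknown spi from xxx.xxx.xxx.xxx
"""

# Cisco client: SPIs in hex.  pipsecd: SPI in decimal; its "unknown spi from <addr>"
# companion line carries the peer address but no SPI, so the second regex skips it.
SA_LINE = re.compile(
    r"Loading IPSec SA \(Message ID = (?P<msgid>[0-9A-Fa-f]+) "
    r"OUTBOUND SPI = (?P<out>[0-9A-Fa-f]{1,8}) INBOUND SPI = (?P<inb>[0-9A-Fa-f]{1,8})\)"
)
UNKNOWN_SPI_LINE = re.compile(r"pipsecd\[\d+\]: unknown spi (?P<spi>\d+)\s*$")


def client_sas(log_text):
    """Parse every 'Loading IPSec SA' line into {'msgid', 'outbound', 'inbound'} with int SPIs."""
    sas = []
    for m in SA_LINE.finditer(log_text):
        sas.append({
            "msgid": m.group("msgid"),
            "outbound": int(m.group("out"), 16),
            "inbound": int(m.group("inb"), 16),
        })
    return sas


def pipsecd_unknown_spis(syslog_text):
    """Collect the decimal SPIs from pipsecd 'unknown spi N' lines."""
    spis = []
    for line in syslog_text.splitlines():
        m = UNKNOWN_SPI_LINE.search(line)
        if m:
            spis.append(int(m.group("spi")))
    return spis


def correlate(sas, unknown_spis):
    """Map each SPI pipsecd rejected to (msgid, direction) of the client SA that owns it.

    An SPI matching no client SA is left out of the result; that would mean the
    rejected ESP traffic was not this client's tunnel at all.
    """
    hits = {}
    for spi in unknown_spis:
        for sa in sas:
            for direction in ("outbound", "inbound"):
                if sa[direction] == spi:
                    hits[spi] = (sa["msgid"], direction)
    return hits


def esp_header(packet):
    """Return (spi, sequence) from an ESP payload: 4-byte SPI then 4-byte sequence number."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", packet[:8])


def build_esp(spi, seq, body):
    """Constructed ESP-shaped packet for the demo: header followed by an opaque body."""
    return struct.pack("!II", spi, seq) + body


if __name__ == "__main__":
    sas = client_sas(CLIENT_LOG)
    rejected = pipsecd_unknown_spis(SYSLOG)
    for spi, (msgid, direction) in correlate(sas, rejected).items():
        print(f"pipsecd rejected SPI {spi} (0x{spi:08X}): client {direction} SA, IKE message id {msgid}")
    # A constructed packet carrying the PIX->client SPI, as the firewall would see it on the wire.
    pkt = build_esp(0x7936F764, 1, b"\x00" * 16)
    print("ESP header on constructed packet:", esp_header(pkt))
```

What the script establishes is only that the SPI pipsecd complains about is the client's inbound SA, so the packets being rejected are the PIX's replies to the client; whether pipsecd or something else on bsdfirewall1 is the process intercepting ESP for the whole host is not something the post shows.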