From owner-freebsd-net@FreeBSD.ORG Tue Apr 15 22:51:44 2003
From: "Barry Irwin"
To: "Damian Gerow"
Cc: net@freebsd.org
Date: Wed, 16 Apr 2003 07:50:32 +0200
Organization: iTouch Labs
Subject: Re: IPSec tunnel setup problems
Message-ID: <00d001c303dc$191c2830$0b01a8c0@Beastie>
References: <20030415215844.GY648@sentex.net> <20030415220310.GB57610@sunbay.com> <20030415223713.GB648@sentex.net>
List-Id: Networking and TCP/IP with FreeBSD

Hi

Can I suggest you try using tcpdump to see what's going on as well.
Other things to check:

- Phase 1 settings are the same - dh_group etc.
- Phase 2 settings are the same (sainfo stuff) - pfs, times etc.
- The psk files are chmod 600 (been caught by this one before)
- The psk files contain either both hosts with the appropriate key, or just the remote host
- Try upping the debug level on racoon and see if it moans.

In my experience, I have almost no trouble getting bsd-bsd IPSEC links talking; the biggest pain has been to checkpoint boxes.

--
Barry Irwin                          bvi@itouchlabs.com
Tel: +27214875178                    Mobile: +27824457210
Systems Administrator: Networks And Security
iTouch Technology / iTouch TAS       http://www.itouchlabs.com

----- Original Message -----
From: "Damian Gerow"
To: "Ruslan Ermilov"
Cc:
Sent: Wednesday, April 16, 2003 12:37 AM
Subject: Re: IPSec tunnel setup problems

> Thus spake Ruslan Ermilov (ru@freebsd.org) [15/04/03 18:04]:
> > > The two psk.txt's are exactly the same, the two /etc/ipsec.conf's are
> > > exact mirrors, and the two racoon.conf's are mirrors (with configuration
> > > names changed to match directions). It /feels/ like the remote (10.0.2.1)
> > > isn't finding the 'remote 10.0.1.1' configuration section that exists in
> > > there. I yanked the 'remote anonymous' and 'sainfo anonymous'
> > > configurations to help narrow this down.
> > >
> > > Does anyone have any pointers? Please reply personally, as I'm not
> > > subscribed.
> > >
> > Hmm, on my machines with IPSec tunnels the /etc/ipsec.conf's are
> > NOT the exact mirrors; they are mirrors except for the in/out
> > keywords.
>
> Yes, sorry, mine are the same way. Two tunnels, two subnets. Each has the
> appropriate 'out' rule and the appropriate 'in' rule.
>
> - Damian
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
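Two of the checklist items above (the psk file must be mode 600, and it must carry a key line for the peer) as a small shell script. This is an added example, not code from the thread or from racoon itself; the file path, peer addresses and key strings in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): check racoon's pre-shared key file for
# two of the problems listed above: wrong permissions, and a missing peer entry.
# Paths, peer addresses and keys below are constructed for the demo.

# psk_mode_ok FILE: succeed only if the permission string is exactly -rw-------
# (parses ls rather than stat, whose flags differ between BSD and Linux)
psk_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# psk_has_peer FILE PEER: succeed if a non-comment line names PEER and has a key
psk_has_peer() {
    awk -v peer="$2" '
        /^[ \t]*#/ || NF < 2 { next }   # skip comments and lines without a key
        $1 == peer            { found = 1 }
        END                   { exit found ? 0 : 1 }
    ' "$1"
}

# check_psk FILE PEER: report both checks; exit status is the number of failures
check_psk() {
    fails=0
    if psk_mode_ok "$1"; then
        echo "ok:   $1 is mode 600"
    else
        echo "FAIL: $1 is not mode 600; run: chmod 600 $1"
        fails=$((fails + 1))
    fi
    if psk_has_peer "$1" "$2"; then
        echo "ok:   $1 has a key for $2"
    else
        echo "FAIL: $1 has no key line for $2 (identifier must match the peer)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Demo on a constructed key file mirroring the 10.0.1.1 <-> 10.0.2.1 setup above
demo_dir=$(mktemp -d)
printf '# constructed sample\n10.0.1.1 constructed-key-a\n10.0.2.1 constructed-key-b\n' \
    > "$demo_dir/psk.txt"
chmod 600 "$demo_dir/psk.txt"
check_psk "$demo_dir/psk.txt" 10.0.2.1                                # both pass
chmod 644 "$demo_dir/psk.txt"
check_psk "$demo_dir/psk.txt" 10.0.3.1 || echo "found $? problem(s)"  # both fail
rm -rf "$demo_dir"
```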