From: "Shawn Barnhart"
To: freebsd-net@freebsd.org
Subject: IPSec problem, racoon can't transmit?
Date: Sun, 23 Sep 2001 17:51:33 -0500

I'm trying to set up an IPSec connection between two machines, A (10.10.10.1) and B (192.168.1.1) (real IPs are being used; these are just examples). I used the following commands:

On Machine A (10.10.10.1):

    setkey -c
    spdadd 10.10.10.1/32 192.168.1.1/32 any -P out ipsec esp/transport/10.10.10.1-192.168.1.1/require;
    spdadd 192.168.1.1/32 10.10.10.1/32 any -P in ipsec esp/transport/192.168.1.1-10.10.10.1/require;
    ^D

On Machine B (192.168.1.1):

    setkey -c
    spdadd 192.168.1.1/32 10.10.10.1/32 any -P out ipsec esp/transport/192.168.1.1-10.10.10.1/require;
    spdadd 10.10.10.1/32 192.168.1.1/32 any -P in ipsec esp/transport/10.10.10.1-192.168.1.1/require;
    ^D

I have a vanilla racoon.conf and psk.txt (mode 600) on both machines. When I start racoon on both machines, all appears fine.

To make a long story short, Machine A never seems to generate ANY isakmp packets. Machine B's racoon run-time info never indicates it's gotten a phase I initiation from A if the session was originated from A.

I've run tcpdump on both machines, and A never sends any isakmp packets, although it does get them from B if B originates traffic first, and appears to generate a response according to racoon debug info, but B never gets the responses (and if tcpdump is to be believed, A never sends them).

Both machines are running racoon-20010831a and 4.4-STABLE built yesterday.

What would cause this? I have good communication with these hosts without IPSec; I can originate ssh sessions and other traffic without problems.

Can I use racoon with a security policy that requires encrypted traffic between these hosts? It almost seems like a catch-22: can't do key exchange traffic without encryption, and can't get encryption without key exchange, and ...

What am I missing?
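The catch-22 described in the post only bites if the ISAKMP exchange itself is caught by the `require` policy. The SPD below is an added example, not the configuration from the post: it keeps the post's two `require` entries for Machine A and adds explicit `none` (bypass) entries for IKE on UDP/500 ahead of them. The addresses are the post's example addresses; the assumption is that the kernel matches SPD entries in the order they were loaded, so the more specific UDP/500 entries must come before the catch-all `any` entries. racoon normally marks its own ISAKMP socket as bypassing the SPD, so on a working setup these two bypass entries are redundant; their value here is diagnostic: if A still sends nothing on UDP/500 with them loaded, the policy is not what is blocking it.

```conf
# Machine A (10.10.10.1): added example, not the poster's configuration.
# Load with: setkey -f /etc/ipsec.conf
# (or paste interactively into setkey -c and finish with ^D).
flush;
spdflush;

# Let IKE (ISAKMP, UDP/500) pass in the clear so racoon can negotiate the SAs.
# Assumption: these are matched before the catch-all entries below.
spdadd 10.10.10.1/32[500] 192.168.1.1/32[500] udp -P out none;
spdadd 192.168.1.1/32[500] 10.10.10.1/32[500] udp -P in none;

# Everything else between the two hosts must be ESP in transport mode
# (the same two entries the post loads on Machine A).
spdadd 10.10.10.1/32 192.168.1.1/32 any -P out ipsec esp/transport/10.10.10.1-192.168.1.1/require;
spdadd 192.168.1.1/32 10.10.10.1/32 any -P in ipsec esp/transport/192.168.1.1-10.10.10.1/require;
```

Machine B gets the mirror image with the addresses and the `in`/`out` directions swapped. `flush;` and `spdflush;` discard any existing SAs and policies first, so stale state from earlier experiments cannot confuse the test. After loading, `setkey -DP` shows the policies as the kernel holds them (and in which order), `setkey -D` shows the SAs racoon has negotiated (empty until phase 2 completes), and `tcpdump -n udp port 500` on A while originating traffic to B should show the phase 1 packets leaving A; if it does not, the problem is with racoon's socket or listen address on A rather than with the policy.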