Date: Wed, 16 Apr 2003 07:50:32 +0200
From: "Barry Irwin" <bvi@itouchlabs.com>
To: "Damian Gerow" <damian@sentex.net>
Cc: net@freebsd.org
Subject: Re: IPSec tunnel setup problems
Message-ID: <00d001c303dc$191c2830$0b01a8c0@Beastie>
References: <20030415215844.GY648@sentex.net> <20030415220310.GB57610@sunbay.com> <20030415223713.GB648@sentex.net>
Hi

Can I suggest you try using tcpdump to see what's going on as well.

Other things to check:
- Phase 1 settings are the same - dh_group etc.
- Phase 2 settings are the same (sainfo stuff): pfs, times etc.
- The psk files are chmod 600 (been caught by this one before)
- The psk files contain either both hosts with the appropriate key, or just the remote host
- Try upping the debug level on racoon and see if it moans.

In my experience, I have almost no trouble getting BSD-BSD IPsec links talking; the biggest pain has been to Checkpoint boxes.

--
Barry Irwin                         bvi@itouchlabs.com
Systems Administrator: Networks And Security
iTouch Technology / iTouch TAS      http://www.itouchlabs.com
Tel: +27214875178                   Mobile: +27824457210

----- Original Message -----
From: "Damian Gerow" <damian@sentex.net>
To: "Ruslan Ermilov" <ru@freebsd.org>
Cc: <net@freebsd.org>
Sent: Wednesday, April 16, 2003 12:37 AM
Subject: Re: IPSec tunnel setup problems

> Thus spake Ruslan Ermilov (ru@freebsd.org) [15/04/03 18:04]:
> > > The two psk.txt's are exactly the same, the two /etc/ipsec.conf's are
> > > exact mirrors, and the two racoon.conf's are mirrors (with configuration
> > > names changed to match directions). It /feels/ like the remote (10.0.2.1)
> > > isn't finding the 'remote 10.0.1.1' configuration section that exists in
> > > there. I yanked the 'remote anonymous' and 'sainfo anonymous'
> > > configurations to help narrow this down.
> > >
> > > Does anyone have any pointers? Please reply personally, as I'm not
> > > subscribed.
> > >
> > Hmm, on my machines with IPSec tunnels the /etc/ipsec.conf's are
> > NOT the exact mirrors; they are mirrors except for the in/out
> > keywords.
>
> Yes, sorry, mine are the same way. Two tunnels, two subnets. Each has the
> appropriate 'out' rule and the appropriate 'in' rule.
>
> - Damian
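The checklist in Barry's reply (identical phase 1 and phase 2 settings on both ends, psk.txt mode 600, a key line for the peer, tcpdump and racoon debug when it still fails) can be turned into a script. The one below is an added example written for this page; it is not code from the thread, from FreeBSD or from racoon. It emits racoon.conf for both gateways from a single set of phase parameters, so the two sides cannot disagree on dh_group, pfs_group or lifetimes, and checks psk.txt the way racoon expects it. The gateway addresses 10.0.1.1 and 10.0.2.1 come from the thread; the /24 subnets, the psk path, the key material, the interface name fxp0 and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, FreeBSD or racoon).
# One set of phase 1 / phase 2 parameters feeds racoon.conf for BOTH
# gateways, and check_psk() verifies the two psk.txt points from the
# checklist. 10.0.1.1 / 10.0.2.1 are the thread's gateways; the subnets,
# psk path, key and interface name are assumed for this example.

# Phase 1 (ISAKMP SA) parameters, shared by both sides.
P1_ENC=3des
P1_HASH=sha1
P1_DH=2
# Phase 2 (IPsec SA / sainfo) parameters, shared by both sides.
P2_PFS=2
P2_LIFETIME="1 hour"
P2_ENC=3des
P2_AUTH=hmac_sha1

# gen_racoon_conf MY_ADDR PEER_ADDR MY_NET PEER_NET PSK_PATH
# Prints racoon.conf for one gateway. Call it once per side with the
# arguments swapped; the phase settings come out identical by construction.
gen_racoon_conf() {
    cat <<EOF
path pre_shared_key "$5";

remote $2 {
        exchange_mode main;
        my_identifier address $1;
        proposal {
                encryption_algorithm $P1_ENC;
                hash_algorithm $P1_HASH;
                authentication_method pre_shared_key;
                dh_group $P1_DH;
        }
}

sainfo address $3 any address $4 any {
        pfs_group $P2_PFS;
        lifetime time $P2_LIFETIME;
        encryption_algorithm $P2_ENC;
        authentication_algorithm $P2_AUTH;
        compression_algorithm deflate;
}
EOF
}

# phase_settings CONF_FILE: the lines that must be identical on both sides.
phase_settings() {
    grep -E 'exchange_mode|dh_group|pfs_group|lifetime|_algorithm' "$1"
}

# check_psk PSK_FILE PEER_ADDR
# Returns 0 if the file is mode 0600 and has a non-empty key for PEER_ADDR;
# otherwise prints the reason and returns 1 (missing), 2 (mode), 3 (no entry).
check_psk() {
    f=$1
    peer=$2
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] ||
        { echo "$f: mode is $mode, racoon wants -rw------- (chmod 600)"; return 2; }
    # psk.txt format: "<peer identifier> <key>" per line.
    key=$(awk -v p="$peer" '$1 == p { print $2; exit }' "$f")
    [ -n "$key" ] || { echo "$f: no key line for $peer"; return 3; }
    return 0
}

# demo: write both configs plus a deliberately mis-permissioned psk.txt into
# a scratch directory and run the checks.  Usage:  sh this.sh demo
demo() {
    d=$(mktemp -d)
    gen_racoon_conf 10.0.1.1 10.0.2.1 10.0.1.0/24 10.0.2.0/24 "$d/psk.txt" > "$d/racoon-a.conf"
    gen_racoon_conf 10.0.2.1 10.0.1.1 10.0.2.0/24 10.0.1.0/24 "$d/psk.txt" > "$d/racoon-b.conf"
    printf '10.0.2.1 example-preshared-key\n' > "$d/psk.txt"   # assumed key
    chmod 644 "$d/psk.txt"                    # the common mistake
    check_psk "$d/psk.txt" 10.0.2.1           # complains about the mode
    chmod 600 "$d/psk.txt"
    check_psk "$d/psk.txt" 10.0.2.1 && echo "$d/psk.txt: ok for 10.0.2.1"
    check_psk "$d/psk.txt" 10.0.1.1           # only the remote host is listed
    [ "$(phase_settings "$d/racoon-a.conf")" = "$(phase_settings "$d/racoon-b.conf")" ] &&
        echo "phase 1/2 settings match on both sides"
    echo "scratch files left in $d"
    # If it still fails, watch the negotiation and raise racoon's debug level
    # (fxp0 is an assumed interface; each -d adds one debug level, -F stays
    # in the foreground):
    #   tcpdump -ni fxp0 'udp port 500 or ip proto 50'
    #   racoon -F -d -d -f "$d/racoon-a.conf"
}

case "${1:-}" in demo) demo ;; esac
```

Running the two generated files through `phase_settings` and comparing the output is the quick way to rule out the first two checklist items; `check_psk` covers the psk.txt items and tells you which one bit you.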