From owner-freebsd-questions Tue Aug 22 07:05:44 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from vdsi.net (vdsi.net [206.67.5.34]) by hub.freebsd.org (Postfix) with ESMTP id 78AA537B424 for ; Tue, 22 Aug 2000 07:05:39 -0700 (PDT)
Received: from rseals (xpress19793.htc.net [208.165.197.93]) by vdsi.net (8.9.2/8.9.2) with SMTP id IAA05948 for ; Tue, 22 Aug 2000 08:45:45 -0500 (CDT) (envelope-from rseals@vdsi.net)
Message-ID: <001c01c00c3f$56711b60$fb01000a@magellanhealth.com>
From: "Ray Seals"
To: "FreeBSD Questions"
Subject: Pipsecd conflict with other VPN clients
Date: Tue, 22 Aug 2000 08:46:12 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'm using 2 FreeBSD machines to run both firewall and VPN (pipsecd) from my office to my home. Recently I set up a Cisco VPN solution for a client using a PIX firewall and the Cisco Secure VPN client. When I fire up the client from behind my firewall I see in the Cisco client where the client communicates with the PIX, but when it tries to start an encrypted session it fails; it actually times out.
Here is a copy of the log file from the client:

08:28:21.660
08:28:21.770 San Ant - Initiating IKE Phase 1 (IP ADDR=xxx.xxx.xxx.xxx)
08:28:21.990 San Ant - SENDING>>>> ISAKMP OAK MM (SA)
08:28:22.210 San Ant - RECEIVED<<< ISAKMP OAK MM (SA)
08:28:22.320 San Ant - SENDING>>>> ISAKMP OAK MM (KE, NON, VID, VID)
08:28:22.590 San Ant - RECEIVED<<< ISAKMP OAK MM (KE, NON, VID)
08:28:22.700 San Ant - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
08:28:22.920 San Ant - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
08:28:23.030 San Ant - Established IKE SA
08:28:23.090 San Ant - Initiating IKE Phase 2 with Client IDs (message id: DEAC2906)
08:28:23.200   Initiator = IP ADDR=10.0.1.251, prot = 0 port = 0
08:28:23.310   Responder = IP SUBNET/MASK=192.168.1.0/255.255.255.0, prot = 0 port = 0
08:28:23.420 San Ant - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
08:28:23.640 San Ant - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME)
08:28:23.690 San Ant - SENDING>>>> ISAKMP OAK QM *(HASH)
08:28:23.800 San Ant - Loading IPSec SA (Message ID = DEAC2906 OUTBOUND SPI = 7B54D662 INBOUND SPI = 7936F764)
08:28:23.910

After moving my machine to the outside of my FreeBSD firewall and having it work fine, I started digging into my FreeBSD logs and found a series of entries:

Aug 22 10:14:28 bsdfirewall1 pipsecd[203]: unknown spi 2033645412
Aug 22 10:14:28 bsdfirewall1 pipsecd[203]: unknown spi from xxx.xxx.xxx.xxx

I have confirmed that these errors occur while the Cisco client is trying to communicate with the PIX by doing a tail -f /var/log/messages and watching as they try to communicate.

Is there a way to work around this?

Ray

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
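The two logs above can be tied together with a small amount of arithmetic: the decimal SPI that pipsecd rejects, 2033645412, is 0x7936F764, which is exactly the INBOUND SPI the Cisco client loaded at 08:28:23.800. In other words, the ESP packets the PIX is sending back to the client (tagged with the client's inbound SPI) are reaching pipsecd on the FreeBSD firewall, which has no SA for that SPI and drops them. ESP carries no port numbers, so the SPI in the first four bytes of the ESP header is the only key a receiver has for demultiplexing; a daemon that takes all protocol-50 traffic to an address will see every tunnel's packets, not just its own. The script below is an added check, not part of Ray's post or of pipsecd: it parses the two log formats as posted, correlates the rejected SPI back to the client's SA, and shows the same lookup on a constructed ESP header. The sample log text, the packet bytes and the "own SPI" set are all constructed for the example.

```python
import re
import struct
from typing import Dict, List, Optional, Set

# Constructed samples: one line of the Cisco client log and the two pipsecd
# syslog lines, copied from the post above (addresses already masked there).
CLIENT_LOG = (
    "08:28:23.800 San Ant - Loading IPSec SA (Message ID = DEAC2906 "
    "OUTBOUND SPI = 7B54D662 INBOUND SPI = 7936F764)\n"
)
PIPSECD_LOG = (
    "Aug 22 10:14:28 bsdfirewall1 pipsecd[203]: unknown spi 2033645412\n"
    "Aug 22 10:14:28 bsdfirewall1 pipsecd[203]: unknown spi from xxx.xxx.xxx.xxx\n"
)

# The client prints SPIs as 8 hex digits; pipsecd prints the same value in decimal.
SA_RE = re.compile(r"OUTBOUND SPI = ([0-9A-Fa-f]{8}) INBOUND SPI = ([0-9A-Fa-f]{8})")
UNKNOWN_RE = re.compile(r"pipsecd\[\d+\]: unknown spi (\d+)")


def client_spis(log: str) -> Dict[str, int]:
    """Extract the client's negotiated SPIs from its 'Loading IPSec SA' line.

    'inbound' is the SPI the peer (the PIX) puts on packets it sends to the client;
    'outbound' is the SPI the client puts on packets it sends to the PIX.
    """
    m = SA_RE.search(log)
    if m is None:
        raise ValueError("no 'Loading IPSec SA' line found")
    return {"outbound": int(m.group(1), 16), "inbound": int(m.group(2), 16)}


def pipsecd_unknown_spis(log: str) -> List[int]:
    """Collect the decimal SPI values from pipsecd 'unknown spi N' lines.

    The 'unknown spi from <addr>' variant carries no number and is skipped.
    """
    return [int(m.group(1)) for line in log.splitlines()
            if (m := UNKNOWN_RE.search(line)) is not None]


def correlate(client: Dict[str, int], unknown: List[int]) -> Dict[int, Optional[str]]:
    """Map each SPI pipsecd rejected to the client SA direction it belongs to.

    A value of None means the rejected SPI is not one of the client's SAs at all.
    """
    by_spi = {spi: direction for direction, spi in client.items()}
    return {spi: by_spi.get(spi) for spi in unknown}


def esp_spi(packet: bytes) -> int:
    """Read the SPI from an ESP header (RFC 2406): bytes 0-3, network byte order.

    Bytes 4-7 are the sequence number; everything after is encrypted payload.
    """
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!I", packet[:4])[0]


def classify_esp(packet: bytes, own_spis: Set[int]) -> str:
    """Decide what a receiver that owns only `own_spis` would do with this packet.

    Mirrors the message text pipsecd logged: an SPI it never negotiated is 'unknown'.
    """
    spi = esp_spi(packet)
    return "own-sa" if spi in own_spis else f"unknown spi {spi}"


# Constructed ESP header: the client's inbound SPI, sequence number 1, and a few
# bytes standing in for ciphertext. This is what the PIX's reply packets look like
# on the wire before the firewall ever sees them.
SAMPLE_ESP = bytes.fromhex("7936F764") + struct.pack("!I", 1) + b"\x00" * 16

# Hypothetical SPI set belonging to the firewall's own pipsecd tunnel (assumed value).
OWN_SPIS = {0x00001000}

if __name__ == "__main__":
    spis = client_spis(CLIENT_LOG)
    print("client SAs:", {k: f"0x{v:08X}" for k, v in spis.items()})
    print("pipsecd rejected:", correlate(spis, pipsecd_unknown_spis(PIPSECD_LOG)))
    print("constructed packet:", classify_esp(SAMPLE_ESP, OWN_SPIS))
```

Run against the two logs as posted, the correlation reports that the only rejected SPI is the client's inbound SA, which is the evidence that the return-path ESP from the PIX is being consumed by pipsecd on the firewall rather than reaching the host behind it. Feeding the constructed packet to the classifier with a SPI set that does not contain 0x7936F764 reproduces the "unknown spi 2033645412" message.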