Date: Tue, 17 Jan 2006 09:45:02 +0000 From: Brian Candler <B.Candler@pobox.com> To: Przemys?aw Szczygielski <qus2@go2.pl> Cc: freebsd-net@freebsd.org Subject: Re: NAT over IPSECed WLAN Message-ID: <20060117094502.GA31333@uk.tiscali.com> In-Reply-To: <838981858.20060116205518@go2.pl> References: <20060116133008.B3F8D214092@rekin14.go2.pl> <20060116150432.GA28435@uk.tiscali.com> <838981858.20060116205518@go2.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Jan 16, 2006 at 08:55:18PM +0100, Przemys?aw Szczygielski wrote: > Well - both ways work. The one from the wizard and the one by > ipseccmd. The difference is i don't know how to deactivate ipseccmd > filters ;-) ipseccmd -u > From XP I pinged 10.2.0.1 with IPSEC on > > tcpdump -i ndis0 host 10.2.0.2 on 10.2.0.1 showed encrypted packets ESP packets with source 10.2.0.2 and destination 10.2.0.1? Is the SPI in your SAD? # echo "dump;" | setkey -c > tcpdump -i fxp0 host 10.2.0.2 on 10.2.0.1 showed nothing... Hmm. Then I would next try turning off ipfw completely, to see if you get outgoing non-NAT packets on fxp0 with a source of 10.2.0.2 and destination of x.x.x.x If so, you've narrowed it to an ipfw problem. If you're trying to do reverse-path checking or the like, that could be it. Turning on logging for all deny rules might help locate it. If you still think its an IPSEC problem, "options IPSEC_DEBUG" might also be useful. Regards, Brian.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060117094502.GA31333>