Date:      Tue, 13 Aug 2002 10:34:59 -0400 (EDT)
From:      Trish Lynch <trish@egobsd.org>
To:        Shoichi Sakane <sakane@kame.net>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: racoon and weirdness....
Message-ID:  <20020813103026.S637-100000@femme.sapphite.org>
In-Reply-To: <20020812141538H.sakane@kame.net>

On Mon, 12 Aug 2002, Shoichi Sakane wrote:

> > I'm working on setting up IPSEC tunnels between a
> > KAME/racoon/FreeBSD-STABLE box and a Ravlin unit at a client's
> >
> > What is happening with the one tunnel is this:
> >
> > after a couple days, it times out, and neither side can reestablish
> > traffic between, the log in /var/log/daemon for racoon tells me the tunnel
> > *is* established, but I can't ping through it. If I restart racoon, it all
> > starts working fine again.
>
> could you see the difference in netstat output when the problem happened?
> could you compare your *SAD* and the SPIs in the packets on the network?
> there might be a mismatch of SAD on both sides.
>

*nod* figured that out already.

> > The second issue is a second machine, with a cut/pasted config into
> > racoon.conf, with simply the endpoints changed, does not work at all.
> >
> > I can ping the external interface of the Ravlin, but it doesn't even
> > *begin* phase 1.
>
> because your spd entry is configured for only your public network.
> when the kernel sends a packet with the external address,
> the kernel decides not to use IPsec.
>

*nod* got that too, they've all worked pretty stably over the past couple
weeks. The big problem here is trying to troubleshoot something when you
have no clue what the other endpoint is doing :)

However I will document step by step KAME/racoon <-> Ravlin setup as soon
as I actually have time :)

If anyone has an extra couple hours one day they can lend me, let me know
:) :)

-Trish


--
Trish Lynch				            trish@egobsd.org
			Ecartis Core Team
Key fingerprint = B04E 67CA 3A12 9930 E91C  7730 4606 3618 B74A 2493
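The two checks Sakane suggests above (compare the SAD and SPIs on both ends; confirm that the packet you are testing with actually matches an SPD entry) can be automated. The following is an added example, not code from the thread, from KAME or from racoon: it parses `setkey -D` style SAD dumps from both gateways, reports SAs that exist on one side only (the usual symptom of a rekey that one peer missed, which leaves racoon believing the tunnel is up while traffic is silently dropped), and does a minimal SPD lookup to show why a ping sourced from the gateway's own external address never triggers phase 1 when the policy covers only the private networks. The addresses, SPIs and the SAD text are constructed sample data; the `setkey -D` layout is reproduced from memory and the dump format is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed `setkey -D` dumps (assumed format), NOT captured from the hosts in
# the thread. 192.0.2.1 plays the FreeBSD/racoon gateway, 198.51.100.1 the peer.
LOCAL_SAD = """\
192.0.2.1 198.51.100.1
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tE: 3des-cbc  00010203 04050607 08090a0b 0c0d0e0f 10111213 14151617
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
\tE: 3des-cbc  18191a1b 1c1d1e1f 20212223 24252627 28292a2b 2c2d2e2f
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# The peer rekeyed its outbound SA (new SPI 0x99999999) but our side still holds
# the old inbound SPI 0x87654321, so its ESP packets are dropped on arrival.
REMOTE_SAD = """\
192.0.2.1 198.51.100.1
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tE: 3des-cbc  00010203 04050607 08090a0b 0c0d0e0f 10111213 14151617
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
\tesp mode=tunnel spi=2576980377(0x99999999) reqid=0(0x00000000)
\tE: 3des-cbc  30313233 34353637 38393a3b 3c3d3e3f 40414243 44454647
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

SA_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")          # "src dst" at column 0
SA_LINE = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)\(0x[0-9a-f]+\)")
STATE = re.compile(r"state=(\w+)")


def parse_sad(text):
    """Map (src, dst, proto, spi) -> {'mode': ..., 'state': ...} from a setkey -D dump."""
    sas, src, dst, cur = {}, None, None, None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:                         # unindented line: new src/dst pair
            src, dst = m.groups()
            continue
        m = SA_LINE.match(line)
        if m:                         # protocol/mode/SPI line for that pair
            proto, mode, spi = m.groups()
            cur = (src, dst, proto, int(spi))
            sas[cur] = {"mode": mode, "state": None}
            continue
        m = STATE.search(line)
        if m and cur is not None:
            sas[cur]["state"] = m.group(1)
    return sas


def compare_sad(local, remote):
    """An SA between A and B must appear on both hosts with the same SPI.
    Anything present on one side only means the peers disagree about the
    tunnel, even if each side's IKE daemon still reports it as established."""
    return {
        "only_local": sorted(set(local) - set(remote)),
        "only_remote": sorted(set(remote) - set(local)),
    }


# Constructed SPD: the tunnel policy covers only the two private networks,
# which is the situation Sakane describes for the second machine.
SPD = [
    {"dir": "out", "src": ip_network("10.1.0.0/24"), "dst": ip_network("10.2.0.0/24"),
     "tunnel": ("192.0.2.1", "198.51.100.1")},
]


def spd_lookup(spd, src, dst, direction="out"):
    """First policy whose selectors match the packet, or None (packet goes in the clear).
    Racoon only starts phase 1 when the kernel raises an acquire for a matching policy."""
    s, d = ip_address(src), ip_address(dst)
    for policy in spd:
        if policy["dir"] == direction and s in policy["src"] and d in policy["dst"]:
            return policy
    return None


if __name__ == "__main__":
    diff = compare_sad(parse_sad(LOCAL_SAD), parse_sad(REMOTE_SAD))
    for side, sas in diff.items():
        for src, dst, proto, spi in sas:
            print(f"{side}: {src} -> {dst} {proto} spi=0x{spi:08x}")
    print("gateway-sourced ping matches SPD:",
          spd_lookup(SPD, "192.0.2.1", "198.51.100.1") is not None)
    print("inner-net ping matches SPD:",
          spd_lookup(SPD, "10.1.0.5", "10.2.0.7") is not None)
```

When the report lists an SPI on one side only, flushing that SA (or restarting racoon, as Trish did) forces a fresh negotiation; the same mismatch can be confirmed on the wire by comparing the SPI field of the ESP packets against each host's SAD. For the second problem, test from the gateway with a source address inside the protected network (`ping -S 10.1.0.1 10.2.0.7` on FreeBSD) or add an SPD entry for the gateway's own address, rather than pinging from the external interface.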

