Date: Tue, 13 Aug 2002 10:34:59 -0400 (EDT)
From: Trish Lynch
To: Shoichi Sakane
Subject: Re: racoon and weirdness....
In-Reply-To: <20020812141538H.sakane@kame.net>
Message-ID: <20020813103026.S637-100000@femme.sapphite.org>

On Mon, 12 Aug 2002, Shoichi Sakane wrote:

> > I'm working on setting up IPSEC tunnels between a
> > KAME/racoon/FreeBSD-STABLE box and a Ravlin unit at a client's
> >
> > What is happening with the one tunnel is this:
> >
> > after a couple days, it times out, and neither side can reestablish
> > traffic between, the log in /var/log/daemon for racoon tells me the tunnel
> > *is* established, but I can't ping through it. If I restart racoon, it all
> > starts working fine again.
>
> could you see any difference in netstat while the problem was happening?
> could you compare your *SAD* and the SPIs in the packets on the network?
> there might be a mismatch of SAD on both sides.
>

*nod* figured that out already.
> > The second issue is a second machine, with a cut/pasted config into
> > racoon.conf, with simply the endpoints changed, does not work at all.
> >
> > I can ping the external interface of the Ravlin, but it doesn't even
> > *begin* phase 1.
>
> because your spd entry is configured for only your public network.
> when the kernel sends a packet with the external address,
> the kernel decides not to use ipsec.
>

*nod* got that too, they've all worked pretty stably over the past couple
weeks. The big problem here is trying to troubleshoot something when you have
no clue what the other endpoint is doing :)

However, I will document step by step KAME/racoon <-> Ravlin setup as soon as
I actually have time :) If anyone has an extra couple hours one day they can
lend me, let me know :) :)

-Trish

-- 
Trish Lynch                                              trish@egobsd.org
Ecartis Core Team
Key fingerprint = B04E 67CA 3A12 9930 E91C 7730 4606 3618 B74A 2493
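As an added example, not code posted by anyone in this thread, the Python script below does from the KAME side the two checks Shoichi suggests: it parses a `setkey -D` SAD dump together with a tcpdump ESP capture and flags inbound SPIs for which the kernel holds no SA (the SAD mismatch that leaves racoon reporting "established" while every packet is dropped), and it parses a `setkey -DP` SPD dump to show which policy a given source/destination pair selects (a packet sourced from the gateway's own outer address selects no tunnel policy, so it leaves in the clear and phase 1 is never started). The dump text is constructed and only approximates KAME setkey and tcpdump output; the addresses, SPIs and networks are invented for illustration and are not the thread's hosts.

```python
"""Cross-check a KAME/racoon gateway's IPsec state against the wire.
Added example (not code from the thread). All dump text is constructed and
approximates `setkey -D`, `setkey -DP` and `tcpdump -n esp` output.
  1. SAD vs. captured ESP: inbound SPIs with no SA are the SAD mismatch.
  2. SPD lookup: no matching policy means cleartext, so no phase 1.
"""
import ipaddress
import re

# Constructed `setkey -D` output on the KAME gateway 192.168.1.1 (keys omitted).
SAD_DUMP = """\
192.168.2.1 192.168.1.1
    esp mode=tunnel spi=169552937(0x0a1b2c29) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.1.1 192.168.2.1
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""
# Constructed tcpdump lines from the outside interface: the peer still sends
# on 0x0a1b2c29 but also on 0x5e5e5e5e, an SA this kernel never installed.
TCPDUMP = """\
10:35:01.000001 IP 192.168.2.1 > 192.168.1.1: ESP(spi=0x0a1b2c29,seq=0x1a), length 116
10:35:01.500002 IP 192.168.2.1 > 192.168.1.1: ESP(spi=0x5e5e5e5e,seq=0x03), length 116
10:35:02.000003 IP 192.168.1.1 > 192.168.2.1: ESP(spi=0x12345678,seq=0x2b), length 116
"""
# Constructed `setkey -DP` output: tunnel policies cover the inner networks only.
SPD_DUMP = """\
10.0.0.0/24[any] 10.1.0.0/24[any] any
    out ipsec
    esp/tunnel/192.168.1.1-192.168.2.1/require
    spid=1 seq=1 pid=500
10.1.0.0/24[any] 10.0.0.0/24[any] any
    in ipsec
    esp/tunnel/192.168.2.1-192.168.1.1/require
    spid=2 seq=0 pid=500
"""

SA_HDR = re.compile(r"^(\S+)\s+(\S+)\s*$")               # "src dst" line
SA_SPI = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=\d+\(0x([0-9a-fA-F]+)\)")
ESP_PKT = re.compile(r"IP\s+(\S+) > (\S+): ESP\(spi=0x([0-9a-fA-F]+),")
SPD_HDR = re.compile(r"^(\S+?)\[\S+\]\s+(\S+?)\[\S+\]\s+\S+\s*$")  # "src[port] dst[port] proto"
SPD_POL = re.compile(r"^\s+(in|out|fwd)\s+(\S+)")

def parse_sad(text):
    """Map (src, dst, spi) -> {'proto', 'mode', 'state'} from `setkey -D`."""
    sad, cur, key = {}, None, None
    for line in text.splitlines():
        m = SA_HDR.match(line)
        if m:                                   # new SA: endpoint pair
            cur, key = (m.group(1), m.group(2)), None
            continue
        m = SA_SPI.match(line)
        if m and cur:                           # protocol, mode and SPI
            key = (cur[0], cur[1], int(m.group(3), 16))
            sad[key] = {"proto": m.group(1), "mode": m.group(2), "state": None}
            continue
        m = re.search(r"\bstate=(\w+)", line)
        if m and key:                           # larval/mature/dying/dead
            sad[key]["state"] = m.group(1)
    return sad

def parse_packets(text):
    """List (src, dst, spi) for every ESP packet in tcpdump output."""
    hits = (ESP_PKT.search(line) for line in text.splitlines())
    return [(m.group(1), m.group(2), int(m.group(3), 16)) for m in hits if m]

def unknown_inbound_spis(sad, packets, local):
    """Inbound ESP with no matching SA: the peer encrypts under an SA we do
    not hold (rekeyed, expired or never negotiated) and the kernel drops it."""
    return sorted({p for p in packets if p[1] == local and p not in sad})

def parse_spd(text):
    """List (src_net, dst_net, direction, policy) from `setkey -DP`."""
    spd, nets = [], None
    for line in text.splitlines():
        m = SPD_HDR.match(line)
        if m:                                   # selector line
            nets = (ipaddress.ip_network(m.group(1), strict=False),
                    ipaddress.ip_network(m.group(2), strict=False))
            continue
        m = SPD_POL.match(line)
        if m and nets:                          # "out ipsec", "in discard", ...
            spd.append(nets + (m.group(1), m.group(2)))
            nets = None
    return spd

def policy_for(spd, src, dst, direction="out"):
    """Policy the kernel applies to src->dst, or None: with None the packet
    leaves in cleartext and racoon is never asked to start phase 1."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for snet, dnet, dirn, pol in spd:
        if dirn == direction and s in snet and d in dnet:
            return pol
    return None

if __name__ == "__main__":
    for src, dst, spi in unknown_inbound_spis(parse_sad(SAD_DUMP),
                                              parse_packets(TCPDUMP), "192.168.1.1"):
        print(f"inbound ESP {src} -> {dst} spi=0x{spi:08x}: no SA in SAD (mismatch)")
    spd = parse_spd(SPD_DUMP)
    for src, dst in (("10.0.0.5", "10.1.0.7"), ("192.168.1.1", "192.168.2.1")):
        print(f"{src} -> {dst}: policy {policy_for(spd, src, dst)}")
```

To use this on a real gateway, replace the constructed strings with the output of `setkey -D`, `setkey -DP` and `tcpdump -ni <outside-interface> esp` taken while the tunnel is in its stuck state. The wire comparison needs nothing from the far end, which matters when the peer is a closed appliance whose SAD you cannot inspect: an inbound SPI with no local SA is visible proof that the two SADs have drifted apart, and the SPD lookup shows in advance whether a test ping sourced from the gateway itself can ever trigger negotiation.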