Date:      Mon, 12 Aug 2002 14:15:38 +0900
From:      Shoichi Sakane <sakane@kame.net>
To:        trish@egobsd.org
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: racoon and weirdness....
Message-ID:  <20020812141538H.sakane@kame.net>
In-Reply-To: Your message of "Mon, 29 Jul 2002 10:46:30 -0400 (EDT)" <20020729103029.R484-100000@trish.dyn.magenet.com>
References:  <20020729103029.R484-100000@trish.dyn.magenet.com>

> I'm working on setting up IPSEC tunnels between a
> KAME/racoon/FreeBSD-STABLE box and a Ravlin unit at a client's
> 
> What is happening with the one tunnel is this:
> 
> after a couple of days, it times out, and neither side can reestablish
> traffic between them; the log in /var/log/daemon for racoon tells me the tunnel
> *is* established, but I can't ping through it. If I restart racoon, it all
> starts working fine again.

Could you see the difference in netstat output while the problem was happening?
Could you compare your *SAD* and the SPIs in the packets on the network?
There might be a mismatch of SAD on both sides.

> The second issue is a second machine, with a cut/pasted config into
> racoon.conf, with simply the endpoints changed, does not work at all.
> 
> I can ping the external interface of the Ravlin, but it doesn't even
> *begin* phase 1.

Because your SPD entry is configured for only your public network.
When the kernel sends a packet with the external address,
the kernel decides not to use IPsec.

> the gif interface is set up as such:
> 
> BSD2 == my machine BSD5 == Ravlin
> 
>             $IFCONFIG $GIF3 plumb
>             $IFCONFIG $GIF3 mtu 1500
>             $IFCONFIG $GIF3 inet $BSD2_IP $BSD5_IP netmask $NETMASK
>             /usr/sbin/setkey -FP
>             /usr/sbin/setkey -F
>             /usr/sbin/setkey -c << EOF
>             spdadd $BSD2_PUB_NET $BSD5_PUB_NET any -P out ipsec
>             esp/tunnel/${BSD2_PUB_IP}-${BSD5_PUB_IP}/require;
>             spdadd $BSD5_PUB_NET $BSD2_PUB_NET any -P in ipsec
>             esp/tunnel/${BSD5_PUB_IP}-${BSD2_PUB_IP}/require;
> EOF
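The selector mismatch explained in the reply above, as an added example that is not part of the original thread: a small matcher that parses spdadd lines of the form quoted and reports which packets the kernel would hand to IPsec. The networks and tunnel endpoints are constructed stand-ins for the $BSD2_PUB_NET, $BSD5_PUB_NET and $*_PUB_IP variables, and only the "any" protocol selector used in the quoted config is handled.

```python
import ipaddress
import re

# Constructed values standing in for the script's variables (not from the thread):
# inner networks behind each gateway and the gateways' public tunnel endpoints.
SPD = """
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec
esp/tunnel/192.0.2.10-198.51.100.20/require;
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in ipsec
esp/tunnel/198.51.100.20-192.0.2.10/require;
"""

SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([0-9.]+)-([0-9.]+)/(require|use|default)\s*;"
)

def parse_spd(text):
    """Parse setkey spdadd entries into selector/policy records."""
    entries = []
    for m in SPDADD_RE.finditer(text):
        src, dst, proto, direction, tsrc, tdst, level = m.groups()
        entries.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "proto": proto, "dir": direction,
            "tunnel": (tsrc, tdst), "level": level,
        })
    return entries

def lookup(entries, src_ip, dst_ip, direction, proto="any"):
    """Return the first policy whose selector matches, or None (packet goes in the clear)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e["dir"] != direction or e["proto"] not in ("any", proto):
            continue
        if s in e["src"] and d in e["dst"]:
            return e
    return None

def demo():
    """(inner-to-inner matches?, gateway-to-gateway ping matches?)"""
    entries = parse_spd(SPD)
    inner = lookup(entries, "10.1.0.5", "10.2.0.7", "out")
    # The ping from the gateway's own public address to the peer's external
    # interface matches no selector, so no SA is required and phase 1 never starts.
    public = lookup(entries, "192.0.2.10", "198.51.100.20", "out")
    return inner is not None, public is not None
```

Running demo() returns (True, False): only traffic between the inner networks triggers the policy, which is why pinging the peer's external interface from the gateway does not start phase 1.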
