Date:      Tue, 30 Jul 2002 00:48:13 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Matthew Grooms <mgrooms@seton.org>
Cc:        dlavigne6@cogeco.ca, freebsd-questions@FreeBSD.ORG
Subject:   Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...
Message-ID:  <20020730074813.GF89241@blossom.cjclark.org>
In-Reply-To: <sd455602.090@aus-gwia.aus.dcnhs.org>
References:  <sd455602.090@aus-gwia.aus.dcnhs.org>

[Please, -questions or -security, but not both.]

On Mon, Jul 29, 2002 at 02:49:22PM -0500, Matthew Grooms wrote:
> Ok, I'm a moron. I was trying to use the gif driver when I shouldn't
> have.

I've never figured out why people use gif(4) interfaces when ESP does
the tunneling for you.

[snip]

> When the connection is initiated from the bsd side, traffic passes
> through the vpn1 box, unencrypted and routed to the remote host without
> a problem. Unfortunately, the response from the remote host gets caught
> up on the return trip. I am guessing this is because the bsd and vpn1
> box agree on an outbound ( from the bsd box's perspective ) proposal but
> cannot agree on an inbound proposal. The checkpoint error logs say
> 'encryption failure : no response from peer'. However, here is some
> tcpdump output that shows bi-directional communications. I'm not sure how
> to interpret this. Any ideas anyone?
> 
> tcpdump: listening on eth0

The output from running racoon(8) with the '-d' option would be much
more useful.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
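As an added illustration of the point about ESP tunnel mode making a gif(4) interface unnecessary, and of the inbound/outbound policy pairing the thread is troubleshooting, here is a setkey(8) security-policy fragment plus the racoon(8) debug invocation. This is example configuration written for this archive page, not something posted by either correspondent. All addresses are constructed placeholders (203.0.113.1 for the BSD gateway, 198.51.100.1 for the vpn1 peer, 192.168.1.0/24 and 10.0.0.0/24 for the two protected networks) and the racoon.conf path is assumed; substitute your own.

```shell
#!/bin/sh
# Tunnel-mode IPsec policy without a gif(4) interface: ESP itself carries the
# inner packet between the two gateways, so no separate tunnel device is needed.
# Addresses below are constructed placeholders, not values from the thread.
BSD_GW=203.0.113.1        # assumed: outer address of the FreeBSD gateway
PEER_GW=198.51.100.1      # assumed: outer address of the vpn1/fw1 peer
LOCAL_NET=192.168.1.0/24  # assumed: network behind the FreeBSD box
REMOTE_NET=10.0.0.0/24    # assumed: network behind the peer

# Emit the SPD entries. Both directions must be present and must mirror each
# other; a missing or mismatched "in" policy produces exactly the one-way
# symptom described above (outbound works, replies never get decrypted).
spd_config() {
  cat <<EOF
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$BSD_GW-$PEER_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$PEER_GW-$BSD_GW/require;
EOF
}

# Load the policy only when setkey is actually available (so this script is
# safe to run on a host without kernel IPsec, e.g. to review the text first).
load_policy() {
  if command -v setkey >/dev/null 2>&1; then
    spd_config | setkey -c
  else
    echo "setkey not found; policy text follows:" >&2
    spd_config >&2
  fi
}

# racoon(8) in the foreground (-F) with debugging (-d) shows each proposal
# offered and accepted per direction, which is what identifies a mismatch.
# The racoon.conf path is an assumption for this example.
racoon_debug_cmd() {
  echo "racoon -F -d -f /usr/local/etc/racoon/racoon.conf"
}

load_policy
```

The inbound `spdadd` line is the outbound one with source/destination and the tunnel endpoints swapped; keeping both lines adjacent makes that symmetry easy to check before chasing the problem in the peer's proposal settings.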
