Date: Fri, 28 Sep 2001 15:48:23 -0500 (CDT)
From: Shawn Barnhart <swb@accord.grasslake.net>
To: Shoichi Sakane <sakane@kame.net>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IPSec problem, racoon can't transmit?
Message-ID: <Pine.BSF.4.21.0109281544070.9056-100000@accord.grasslake.net>
In-Reply-To: <20010926122828R.sakane@kame.net>

On Wed, 26 Sep 2001, Shoichi Sakane wrote:

> > When I start racoon on both machines, all appears fine. To make a long
> > story short, Machine A never seems to generate ANY isakmp packets. Machine
> > B's racoon run-time info never indicates it's gotten a phase I initiation
> > from A if the session was originated from A. I've run tcpdump on both
> > machines, and A never sends any isakmp packets, although it does get them
> > from B if B originates traffic first and appears to generate a response
> > according to racoon debug info, but B never gets the responses (and if
> > tcpdump is to be believed A never sends them).
> >
> > Both machines are running racoon-20010831a and 4.4-STABLE built yesterday.
>
> do you mean Machine A didn't send only isakmp packets ?
> or machine A couldn't send all of packets to machine B ?

Machine A didn't ever send isakmp packets to machine B, whether it
originates the traffic that brings up the IPSec link or whether it should
be responding to Phase I negotiation initiation with B.

> the re-keying might have failed. could you check the log file of racoon
> on both side ? if you picked ERROR tag from the file, you could find
> the problem.

The ERROR tag does say that Phase I failed, and my guess is that the
reason is that A isn't sending isakmp packets (tcpdump on B never sees
isakmp traffic from A).

Machine A is running DIVERT sockets for natd, and I think that is what's
killing the connection. I haven't had time to see if that's really the
case though, and if it is, it's a showstopper.

--
swb@grasslake.net
Hard work often pays off after time, but laziness always pays off now.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message