Date:      Thu, 5 Sep 2002 23:28:57 -0600
From:      Tillman Hodgson <tillman@seekingfire.com>
To:        Mike Tancsa <mike@sentex.net>
Cc:        questions@FreeBSD.ORG
Subject:   Re: IPSEC & routing w/o gif
Message-ID:  <20020905232857.C13151@seekingfire.com>
In-Reply-To: <5.1.0.14.0.20020906010034.03d89220@192.168.0.12>; from mike@sentex.net on Fri, Sep 06, 2002 at 01:04:51AM -0400
References:  <vq9gnu0qk29fjk0un4tne8vku57f33vmh2@4ax.com> <mailman.1031178127.4718.fquestions-l@lists.sentex.ca> <vq9gnu0qk29fjk0un4tne8vku57f33vmh2@4ax.com> <20020905225049.A13151@seekingfire.com> <5.1.0.14.0.20020906010034.03d89220@192.168.0.12>

On Fri, Sep 06, 2002 at 01:04:51AM -0400, Mike Tancsa wrote:
> >How does this interact with and affect dynamic routing (i.e., OSPF via
> >zebra)?
> 
> In a word, badly :-(  You need to look at something like l2tp or ppp over 
> the link... Or, use gif and transport mode.

Ick. Is there an on-line reference explaining the issues and the
workarounds that you can point me to?

> >We've now got a mostly-working config, and an NFS mount works across it
> >:-) The remaining problem is that after a period of time the FreeBSD box
> >can't access the other side ("sendto: No route to host").
> 
> Have a look at the racoon.conf options, there might be a setting there I 
> think.  But you might want to post the question and your config to the KAME 
> list.  But I do remember reading about this on the LINUX FreeSwan page, so 
> it might be some LINUX issue.  When the tunnel goes stale like that, what 
> does setkey -D show ?

It looks like this:

[root@coyote root]# setkey -D
24.72.10.212 24.72.31.206
        esp mode=tunnel spi=1426857889(0x550c1fa1) reqid=0(0x00000000)
        E: 3des-cbc  4f4e94e4 4732f5e3 ba9e7caa 67077d31 b2789394 83558afd
        A: hmac-md5  7bec6d6e 85cca86b 2aaae570 7e5e2db2
        seq=0x00000002 replay=4 flags=0x00000000 state=mature
        created: Sep  5 23:11:44 2002   current: Sep  5 23:22:06 2002
        diff: 622(s)    hard: 1800(s)   soft: 1440(s)
        last: Sep  5 23:22:02 2002      hard: 0(s)      soft: 0(s)
        current: 272(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 2    hard: 0 soft: 0
        sadb_seq=1 pid=75928 refcnt=2
24.72.31.206 24.72.10.212
        esp mode=tunnel spi=240298505(0x0e52aa09) reqid=0(0x00000000)
        E: 3des-cbc  70535711 3c3cf319 9f950f62 f3722dd6 58041014 8127e8bf
        A: hmac-md5  61caa1b4 4322665c fa29b556 78deaf4d
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep  5 23:11:44 2002   current: Sep  5 23:22:06 2002
        diff: 622(s)    hard: 1800(s)   soft: 1440(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=75928 refcnt=1

Oddly, when it's working, I seem to recall that there's *four* entries.
I'll have to check that in the morning when I can poke the fellow
running the other end to initiate some traffic :-)

Thanks muchly for your help,

- Tillman

-- 
The sound of water says what I think.
	Chuang-Tzu
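A small checker, added here as an example and not part of the thread, that parses the `setkey -D` output Tillman pasted and flags what a defender would look at first when a tunnel whose SAs still say `state=mature` stops passing traffic: too few SAs, an SA that has never carried a packet, or an SA past its soft lifetime without a rekey. The embedded sample is the poster's output trimmed to the lines the parser reads (the E:/A: key lines are omitted); the expectation of four entries is taken from his recollection and is an assumption.

```python
import re

# setkey -D output copied from the message above, trimmed to the lines
# parsed below (constructed sample for this example; key lines dropped).
SAMPLE = """\
24.72.10.212 24.72.31.206
        esp mode=tunnel spi=1426857889(0x550c1fa1) reqid=0(0x00000000)
        seq=0x00000002 replay=4 flags=0x00000000 state=mature
        diff: 622(s)    hard: 1800(s)   soft: 1440(s)
        last: Sep  5 23:22:02 2002      hard: 0(s)      soft: 0(s)
        current: 272(bytes)     hard: 0(bytes)  soft: 0(bytes)
24.72.31.206 24.72.10.212
        esp mode=tunnel spi=240298505(0x0e52aa09) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        diff: 622(s)    hard: 1800(s)   soft: 1440(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
"""

FIELDS = {
    "spi": re.compile(r"spi=(\d+)"),
    "state": re.compile(r"state=(\w+)"),
    "age": re.compile(r"diff: (\d+)\(s\)"),
    "hard": re.compile(r"hard: (\d+)\(s\)"),
    "soft": re.compile(r"soft: (\d+)\(s\)"),
    "last": re.compile(r"last:\s*(.*?)\s*hard:"),
    "bytes": re.compile(r"current: (\d+)\(bytes\)"),
}

def parse_setkey(text):
    """Turn setkey -D output into one dict per SA. First match wins for
    fields that repeat (the lifetime line precedes the last-use line)."""
    sas = []
    for line in text.splitlines():
        if line and not line[0].isspace():        # "src dst" header line
            src, dst = line.split()
            sas.append({"src": src, "dst": dst})
        elif sas:
            for key, rx in FIELDS.items():
                m = rx.search(line)
                if m:
                    val = m.group(1) if key in ("state", "last") else int(m.group(1))
                    sas[-1].setdefault(key, val)
    return sas

def stale_sas(sas, expected=4):
    """Return human-readable findings; `expected` is the poster's recollection
    of four entries on a working link (assumption, adjust to your SPD)."""
    findings = []
    if len(sas) < expected:
        findings.append(f"only {len(sas)} SA(s) present, expected {expected}")
    for sa in sas:
        tag = f"{sa['src']}->{sa['dst']} spi={sa['spi']:#x}"
        if sa.get("state") != "mature":
            findings.append(f"{tag}: state={sa.get('state')}")
        elif sa.get("bytes", 0) == 0 and not sa.get("last"):
            findings.append(f"{tag}: mature but has never carried a packet")
        if sa.get("soft") and sa["age"] >= sa["soft"]:
            findings.append(f"{tag}: past soft lifetime, rekey should have started")
    return findings
```

Run it against a live `setkey -D` capture in place of SAMPLE; on the output above it reports two SAs where four are expected and a return-direction SA that has never seen a packet.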

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message