Date:      Mon, 29 Jul 2002 14:49:22 -0500
From:      "Matthew Grooms" <mgrooms@seton.org>
To:        <dlavigne6@cogeco.ca>, <freebsd-questions@FreeBSD.org>, <freebsd-security@FreeBSD.org>
Subject:   Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ... 
Message-ID:  <sd455602.090@aus-gwia.aus.dcnhs.org>

Ok, I'm a moron. I was trying to use the gif driver when I shouldn't
have. As soon as I changed the setkey parameters to a non-tunnel device
config it started negotiating.

i.e.:

# delete all existing SPD and SAD entries
setkey -FP
setkey -F

# load the tunnel-mode policies; racoon negotiates the matching SAs on demand
setkey -c << EOF

# outbound: local 10.22.200.0/24 to each remote net, ESP tunnel between the gateways
spdadd 10.22.200.0/24 10.20.0.0/16 any -P out ipsec
esp/tunnel/66.90.146.202-65.118.63.252/require;
spdadd 10.22.200.0/24 10.21.0.0/16 any -P out ipsec
esp/tunnel/66.90.146.202-65.118.63.252/require;
spdadd 10.22.200.0/24 10.23.0.0/16 any -P out ipsec
esp/tunnel/66.90.146.202-65.118.63.252/require;

# inbound: the mirror image, tunnel endpoints reversed
spdadd 10.20.0.0/16 10.22.200.0/24 any -P in  ipsec
esp/tunnel/65.118.63.252-66.90.146.202/require;
spdadd 10.21.0.0/16 10.22.200.0/24 any -P in  ipsec
esp/tunnel/65.118.63.252-66.90.146.202/require;
spdadd 10.23.0.0/16 10.22.200.0/24 any -P in  ipsec
esp/tunnel/65.118.63.252-66.90.146.202/require;

EOF

When the connection is initiated from the bsd side, traffic passes
through the vpn1 box, encrypted and routed to the remote host without
a problem. Unfortunately, the response from the remote host gets caught
up on the return trip. I am guessing this is because the bsd and vpn1
box agree on an outbound ( from the bsd box's perspective ) proposal but
cannot agree on an inbound proposal. The checkpoint error logs say
'encryption failure : no response from peer'. However, here is some
tcpdump output that shows bi-directional communications. I'm not sure how
to interpret this. Any ideas anyone?

tcpdump: listening on eth0
14:36:16.766265 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 1 I agg: [|sa] (DF)
14:36:17.266091 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 1 R agg: [|sa]
14:36:17.284486 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 1 I agg:
    (hash: len=16) (DF)
14:36:17.387671 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 1 I agg:
    (hash: len=16) (DF)
14:36:17.487667 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 1 I agg:
    (hash: len=16) (DF)
14:36:17.816164 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:18.387787 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:19.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:19.989945 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:21.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:21.939733 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:23.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:23.902725 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:25.817695 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:25.887740 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:27.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:27.893544 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:29.817750 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:29.904151 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:33.817767 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:33.891523 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:37.817766 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:37.897711 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:41.817772 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:41.894646 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:45.817771 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:45.891121 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:49.817775 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:49.883577 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]

-Matthew
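As an added example (not part of the original message): a small Python script that re-joins tcpdump's wrapped ISAKMP lines and classifies the exchange, run over a constructed excerpt in the same format as the trace above. It treats an 'R inf[E]' (Informational) reply to every 'I oakley-quick[E]' as the responder answering the phase 2 proposal with an encrypted notify instead of a Quick Mode reply, which is the pattern in this trace.

```python
import re
from collections import Counter

# Constructed excerpt (same format as the tcpdump output in the message, fewer repeats).
SAMPLE = """\
14:36:16.766265 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 1 I agg: [|sa] (DF)
14:36:17.266091 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 1 R agg: [|sa]
14:36:17.816164 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:18.387787 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
14:36:19.817694 65.118.63.252.isakmp > 66.90.146.202.isakmp: isakmp:
phase 2/others I oakley-quick[E]: [|hash] (DF)
14:36:19.989945 66.90.146.202.isakmp > 65.118.63.252.isakmp: isakmp:
phase 2/others R inf[E]: [|hash]
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
RECORD = re.compile(r"^\S+ (?P<src>[\d.]+)\.isakmp > (?P<dst>[\d.]+)\.isakmp: isakmp: "
                    r"phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>[\w-]+)")

def records(text):
    """Re-join tcpdump's wrapped lines; each record starts with a timestamp."""
    out = []
    for line in text.splitlines():
        if TS.match(line):
            out.append(line.rstrip())
        elif out:
            out[-1] += " " + line.strip()
    return out

def summarize(text):
    """Count packets per (source, phase, I/R role, exchange type)."""
    c = Counter()
    for m in filter(None, map(RECORD.match, records(text))):
        c[(m["src"], m["phase"], m["role"], m["exch"])] += 1
    return c

def diagnose(text):
    """An Informational (inf) reply to Quick Mode is an encrypted notify: proposal rejected."""
    c = summarize(text)
    def n(role, exch):
        return sum(v for (_, ph, r, e), v in c.items() if (ph, r, e) == ("2/others", role, exch))
    if n("I", "oakley-quick") and n("R", "oakley-quick"):
        return "ok"
    if n("I", "oakley-quick") and n("R", "inf"):
        return "phase2-rejected"
    return "no-phase2"
```

The notify type itself sits inside the encrypted payload, so the concrete reason (proposal or identity mismatch) has to be read from racoon's log on the responding side.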


