Date:      Sun, 23 Sep 2001 17:51:33 -0500
From:      "Shawn Barnhart" <swb@grasslake.net>
To:        <freebsd-net@FreeBSD.ORG>
Subject:   IPSec problem, racoon can't transmit?
Message-ID:  <001201c14482$4b2d45e0$021ea8c0@twinstar>

I'm trying to set up an IPSec connection between two machines, A 10.10.10.1
and B 192.168.1.1 (real IPs are being used, these are just examples):

I used the following commands:

On Machine A (10.10.10.1):

setkey -c
spdadd 10.10.10.1/32 192.168.1.1/32 any -P out ipsec
esp/transport/10.10.10.1-192.168.1.1/require;
spdadd 192.168.1.1/32 10.10.10.1/32 any -P in ipsec
esp/transport/192.168.1.1-10.10.10.1/require;
^D

On Machine B (192.168.1.1):

setkey -c
spdadd 192.168.1.1/32 10.10.10.1/32 any -P out ipsec
esp/transport/192.168.1.1-10.10.10.1/require;
spdadd 10.10.10.1/32 192.168.1.1/32 any -P in ipsec
esp/transport/10.10.10.1-192.168.1.1/require;
^D

I have a vanilla racoon.conf and psk.txt (mode 600) on both machines.

When I start racoon on both machines, all appears fine.  To make a long
story short, Machine A never seems to generate ANY isakmp packets.  Machine
B's racoon run-time info never indicates it's gotten a phase I initiation
from A if the session was originated from A.  I've run tcpdump on both
machines, and A never sends any isakmp packets, although it does get them
from B if B originates traffic first and appears to generate a response
according to racoon debug info, but B never gets the responses (and if
tcpdump is to be believed A never sends them).

Both machines are running racoon-20010831a and 4.4-STABLE built yesterday.

What would cause this?  I have good communication with these hosts without
IPSec, I can originate ssh sessions and other traffic without problems.  Can
I use racoon with a security policy that requires encrypted traffic between
these hosts?  It almost seems like a catch-22:  can't do key exchange
traffic without encryption, and can't get encryption without key exchange,
and ...

What am I missing?
