Strange problem with IPSEC, not entirely transparent.

KAMADA Ken'ichi kamada at nanohz.org
Thu Nov 24 05:57:40 GMT 2005


At Tue, 22 Nov 2005 21:52:53 +0000,
Baldur Gislason <baldur at foo.is> wrote:
> 
> Now, here's the problem. When I have spmd and iked running on both ends, and everything between
> the hosts goes by IPSEC, comms over the tunnel work fine but I cannot connect to any TCP ports
> on the 5.4 machine from the 4.10 machine.
> I can connect from the 5.4 machine to the 4.10 machine though.
> Both machines can ping each other, no problems there. And all comms that go through the gif0 tunnel
> work.

You mean that TCP outside the gif tunnel doesn't work only in one
direction?  If you set IPsec keys (and policies) manually, does it
work?


If manual keying works, then...

You mentioned spmd and iked, so I suspect you are using
racoon2 (!= racoon), right?
If so, please send racoon2.conf, SPD and SAD (output of "setkey -DP"
and "setkey -D"), iked's log, and other config if relevant (all on
both ends).  If they are too big, you can send them to me off-list.

# OTOH, if it is racoon you actually wanted to use, it's now contained
# in security/ipsec-tools ports.

At Tue, 22 Nov 2005 21:57:24 +0000,
Baldur Gislason <baldur at foo.is> wrote:
> 
> Adding:
> If I kill spmd on the 5.4 box, then all works fine but the comms are only encrypted in one direction.

Killing spmd causes removal of SPD entries generated by racoon2.

-- 
KAMADA Ken'ichi <kamada at nanohz.org> @racoon2 project
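The reply above asks for the SPD of both ends ("setkey -DP") and notes that killing spmd removes the SPD entries racoon2 installed, which fits a symptom where traffic is protected in only one direction. The script below is an added example, not code from this thread or from racoon2/ipsec-tools: it parses a "setkey -DP" dump and lists every policy that requires IPsec but has no reverse-direction counterpart. The dump layout it assumes is the KAME/ipsec-tools one (an unindented "src[port] dst[port] upper-proto" selector line followed by indented direction, request and bookkeeping lines); the addresses and policies in SAMPLE_SPD are constructed.

```python
"""Flag one-directional policies in a "setkey -DP" SPD dump.

Added example (not from the thread or from racoon2/ipsec-tools).  Assumed
layout: an unindented selector line "src[port] dst[port] upper-proto", then
indented lines carrying the direction and action ("out ipsec", possibly with
priority words in between), one ipsec request "proto/mode/[src-dst]/level"
per line, and bookkeeping fields (spid=, refcnt=, created:, ...).
"""
import re
from dataclasses import dataclass

# Constructed sample: a transport-mode pair plus a tunnel policy that only
# exists in the "out" direction.  Real output indents with tabs; the parser
# accepts any leading whitespace.
SAMPLE_SPD = """\
192.0.2.1[any] 192.0.2.2[any] any
    out ipsec
    esp/transport//require
    spid=1 seq=1 pid=1234
    refcnt=1
192.0.2.2[any] 192.0.2.1[any] any
    in ipsec
    esp/transport//require
    spid=2 seq=0 pid=1234
    refcnt=1
192.0.2.1[any] 198.51.100.7[any] any
    out ipsec
    esp/tunnel/192.0.2.1-198.51.100.7/require
    spid=3 seq=2 pid=1234
    refcnt=1
"""

SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")
BOOKKEEPING = ("spid=", "refcnt=", "created:", "lastused:", "lifetime:", "validtime:")


@dataclass(frozen=True)
class Policy:
    src: str
    sport: str
    dst: str
    dport: str
    proto: str
    direction: str   # "in", "out" or "fwd"
    action: str      # "ipsec", "discard" or "none"
    requests: tuple  # e.g. ("esp/transport//require",)


def parse_spd(dump):
    """Parse setkey -DP output into Policy records (assumed layout, see above)."""
    entries = []
    cur = None
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # selector line opens a new entry
            m = SELECTOR_RE.match(raw.strip())
            if not m:
                raise ValueError(f"unrecognised selector line: {raw!r}")
            cur = {"sel": m.groups(), "direction": None, "action": None, "requests": []}
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError("indented line before any selector line")
        tok = raw.split()
        if tok[0] in ("in", "out", "fwd") and cur["direction"] is None:
            cur["direction"] = tok[0]
            cur["action"] = tok[-1]              # last word is ipsec/discard/none
        elif "/" in tok[0] and not tok[0].startswith(BOOKKEEPING):
            cur["requests"].append(tok[0])       # one ipsec request per line
    return [Policy(*e["sel"], e["direction"], e["action"], tuple(e["requests"]))
            for e in entries]


def mirror_request(req):
    """Request the opposite direction should carry: tunnel endpoints swapped."""
    parts = req.split("/")
    if len(parts) == 4 and parts[1] == "tunnel" and "-" in parts[2]:
        a, b = parts[2].split("-", 1)
        parts[2] = f"{b}-{a}"
    return "/".join(parts)


def mirror_of(p):
    """The in/out counterpart a symmetric SPD would contain for p (None for fwd)."""
    opposite = {"out": "in", "in": "out"}.get(p.direction)
    if opposite is None:
        return None
    return Policy(p.dst, p.dport, p.src, p.sport, p.proto, opposite, p.action,
                  tuple(mirror_request(r) for r in p.requests))


def find_unmatched(policies):
    """Policies requiring IPsec whose reverse-direction counterpart is missing."""
    present = set(policies)
    return [p for p in policies
            if p.action == "ipsec" and mirror_of(p) is not None
            and mirror_of(p) not in present]


def report(dump):
    """Human-readable lines, one per one-directional policy."""
    return [f"{p.direction} policy {p.src}[{p.sport}] -> {p.dst}[{p.dport}] "
            f"({','.join(p.requests)}) has no {mirror_of(p).direction} counterpart"
            for p in find_unmatched(parse_spd(dump))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SPD)) or "SPD is symmetric")
```

Run it against the saved output of "setkey -DP" from each host; a policy that shows up here on one host, or a pair that is present while spmd runs and gone once it is killed, is the first thing to compare between the two ends before looking at the SAD or the iked log.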

