From: Trish Lynch (trish_at_egobsd.org)
Date: Tue Aug 13 2002 - 09:34:59 CDT

    On Mon, 12 Aug 2002, Shoichi Sakane wrote:

    > > I'm working on setting up IPSEC tunnels between a
    > > KAME/racoon/FreeBSD-STABLE box and a Ravlin unit at a client's
    > >
    > > What is happening with the one tunnel is this:
    > >
    > > after a couple days, it times out, and neither side can reestablish
    > > traffic between, the log in /var/log/daemon for racoon tells me the tunnel
    > > *is* established, but I can't ping through it. If I restart racoon, it all
    > > starts working fine again.
    >
    > could you see the difference in netstat while the problem is happening?
    > could you compare your *SAD* and the SPIs in the packets on the network?
    > there might be a mismatch of SAD on both sides.
    >

    *nod* figured that out already.

    > > The second issue is a second machine, with a cut/pasted config into
    > > racoon.conf, with simply the endpoints changed, does not work at all.
    > >
    > > I can ping the external interface of the Ravlin, but it doesn't even
    > > *begin* phase 1.
    >
    > because your spd entry is configured for only your public network.
    > when the kernel sends a packet with the external address,
    > the kernel decides not to use ipsec.
    >

    *nod* got that too, they've all worked pretty stably over the past couple
    weeks. The big problem here is trying to troubleshoot something when you
    have no clue what the other endpoint is doing :)

    However I will document step by step KAME/racoon <-> Ravlin setup as soon
    as I actually have time :)

    If anyone has an extra couple hours one day they can lend me, let me know
    :) :)

    -Trish

    --
    Trish Lynch                                 trish@egobsd.org
                        Ecartis Core Team
    Key fingerprint = B04E 67CA 3A12 9930 E91C  7730 4606 3618 B74A 2493
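
Shoichi's two diagnostic suggestions in the quoted reply above (compare the SAD and the SPIs on both sides; check that the SPD actually covers the traffic you are testing with) can be turned into a repeatable check. The following is an added example and is not code from the thread, from KAME or from racoon: it parses constructed `setkey -D` (SAD) and `setkey -DP` (SPD) output laid out the way KAME setkey(8) prints it, reports SPIs that exist on one gateway only (the "racoon says established but nothing passes" symptom), and looks up whether a given source/destination pair is covered by any policy (the "ping from the gateway's own address never starts phase 1" symptom). All addresses, SPIs and dump text below are constructed.

```python
import ipaddress
import re

# One indented line per SA carries protocol, mode and SPI; a later one carries state=.
SA_BODY = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=\w+\s+spi=\d+\((0x[0-9a-f]+)\)")
SA_STATE = re.compile(r"\bstate=(\w+)")

def parse_sad(dump):
    """{(src, dst, proto, spi): state} from `setkey -D` text; an unindented 'src dst' line starts an SA."""
    sas, endpoints, key = {}, None, None
    for line in dump.splitlines():
        if line and not line[0].isspace():
            parts = line.split()
            endpoints = tuple(parts) if len(parts) == 2 else None
            continue
        m = SA_BODY.match(line)
        if m and endpoints:
            key = endpoints + (m.group(1), m.group(2))
            sas[key] = "unknown"
            continue
        m = SA_STATE.search(line)
        if m and key:
            sas[key] = m.group(1)
    return sas

def compare_sad(dump_a, dump_b):
    """Diff both SADs. A's outbound SA is B's inbound SA under the same SPI, so every
    (src, dst, proto, spi) must exist on both peers; a one-sided SA means the peer drops
    that traffic as an unknown SPI even though IKE reports the tunnel as established."""
    a, b = parse_sad(dump_a), parse_sad(dump_b)
    return {
        "only_on_a": sorted(k for k in a if k not in b),
        "only_on_b": sorted(k for k in b if k not in a),
        "not_mature": sorted({k for k, s in (*a.items(), *b.items()) if s != "mature"}),
    }

def _network(token):
    """'192.168.1.0/24[any]' -> ip_network('192.168.1.0/24'); the [port] part is ignored."""
    return ipaddress.ip_network(token.split("[")[0], strict=False)

def parse_spd(dump):
    """[{'src', 'dst', 'dir', 'action'}] from `setkey -DP` text, in the order the kernel lists them."""
    policies, cur = [], None
    for line in dump.splitlines():
        parts = line.split()
        if line and not line[0].isspace() and len(parts) >= 2:
            cur = {"src": _network(parts[0]), "dst": _network(parts[1]), "dir": None, "action": None}
            policies.append(cur)
        elif cur and cur["dir"] is None and len(parts) == 2 and parts[0] in ("in", "out", "fwd"):
            cur["dir"], cur["action"] = parts
    return policies

def spd_lookup(policies, src, dst, direction="out"):
    """Action of the first policy covering the packet, or None: with no matching policy the
    kernel sends plain IP and never asks the IKE daemon to start phase 1."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p["action"]
    return None

# Constructed `setkey -D` output from gateway A (203.0.113.1), which has just rekeyed.
SAD_GW_A = """\
203.0.113.1 198.51.100.1
    esp mode=tunnel spi=123456789(0x075bcd15) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 203.0.113.1
    esp mode=tunnel spi=987654321(0x3ade68b1) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""
# Constructed `setkey -D` output from gateway B (198.51.100.1), still holding the old inbound SA.
SAD_GW_B = """\
203.0.113.1 198.51.100.1
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
198.51.100.1 203.0.113.1
    esp mode=tunnel spi=987654321(0x3ade68b1) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""
# Constructed `setkey -DP` output from gateway A: the policies cover the inner networks only,
# so a packet sourced from the gateway's own outer address matches nothing.
SPD_GW_A = """\
192.168.1.0/24[any] 172.16.0.0/24[any] any
    out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require
    spid=1 seq=1 pid=1234
172.16.0.0/24[any] 192.168.1.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require
    spid=2 seq=0 pid=1234
"""

if __name__ == "__main__":
    for side, keys in compare_sad(SAD_GW_A, SAD_GW_B).items():
        print(side, *(f"{s}->{d} {p} {spi}" for s, d, p, spi in keys))
    pol = parse_spd(SPD_GW_A)
    print("gw->gw policy:", spd_lookup(pol, "203.0.113.1", "198.51.100.1"))
```

In use, capture `setkey -D` on both gateways at the moment the tunnel stops passing traffic and feed the two dumps to `compare_sad`; an SA that appears under `only_on_a` or `only_on_b` is the stale state that a racoon restart clears. For the second problem, `spd_lookup` with the gateway's outer address as source returns None, which is the kernel's decision not to use IPsec for that packet; only traffic that falls inside the SPD selectors can trigger phase 1.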
    

    To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message