OSEC

 
From: Adrian Close (adrianesec.com.au)
Date: Mon Feb 19 2001 - 18:07:37 CST


    On Mon, 19 Feb 2001, Aaron M. Segura wrote:

    > I have set up isakmpd according to the directions in 'man isakmpd'. I
    > set up a CA on each host, and followed through the entire man page on
    > each machine...i'm not sure if this was correct or not.

    Your packet trace actually suggests that you're using shared secrets
    ("AUTHENTICATION_METHOD = PRE_SHARED").

    > I also set up isakmpd.conf (and can attach both if necessary).

    This might be helpful. Also, any isakmpd.policy you might have. That
    said, it seems like isakmpd is not your problem.

    > this happens twice...and my routes look like:
    >
    > Encap:
    > Source            Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
    > 10/8              0     192.168.1/24       0     0      204.248.21.26/50/require/in
    > 204.248.21.26/32  0     192.168.1/24       0     0      204.248.21.26/50/require/in
    > 204.248.21.26/32  0     204.248.22.179/32  0     0      204.248.21.26/50/require/in
    > 192.168.1/24      0     10/8               0     0      204.248.21.26/50/require/out
    >
    > which looks right, based on what i've seen...

    Looks OK. Presumably the other end has a similar looking thing in
    reverse?

    > I can't send traffic across the pipe. It appears that phase one
    > completes OK, but...I'm just guessing here...

    What does your tcpdump say about ESP packets (IP protocol 50) when you try
    to send IPSEC traffic between the machines? Look for cleartext traffic
    between the two machines as well, just in case. Note that you can also
    tcpdump the "enc0" interface (must "ifconfig enc0 up" first) and it may
    even be useful if you use IP Filter to log traffic on the enc0 interface.

    Also, it does look like your 'isakmpd' setup is fine, but you might want
    to run one or both with full debug ("isakmpd -d -DA=99") just to make sure
    everything is OK there.

    You don't have any kind of firewall blocking packets, by any chance?

    Hope this helps.

    Adrian Close                      email: adrianesec.com.au
    Network Architect                 phone: +61 3 8371 5300
    eSec Limited                      fax:   +61 3 8371 5399
    "Protecting your e-business..."   web:   http://www.esec.com.au
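The check Adrian suggests (look for ESP, IP protocol 50, between the gateways, and separately for cleartext traffic that should have been encapsulated) can be done by eye, but when the capture is long it helps to sort the packets into those buckets and read off what is missing. The script below is an added example and is not part of the original thread or of isakmpd; it takes the text output of tcpdump, counts ISAKMP, ESP and cleartext packets between the two peers in the quoted encap routes, and prints which of the reply's follow-up checks applies. The tcpdump line shapes assumed are those of modern `tcpdump -n` output, and the sample capture is constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Tunnel endpoints and inner networks taken from the encap routes quoted in the thread.
PEER_A = "204.248.21.26"
PEER_B = "204.248.22.179"
INNER_NETS = ("10.0.0.0/8", "192.168.1.0/24")

# Line shapes of modern "tcpdump -n" output (assumed; older tcpdump prints differently).
ISAKMP_RE = re.compile(r"IP (\S+)\.500 > (\S+)\.500: isakmp:.*phase (\d)")
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(")
IP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

# Constructed sample of what "tcpdump -ni <external_if>" might show while testing the tunnel.
# Phase 1 and phase 2 both complete, ESP leaves A but nothing comes back from B, and one
# inner-network packet appears on the outside interface without being encapsulated.
SAMPLE = """\
10:00:01.000001 IP 204.248.21.26.500 > 204.248.22.179.500: isakmp: phase 1 I ident
10:00:01.000002 IP 204.248.22.179.500 > 204.248.21.26.500: isakmp: phase 1 R ident
10:00:02.000003 IP 204.248.21.26.500 > 204.248.22.179.500: isakmp: phase 2/others I oakley-quick
10:00:02.000004 IP 204.248.22.179.500 > 204.248.21.26.500: isakmp: phase 2/others R oakley-quick
10:00:03.000005 IP 204.248.21.26 > 204.248.22.179: ESP(spi=0x0000100e,seq=0x1), length 116
10:00:03.000006 IP 204.248.21.26 > 204.248.22.179: ESP(spi=0x0000100e,seq=0x2), length 116
10:00:04.000007 IP 10.0.0.5 > 192.168.1.7: ICMP echo request, id 1, seq 1, length 64
"""


def classify(lines, peer_a, peer_b, inner_nets):
    """Count ISAKMP, ESP and cleartext packets seen on the external interface."""
    inner = [ipaddress.ip_network(n) for n in inner_nets]
    counts = Counter()
    for line in lines:
        m = ISAKMP_RE.search(line)
        if m:
            counts["isakmp_phase" + m.group(3)] += 1
            continue
        m = ESP_RE.search(line)
        if m:
            src, dst = m.groups()
            if (src, dst) == (peer_a, peer_b):
                counts["esp_a_to_b"] += 1
            elif (src, dst) == (peer_b, peer_a):
                counts["esp_b_to_a"] += 1
            else:
                counts["esp_other"] += 1
            continue
        m = IP_RE.search(line)
        if m:
            src, dst = (ipaddress.ip_address(a) for a in m.groups())
            if any(src in n or dst in n for n in inner):
                counts["cleartext_inner"] += 1   # should have matched an encap route
            elif {str(src), str(dst)} == {peer_a, peer_b}:
                counts["cleartext_peer"] += 1    # e.g. ICMP errors from a filtering box
            else:
                counts["other"] += 1
    return counts


def diagnose(counts):
    """Map the counts onto the follow-up checks from the reply above."""
    notes = []
    if counts["isakmp_phase1"] and not counts["isakmp_phase2"]:
        notes.append("phase 1 completes but no quick mode: run isakmpd -d -DA=99 "
                     "and check isakmpd.conf / isakmpd.policy")
    if not counts["isakmp_phase1"] and not (counts["esp_a_to_b"] or counts["esp_b_to_a"]):
        notes.append("no ISAKMP or ESP at all: isakmpd not running, or udp/500 filtered")
    if counts["esp_a_to_b"] and not counts["esp_b_to_a"]:
        notes.append("ESP leaves for the peer but nothing returns: check the peer's encap "
                     "routes and any firewall dropping IP protocol 50")
    if counts["esp_b_to_a"] and not counts["esp_a_to_b"]:
        notes.append("ESP arrives but none is sent: check the local encap routes "
                     "(tcpdump enc0 after ifconfig enc0 up)")
    if counts["cleartext_inner"]:
        notes.append("inner-network traffic is on the wire in cleartext: "
                     "the encap routes are not matching it")
    if counts["cleartext_peer"]:
        notes.append("cleartext packets between the gateways themselves: "
                     "look for ICMP errors pointing at a filter")
    return notes


if __name__ == "__main__":
    c = classify(SAMPLE.splitlines(), PEER_A, PEER_B, INNER_NETS)
    for key, value in sorted(c.items()):
        print(f"{key:16s} {value}")
    for note in diagnose(c):
        print("->", note)
```

Feed it a real capture with `tcpdump -n -i <external_if> host <peer> | python3 esp_triage.py` style piping, or save the capture to a file first; the interface and file names are yours to choose, and the regexes will need adjusting if your tcpdump prints packets in a different layout.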