I'm trying to set up an IPSec connection between two machines, A 10.10.10.1
and B 192.168.1.1 (real IPs are being used, these are just examples):
I used the following commands:
On Machine A (10.10.10.1):
setkey -c
spdadd 10.10.10.1/32 192.168.1.1/32 any -P out ipsec
esp/transport/10.10.10.1-192.168.1.1/require;
spdadd 192.168.1.1/32 10.10.10.1/32 any -P in ipsec
esp/transport/192.168.1.1-10.10.10.1/require;
^D
On Machine B (192.168.1.1):
setkey -c
spdadd 192.168.1.1/32 10.10.10.1/32 any -P out ipsec
esp/transport/192.168.1.1-10.10.10.1/require;
spdadd 10.10.10.1/32 192.168.1.1/32 any -P in ipsec
esp/transport/10.10.10.1-192.168.1.1/require;
^D
I have a vanilla racoon.conf and psk.txt (mode 600) on both machines.
When I start racoon on both machines, all appears fine. To make a long
story short, Machine A never seems to generate ANY isakmp packets. Machine
B's racoon run-time info never indicates it's gotten a phase I initiation
from A if the session was originated from A. I've run tcpdump on both
machines, and A never sends any isakmp packets, although it does get them
from B if B originates traffic first and appears to generate a response
according to racoon debug info, but B never gets the responses (and if
tcpdump is to be believed A never sends them).
Both machines are running racoon-20010831a and 4.4-STABLE built yesterday.
What would cause this? I have good communication with these hosts without
IPSec, I can originate ssh sessions and other traffic without problems. Can
I use racoon with a security policy that requires encrypted traffic between
these hosts? It almost seems like a catch-22: can't do key exchange
traffic without encryption, and can't get encryption without key exchange,
and ...
What am I missing?
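An added sanity check, written for this thread and not part of the original post or of the KAME/racoon tools: a small Python script that parses spdadd statements in the form used above (the two host blocks are constructed from the post), checks that each transport-mode SA's endpoints match its selector, and checks that every out rule on one host has the mirroring in rule on its peer, so a direction or endpoint mix-up in a hand-typed policy set is caught before it is loaded with setkey.

```python
import re

# Constructed input: the SPD statements from the post, one block per host.
HOST_A = """
spdadd 10.10.10.1/32 192.168.1.1/32 any -P out ipsec
esp/transport/10.10.10.1-192.168.1.1/require;
spdadd 192.168.1.1/32 10.10.10.1/32 any -P in ipsec
esp/transport/192.168.1.1-10.10.10.1/require;
"""
HOST_B = """
spdadd 192.168.1.1/32 10.10.10.1/32 any -P out ipsec
esp/transport/192.168.1.1-10.10.10.1/require;
spdadd 10.10.10.1/32 192.168.1.1/32 any -P in ipsec
esp/transport/10.10.10.1-192.168.1.1/require;
"""

# spdadd src dst upperspec -P dir ipsec proto/mode/sa_src-sa_dst/level
STMT = re.compile(r"spdadd (\S+) (\S+) (\S+) -P (in|out) ipsec "
                  r"(\w+)/(\w+)/(\S+?)-(\S+?)/(\w+)")
FIELDS = ("src", "dst", "upper", "dir", "proto", "mode", "sa_src", "sa_dst", "level")

def parse_spd(text):
    """Split setkey input on ';' (a statement may span lines) and parse each spdadd."""
    rules = []
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())          # collapse newlines and indentation
        if not stmt:
            continue
        m = STMT.fullmatch(stmt)
        if not m:
            raise ValueError("unparsed statement: " + stmt)
        rules.append(dict(zip(FIELDS, m.groups())))
    return rules

def _host(addr):
    return addr.split("/")[0]                 # strip the /prefixlen

def check_host(rules):
    """In transport mode the SA endpoints must be the selector's own hosts."""
    return [f"SA {r['sa_src']}-{r['sa_dst']} does not match selector {r['src']}->{r['dst']}"
            for r in rules
            if r["mode"] == "transport"
            and (r["sa_src"], r["sa_dst"]) != (_host(r["src"]), _host(r["dst"]))]

def check_mirror(a_rules, b_rules):
    """Each out rule on one host needs an in rule with the same selector on the peer."""
    sel = lambda r: (r["src"], r["dst"], r["upper"])
    problems = []
    for name, mine, peer in (("A", a_rules, b_rules), ("B", b_rules, a_rules)):
        peer_in = {sel(r) for r in peer if r["dir"] == "in"}
        problems += [f"{name} out rule {sel(r)} has no matching in rule on peer"
                     for r in mine if r["dir"] == "out" and sel(r) not in peer_in]
    return problems

def audit(a_text, b_text):
    a, b = parse_spd(a_text), parse_spd(b_text)
    return check_host(a) + check_host(b) + check_mirror(a, b)

if __name__ == "__main__":
    print(audit(HOST_A, HOST_B) or "policies are consistent")
```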