I'm trying to set up an IPSec connection between two machines, A 10.10.10.1
and B 192.168.1.1 (real IPs are being used, these are just examples):

I used the following commands:

On Machine A (10.10.10.1):

setkey -c
spdadd 10.10.10.1/32 192.168.1.1/32 any -P out ipsec
esp/transport/10.10.10.1-192.168.1.1/require;
spdadd 192.168.1.1/32 10.10.10.1/32 any -P in ipsec
esp/transport/192.168.1.1-10.10.10.1/require;
^D

On Machine B (192.168.1.1):

setkey -c
spdadd 192.168.1.1/32 10.10.10.1/32 any -P out ipsec
esp/transport/192.168.1.1-10.10.10.1/require;
spdadd 10.10.10.1/32 192.168.1.1/32 any -P in ipsec
esp/transport/10.10.10.1-192.168.1.1/require;
^D

I have a vanilla racoon.conf and psk.txt (mode 600) on both machines.

When I start racoon on both machines, all appears fine.  To make a long
story short, Machine A never seems to generate ANY isakmp packets.  Machine
B's racoon run-time info never indicates it's gotten a phase I initiation
from A if the session was originated from A.  I've run tcpdump on both
machines, and A never sends any isakmp packets, although it does get them
from B if B originates traffic first and appears to generate a response
according to racoon debug info, but B never gets the responses (and if
tcpdump is to be believed A never sends them).

Both machines are running racoon-20010831a and 4.4-STABLE built yesterday.

What would cause this?  I have good communication with these hosts without
IPSec, I can originate ssh sessions and other traffic without problems.  Can
I use racoon with a security policy that requires encrypted traffic between
these hosts?  It almost seems like a catch-22:  can't do key exchange
traffic without encryption, and can't get encryption without key exchange,
and ...

What am I missing?
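One thing worth checking in the policies above, as an added example that is not from the original post: with upper-layer protocol `any` and level `require`, the kernel applies the policy to racoon's own IKE datagrams (UDP/500) too, and with no SA yet in place it discards them, which is exactly the catch-22 described. The usual way out on the KAME stack is a more specific `none` policy for IKE in each direction, added before the `require` entries because the SPD is searched first-match in insertion order (an assumption about this FreeBSD version; `setkey -DP` shows the resulting order). The helper below generates such a policy set for the two hosts.

```shell
#!/bin/sh
# Added example, not the poster's configuration: emit a KAME setkey script
# that exempts IKE (UDP/500) from the ESP "require" policy so racoon's
# phase 1 traffic is not dropped by the kernel before any SA exists.
# Assumption: first-match SPD lookup, so the "none" entries come first.
# Usage: spd_policy LOCAL PEER | setkey -c   (then verify with setkey -DP)
spd_policy() {
    local_ip=$1
    peer_ip=$2
    cat <<EOF
# IKE bypass: racoon must reach its peer in the clear, both directions
spdadd ${local_ip}[500] ${peer_ip}[500] udp -P out none;
spdadd ${peer_ip}[500] ${local_ip}[500] udp -P in none;
# Everything else between the two hosts must be ESP in transport mode
spdadd ${local_ip}/32 ${peer_ip}/32 any -P out ipsec
    esp/transport/${local_ip}-${peer_ip}/require;
spdadd ${peer_ip}/32 ${local_ip}/32 any -P in ipsec
    esp/transport/${peer_ip}-${local_ip}/require;
EOF
}

# Sanity check on the generated script: the first spdadd must be a "none"
# (bypass) entry, otherwise the require entries would shadow it.
first_policy_is_bypass() {
    first=$(spd_policy "$1" "$2" | grep '^spdadd' | head -n 1)
    case "$first" in
        *' udp -P out none;') return 0 ;;
        *) return 1 ;;
    esac
}
```

The same script, with LOCAL and PEER swapped, is what machine B loads.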
