From the keyboard of Erik Norvelle, written on Fri, Nov 16, 2001 at 04:54:07AM -0700:
> Lars (and anyone else who can help):
>
> I have attempted to follow your advice, by configuring my machines to use
> IPSEC tunnel mode only. However, I still can't get ping packets to go
> between the two internal networks. My /etc/ipsec.conf files on both
> machines are as follows:
>
> --- Begin included file ---
> flush;
> spdflush;
>
> # Note that the add rules are the same as on Node B!
> spdadd 10.20.0.0/24 192.168.1.0/24 any -P in ipsec
>        esp/tunnel/xxx.yyy.40.122-xxx.yyy.40.135/require;
> spdadd 192.168.1.0/24 10.20.0.0/24 any -P out ipsec
>        esp/tunnel/xxx.yyy.40.135-xxx.yyy.40.122/require;
> --- End included file ---
>
> For the test situation, I have set up my ipfilter to allow everything to
> pass, both in and out, on both the internal and external interfaces.
> Also, I have turned off IPNAT completely.
>
> I *have* been able to get transport mode working between the two external
> interfaces. Racoon successfully exchanged keys, and a perusal of
> netstat -sn output showed that IPSEC packets were in fact being passed.
> However, tunnel mode between the two internal networks does not produce
> any IPSEC packets or key exchange traffic at all.
How did you ping? Imagine this:

net ----------- ipsec host ------- some net ----- ipsec host --
10.0.0.0/24<->10.0.0.1/172.16.1.1 ---------- 172.16.1.2/10.0.1.1<->10.0.1.0/24

Now, if your tunnel should secure all data from 10.0.0.0/24 to 10.0.1.0/24
and vice versa, and you ping from 10.0.0.1/172.16.1.1 to 10.0.1.*, what
happens is that you will effectively ping from 172.16.1.1 to 10.0.1.*. This
is not covered in an SP. So racoon will just sit and do nothing. In this
case, you should use 'ping -I' to force the ping packet to go over the
interface having 10.0.0.1. In this case, you will ping from 10.0.0.1 to
10.0.1.*, which is covered by a policy.

I don't know if this is the cause of your problem; you did not say from
what host to what host you try to ping. It is, however, something to keep
in mind. It tricked me too ;-)

Grtz,

--
Eilko Bos.
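To make the selector-matching point concrete, here is an added example (not code from the thread or from setkey/racoon): a small model of SPD lookup that parses spdadd lines and checks a packet's source and destination against the selectors. The spdadd lines and the gateway addresses (inner 10.0.0.1, outer 172.16.1.1, peer 172.16.1.2) are constructed to follow Eilko's diagram, not Erik's real configuration.

```python
# Added example: toy SPD selector matching, modelled on setkey's spdadd syntax.
# Shows why a ping sourced from the gateway's outer address (172.16.1.1)
# matches no policy while one sourced from its inner address (10.0.0.1) does.
import ipaddress
import re

# Constructed ipsec.conf for the left gateway in the diagram (assumed addresses).
LEFT_GW_CONF = """
spdadd 10.0.0.0/24 10.0.1.0/24 any -P out ipsec
    esp/tunnel/172.16.1.1-172.16.1.2/require;
spdadd 10.0.1.0/24 10.0.0.0/24 any -P in ipsec
    esp/tunnel/172.16.1.2-172.16.1.1/require;
"""

# spdadd <src> <dst> <upperspec> -P <dir> <action> [<protocol/mode/endpoints/level>];
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(\S+)\s*([^;]*);"
)

def parse_spd(conf):
    """Turn spdadd statements into a list of selector dicts, in file order."""
    policies = []
    for src, dst, upper, direction, action, proto in SPDADD_RE.findall(conf):
        policies.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "upper": upper,
            "dir": direction,
            "action": action,
            "proto": " ".join(proto.split()),  # collapse the line continuation
        })
    return policies

def lookup(policies, src_ip, dst_ip, direction):
    """First-match SPD lookup on (src, dst, direction); None means no policy."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None

def ping_would_be_protected(policies, src_ip, dst_ip):
    """True if an outbound packet with this source address hits an ipsec policy."""
    p = lookup(policies, src_ip, dst_ip, "out")
    return p is not None and p["action"] == "ipsec"

if __name__ == "__main__":
    spd = parse_spd(LEFT_GW_CONF)
    # A plain 'ping 10.0.1.5' from the gateway is sourced from 172.16.1.1: no SP.
    print(ping_would_be_protected(spd, "172.16.1.1", "10.0.1.5"))  # False
    # 'ping -I 10.0.0.1 10.0.1.5' is sourced from the inner address: matches.
    print(ping_would_be_protected(spd, "10.0.0.1", "10.0.1.5"))    # True
```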