On Mon, Jan 16, 2006 at 08:55:18PM +0100, Przemysław Szczygielski wrote:
> Well - both ways work. The one from the wizard and the one by
> ipseccmd. The difference is I don't know how to deactivate ipseccmd
> filters ;-)

ipseccmd -u

> From XP I pinged 10.2.0.1 with IPSEC on
>
> tcpdump -i ndis0 host 10.2.0.2 on 10.2.0.1 showed encrypted packets

ESP packets with source 10.2.0.2 and destination 10.2.0.1? Is the SPI in
your SAD?

# echo "dump;" | setkey -c

> tcpdump -i fxp0 host 10.2.0.2 on 10.2.0.1 showed nothing...

Hmm. Then I would next try turning off ipfw completely, to see if you get
outgoing non-NAT packets on fxp0 with a source of 10.2.0.2 and destination
of x.x.x.x

If so, you've narrowed it to an ipfw problem. If you're trying to do
reverse-path checking or the like, that could be it. Turning on logging for
all deny rules might help locate it.

If you still think it's an IPSEC problem, "options IPSEC_DEBUG" might also
be useful.

Regards,

Brian.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
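
The "Is the SPI in your SAD?" check from the reply above, as an added example that is not part of the original thread: it lists ESP SPIs seen on the wire that have no matching SA for the same source and destination. The sample capture and SAD dump are constructed, and the `tcpdump -n` and `setkey -D` line layouts they imitate are assumptions about those tools' usual output.

```sh
#!/bin/sh
# Added example (not from the thread): list ESP SPIs seen on the wire that
# have no matching SA in the SAD. Sample data is constructed; the tcpdump
# and setkey line layouts are assumptions about those tools' usual output.
sample_tcpdump() { cat <<'EOF'
20:41:07.101 IP 10.2.0.2 > 10.2.0.1: ESP(spi=0x0a1b2c3d,seq=0x1), length 92
20:41:08.102 IP 10.2.0.2 > 10.2.0.1: ESP(spi=0x0a1b2c3d,seq=0x2), length 92
20:41:09.250 IP 10.2.0.2 > 10.2.0.1: ESP(spi=0x0deadbee,seq=0x7), length 92
EOF
}
sample_sad() { cat <<'EOF'
10.2.0.2 10.2.0.1
    esp mode=tunnel spi=169552957(0x0a1b2c3d) reqid=0(0x00000000)
    E: 3des-cbc  (key omitted)
10.2.0.1 10.2.0.2
    esp mode=tunnel spi=233876206(0x0df0aaee) reqid=0(0x00000000)
EOF
}

# SPIs (hex) that the SAD holds for src -> dst; SAD dump on stdin.
sad_spis() {
    awk -v s="$1" -v d="$2" '
        /^[0-9A-Fa-f]/ { match_pair = ($1 == s && $2 == d) }  # "src dst" header
        match_pair && /spi=/ {
            if (match($0, /\(0x[0-9a-fA-F]+\)/))
                print tolower(substr($0, RSTART + 1, RLENGTH - 2))
        }'
}

# Distinct ESP SPIs captured for src -> dst; tcpdump -n output on stdin.
wire_spis() {
    awk -v s="$1" -v d="$2" '
        index($0, "IP " s " > " d ": ESP(spi=0x") {
            if (match($0, /spi=0x[0-9a-fA-F]+/))
                print tolower(substr($0, RSTART + 4, RLENGTH - 4))
        }' | sort -u
}

# Wire SPIs with no SA: $1=src $2=dst $3=capture file $4=SAD dump file.
unknown_spis() {
    wire_spis "$1" "$2" < "$3" | while read -r spi; do
        sad_spis "$1" "$2" < "$4" | grep -qx "$spi" || echo "$spi"
    done
}

demo() {
    t=$(mktemp); k=$(mktemp)
    sample_tcpdump > "$t"; sample_sad > "$k"
    unknown_spis 10.2.0.2 10.2.0.1 "$t" "$k"
    rm -f "$t" "$k"
}
demo
```

On a live host, save `tcpdump -n -i ndis0 esp` and `setkey -D` output to files and pass them to `unknown_spis`; any SPI it prints is traffic the kernel has no SA to decrypt.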