On Wed, Jun 23, 2010 at 10:37:18AM +0200, r...@dzie-ciuch.pl wrote:
[...]
> > Do you also have later some logs like:
> > <date>: INFO : IPsec-SA established: ESP/Tunnel <IPs> <SPI>
> > 
> 
> Yes I got:
> 
> 2010-06-23 10:18:06: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
> 2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
> 2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel
> 78.x.x.x[0]->95.x.x.x[0] spi=3926551409(0xea0a6b71)
> 2010-06-23 10:25:30: DEBUG:  (proto_id=ESP spisize=4 spi=00000000
> spi_p=00000000 encmode=Tunnel reqid=0:0)
> 2010-06-23 10:25:30: DEBUG: pfkey GETSPI sent: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] 
> 2010-06-23 10:25:30: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] spi=126966409(0x7915a89)
> 
> Is it good?


Looks like, but if you still can't ping, you still have an issue
somewhere :-)

First, check that you now have ESP packets going out from your IPsec
gate when you try to ping.


Then, usual issues at that step are:

- something on the way blocks ESP packets. Solution may be to force
  NAT-T (add "nat_traversal force;" line in remote section).

- IPsec peers have some filtering rules/ACLs which block your traffic
  after IPsec.

- Peer does not have a default route, or something like that which
  prevents it from replying to you.

Anyways, the best tool now to see what happens is tcpdump.... on
peer's side !!!!


Yvan.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
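The quoted racoon output is the evidence the reply is judging: two "IPsec-SA established" lines (one per direction) followed by a later GETSPI that is never followed by its own "established" line. The script below is an added example, not part of this thread and not racoon's own tooling; it parses log lines in the format quoted above (each entry joined onto one line), confirms that both the outbound and inbound ESP SA exist for a given peer pair, and flags any SPI reserved via GETSPI that never reached "IPsec-SA established". The sample log lines are constructed for the example and the addresses 95.0.0.1 and 78.0.0.1 stand in for the masked IPs in the thread.

```python
import re

# Constructed sample lines modelled on the racoon output quoted above.
# Addresses are placeholders, not the poster's real hosts.
SAMPLE_LOG = """\
2010-06-23 10:18:06: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 95.0.0.1[0]->78.0.0.1[0] spi=224712000(0xd64d540)
2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel 95.0.0.1[0]->78.0.0.1[0] spi=224712000(0xd64d540)
2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel 78.0.0.1[0]->95.0.0.1[0] spi=3926551409(0xea0a6b71)
2010-06-23 10:25:30: DEBUG: pfkey GETSPI sent: ESP/Tunnel 95.0.0.1[0]->78.0.0.1[0]
2010-06-23 10:25:30: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 95.0.0.1[0]->78.0.0.1[0] spi=126966409(0x7915a89)
"""

# "<date time>: <LEVEL>: <message>" as racoon writes it
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?P<level>\w+): (?P<msg>.*)$"
)
# "ESP/Tunnel a.b.c.d[port]->e.f.g.h[port] spi=<dec>(0x<hex>)"; the spi part is optional
SA_RE = re.compile(
    r"(?P<proto>\w+)/(?P<mode>\w+) (?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\]"
    r"(?: spi=(?P<spi>\d+)\(0x[0-9a-fA-F]+\))?"
)

# Message prefixes we care about, mapped to a short event kind
KINDS = {
    "IPsec-SA established:": "established",
    "pfkey GETSPI succeeded:": "getspi",
    "pfkey UPDATE succeeded:": "update",
}


def parse_racoon_log(text):
    """Return a list of SA events (dicts) found in racoon log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        kind = next((k for prefix, k in KINDS.items() if msg.startswith(prefix)), None)
        if kind is None:
            continue
        sa = SA_RE.search(msg)
        if not sa:
            continue
        events.append({
            "ts": m.group("ts"),
            "kind": kind,
            "proto": sa.group("proto"),
            "mode": sa.group("mode"),
            "src": sa.group("src"),
            "dst": sa.group("dst"),
            "spi": int(sa.group("spi")) if sa.group("spi") else None,
        })
    return events


def established_spis(events):
    """Map (src, dst) -> list of SPIs that reached 'IPsec-SA established'."""
    out = {}
    for e in events:
        if e["kind"] == "established":
            out.setdefault((e["src"], e["dst"]), []).append(e["spi"])
    return out


def incomplete_negotiations(events):
    """GETSPI events whose SPI never appears in an 'established' line."""
    done = {e["spi"] for e in events if e["kind"] == "established"}
    return [e for e in events if e["kind"] == "getspi" and e["spi"] not in done]


def check_tunnel(events, local, peer):
    """Summarise SA state between local and peer: both directions up, and stalled SPIs."""
    est = established_spis(events)
    outbound = est.get((local, peer), [])
    inbound = est.get((peer, local), [])
    pending = [e for e in incomplete_negotiations(events)
               if {e["src"], e["dst"]} == {local, peer}]
    return {
        "outbound_ok": bool(outbound),
        "inbound_ok": bool(inbound),
        "outbound_spis": outbound,
        "inbound_spis": inbound,
        "pending": [(e["ts"], e["spi"]) for e in pending],
    }


if __name__ == "__main__":
    report = check_tunnel(parse_racoon_log(SAMPLE_LOG), "95.0.0.1", "78.0.0.1")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Both directions reporting an SPI is what "Is it good?" is really asking; a non-empty "pending" list means a later phase 2 reserved an SPI but never finished, which is worth correlating with the tcpdump on the peer side that the reply recommends.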
