I have a newly created VPN between a 4.8 box and a Cisco VPN 3000 Concentrator. The concentrator is not under my control, being owned by an associated company.
The policies are extremely restrictive, and permit a single host in our network (behind the FreeBSD end) to communicate with 2 hosts at the other end (behind the concentrator). I am able to establish the VPN from our host by pinging one of the hosts in the remote network. The VPN is established and all works fine, but I can only communicate with the one remote host I pinged to establish the VPN link. I am unable to communicate with the other host. If I tear down the IPsec tunnel, and re-establish the VPN by pinging the other remote IP address, communication is fine also, but only for the one single remote host I pinged.

Is anyone able to shed light on why this might be the case? Anonymised config files below.

Nick

/etc/ipsec.conf:

    flush;
    spdflush;
    spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
    spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
    spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
    spdadd 1.2.3.5/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;

Relevant portions of racoon.conf:

    remote 203.2.2.2 {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address "203.1.1.1";
        nonce_size 16;
        lifetime time 86400 sec;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    sainfo address 192.168.1.1/32 any address 1.2.3.4/32 any {
        pfs_group 2;
        lifetime time 86400 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    sainfo address 192.168.1.1/32 any address 1.2.3.5/32 any {
        pfs_group 2;
        lifetime time 86400 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
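An added consistency check for the configuration quoted above (example code, not from the poster or the FreeBSD project): it parses the spdadd lines and sainfo selectors, reports an outbound policy with no mirrored inbound policy, mismatched tunnel endpoints or no sainfo selector, and shows which SPD entry a given packet selects, since each distinct entry drives its own phase 2 negotiation. The sample entries are constructed from the post; the sainfo bodies are shortened.

```python
import re
import ipaddress

# Constructed sample based on the SPD and sainfo entries quoted in the post.
IPSEC_CONF = """
spdadd 192.168.1.1/32 1.2.3.4/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.4/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
spdadd 192.168.1.1/32 1.2.3.5/32 any -P out ipsec esp/tunnel/203.1.1.1-203.2.2.2/require;
spdadd 1.2.3.5/32 192.168.1.1/32 any -P in ipsec esp/tunnel/203.2.2.2-203.1.1.1/require;
"""
RACOON_CONF = """
sainfo address 192.168.1.1/32 any address 1.2.3.4/32 any { pfs_group 2; }
sainfo address 192.168.1.1/32 any address 1.2.3.5/32 any { pfs_group 2; }
"""

SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+esp/tunnel/([\d.]+)-([\d.]+)/(\w+)")
SAINFO_RE = re.compile(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+")

def parse_spd(text):
    """Each entry: (src, dst, direction, tunnel_src, tunnel_dst, level)."""
    return [m.groups() for m in SPD_RE.finditer(text)]

def parse_sainfo(text):
    """Set of (local selector, remote selector) pairs racoon has a phase 2 proposal for."""
    return {(m.group(1), m.group(2)) for m in SAINFO_RE.finditer(text)}

def policy_for(spd, src_ip, dst_ip):
    """Outbound SPD entry a packet src_ip -> dst_ip would match, or None.
    Each distinct entry triggers its own phase 2 (IPsec SA) negotiation."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src, dst, direction, *_ in spd:
        if direction == "out" and s in ipaddress.ip_network(src) and d in ipaddress.ip_network(dst):
            return (src, dst)
    return None

def check_policies(ipsec_conf, racoon_conf):
    """Lint: every outbound policy needs a mirrored inbound policy with swapped
    tunnel endpoints, and a sainfo selector so racoon can answer the kernel's acquire."""
    spd, sainfo, problems = parse_spd(ipsec_conf), parse_sainfo(racoon_conf), []
    ins = {(s, d): (ts, td) for s, d, dr, ts, td, _ in spd if dr == "in"}
    for s, d, dr, ts, td, _ in spd:
        if dr != "out":
            continue
        if ins.get((d, s)) is None:
            problems.append(f"no inbound policy mirrors {s} -> {d}")
        elif ins[(d, s)] != (td, ts):
            problems.append(f"inbound policy {d} -> {s} does not swap the tunnel endpoints")
        if (s, d) not in sainfo:
            problems.append(f"no sainfo selector for {s} -> {d}")
    return problems
```

Running check_policies on the quoted entries returns no problems, which points the investigation at the concentrator side (how it treats a second phase 2 SA on the same phase 1) rather than at the FreeBSD selectors.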