Hi, could you please provide a pcap of such an exchange? Thanks, HJ.
On Wed, Oct 18, 2006 at 11:57:53AM +0200, Mitja Mu?eni? wrote:
>
> Just a quick question if anybody has had the same problem, or contrary, if
> anybody has a success story with SEF. I'm trying to establish an IPsec
> tunnel between OpenBSD 3.9 and Symantec Enterprise Firewall 7.0.4 (NT/2k)
> which is not under my control.
>
> The negotiation goes through normally, but immediately afterwards the remote
> end sends a "DELETE" notification. The tunnel is still up on OpenBSD's end,
> but no traffic ever reaches the destination.
>
> The remote end (Symantec) spits out (obfuscated to protect the innocent):
>
> "VPN packet dropped (213.aaa.bbb.ccc->217.ddd.eee.fff: Protocol=IPSEC-ESP
> spi=0xa0723686): Received IPCOMP packet on a tunnel that was not configured
> for compression (tunnel [EMAIL PROTECTED] <VPN_tunnel_*****>)"
>
>
> This error message is funny because as far as I know, OpenBSD does not
> support IPCOMP in automatic IKE through isakmpd. Any idea why Symantec would
> believe that we are sending it IPCOMP traffic?
>
>
> I even checked that net.inet.ipcomp.enable=0 - not that I know if it's
> applicable to IPsec at all. I suspect this is a bug in SEF, but can't find
> anything on google or mailing list archives. Nothing special in my
> isakmpd.conf, I have multiple tunnels working to other vendors' VPN peers.
>
>
> Regards,
>
> Mitja