Folks, I'm running 4.8-stable on one end and 4.5-stable at the other of a site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are working before upgrading the 4.5-stable end.) The tunnel is configured using ipsec.conf and ipsecctl, and the relevant portions of the configs are:
4.8 side
----------
ike esp from $internal_subnet \
        to $outpost_subnet \
        local $fios_tunnel_host \
        peer $outpost_tunnel_host

4.5 side
----------
ike passive esp from $local_network to $remote_network peer $remote_gateway_ip

The flows and SAs that come up are:

4.8 side
----------
FLOWS:
flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type use
flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type require
SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth hmac-sha2-256 enc aes

4.5 side
----------
FLOWS:
flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require
SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth hmac-sha2-256 enc aes

Relevant pf rules are:

4.8 side
----------
pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port = isakmp keep state
pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep state
pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port = isakmp keep state
pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep state

4.5 side
----------
pass log quick on enc0
pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 500
pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 500
pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 4500
pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 4500
pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173

The security associations come up just fine, and I can see packets going into the tunnel at the 4.8 end on enc0, and I can see the packets going out over ESP to the destination, but they never show up on enc0 at the 4.5 end.

What's really frustrating is that

a) other tunnels to Sonicwall devices work just fine from the 4.8 side
b) I am upgrading the device that is now 4.8 from a 4.5 installation, and the tunnel worked just fine before.

Any ideas on what might be happening or how to further troubleshoot this?

--Paul
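One check worth doing before going further is to confirm mechanically that the two gateways' flow and SA tables are exact mirrors of each other, since a single transposed subnet, id or SPI on one side is enough for ESP to arrive and be silently dropped before it reaches enc0. The script below is an added example written for this post, not code from the poster or from OpenBSD: it parses the two `ipsecctl -sa` style listings quoted above (embedded verbatim as sample input), derives for every flow the counterpart the other gateway must hold (same subnets, direction reversed, peer and ids swapped), checks that both sides report the identical SA pairs and that each flow has an SA pointing the right way, and prints any disagreement. The parsing regexes and the mirror rule are assumptions based on the output format shown in the post.

```python
import re

# Sample input: the two listings quoted in the post above, reproduced as text.
SIDE_48 = """\
FLOWS:
flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type use
flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type require
SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth hmac-sha2-256 enc aes
"""

SIDE_45 = """\
FLOWS:
flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require
SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0xffff2d0b auth hmac-sha2-256 enc aes
"""

# Assumed line layouts, taken from the output format quoted in the post.
FLOW_RE = re.compile(
    r"flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) peer (?P<peer>\S+) "
    r"srcid (?P<srcid>\S+) dstid (?P<dstid>\S+) type (?P<type>\S+)")
SA_RE = re.compile(
    r"esp tunnel from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-fA-F]+) "
    r"auth (?P<auth>\S+) enc (?P<enc>\S+)")


def parse_ipsecctl(text):
    """Return (flows, sas): lists of dicts parsed from one gateway's listing."""
    flows, sas = [], []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(m.groupdict())
            continue
        m = SA_RE.match(line.strip())
        if m:
            sas.append(m.groupdict())
    return flows, sas


def mirror_flow(flow):
    """The flow the other gateway must carry for this one to see traffic:
    same subnets, opposite direction, peer/srcid/dstid seen from the far end."""
    return {
        "dir": "out" if flow["dir"] == "in" else "in",
        "src": flow["src"],
        "dst": flow["dst"],
        "peer": flow["srcid"].split("/")[0],
        "srcid": flow["dstid"],
        "dstid": flow["srcid"],
    }


def _flow_key(flow):
    return tuple(flow[k] for k in ("dir", "src", "dst", "peer", "srcid", "dstid"))


def _sa_key(sa):
    return (sa["src"], sa["dst"], sa["spi"].lower(), sa["auth"], sa["enc"])


def _has_sa_for_flow(flow, sas):
    """An 'in' flow needs an SA from the peer to us, an 'out' flow one from us to the peer."""
    local = flow["srcid"].split("/")[0]
    want = (flow["peer"], local) if flow["dir"] == "in" else (local, flow["peer"])
    return any((sa["src"], sa["dst"]) == want for sa in sas)


def compare_sides(text_a, text_b):
    """Return a list of mismatch descriptions; an empty list means both gateways agree."""
    flows_a, sas_a = parse_ipsecctl(text_a)
    flows_b, sas_b = parse_ipsecctl(text_b)
    problems = []

    keys_a = {_flow_key(f) for f in flows_a}
    keys_b = {_flow_key(f) for f in flows_b}
    for side, flows, other_keys in (("A", flows_a, keys_b), ("B", flows_b, keys_a)):
        for f in flows:
            if _flow_key(mirror_flow(f)) not in other_keys:
                problems.append("no mirror on the other side for %s flow %s %s -> %s"
                                % (side, f["dir"], f["src"], f["dst"]))

    # The SAD is negotiated state, so both gateways must list identical SA pairs.
    set_a, set_b = {_sa_key(s) for s in sas_a}, {_sa_key(s) for s in sas_b}
    for sa in sorted(set_a - set_b):
        problems.append("SA only on side A: %s -> %s spi %s" % sa[:3])
    for sa in sorted(set_b - set_a):
        problems.append("SA only on side B: %s -> %s spi %s" % sa[:3])

    # Every flow must have an SA pointing the right way on its own gateway.
    for side, flows, sas in (("A", flows_a, sas_a), ("B", flows_b, sas_b)):
        for f in flows:
            if not _has_sa_for_flow(f, sas):
                problems.append("side %s %s flow %s -> %s has no matching SA"
                                % (side, f["dir"], f["src"], f["dst"]))
    return problems


if __name__ == "__main__":
    for line in compare_sides(SIDE_48, SIDE_45) or ["flows and SAs agree on both gateways"]:
        print(line)
```

Run against the two listings from the post the script reports no disagreement, which is itself useful information: it rules out a policy or SA mismatch and points the search towards what happens to the ESP packets between the wire and enc0 on the 4.5 end (pf, the enc interface, or the kernel's SA lookup) rather than towards the IKE negotiation.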