Chris Cowen:
>A bit more investigation reveals that the SA is re-established but the
>SPD entries at the remote get dropped. This would explain the half duplex
>communication I am seeing with tcpdump (ping responses get back as far
>as the remote racoon machine and the lack of SPD means the machin
> Take a look at PRs 61685 and 76539. Hope that helps.
Well, I was aware of the first one (I'm doing shaping on my internal
interface as a workaround), but not the second one. The second one
is very new and this could indeed be the same problem I encountered.
It seems that the import of IPFilter
> "Crist" == Crist J Clark <[EMAIL PROTECTED]> writes:
Hi,
Crist> Now that NAT-T has moved on from Internet Draft to RFC, does
Crist> anyone out there know if anyone is working on an implementation
Crist> for FAST_IPSEC or KAME? I believe the isakmpd(8) daemon in ports
Crist> supports it,
IIRC, the problem occurs when racoon(8) is set to "create policy" on the
fly. What happens is that when the SA gets stale, but before it expires,
racoon(8) creates a new SA. But since there is an existing entry in the
SPD, a new one cannot be made. When the old SA times out, its
accompanying S
Tom Farrell wrote:
BSD 5.0 3 NIC cards.
Card 1 connects to DSL network and assigned routable IP from the
ISP
Card 2 connects to a private frame-relay network and is assigned
192.168.66.2/22 directly connected interface is 192.168.66.1/22
Card 3 connects lan is assigne
Hello,
I have three totally distinct network connections at
my office. We have an ISDN line, a T1, and a DSL
connection. I do not need to worry about the
particulars of each connection, because I actually
have an ethernet drop for each of them - someone else
does the routing/csu-dsu/etc. - I jus