On Thu, Aug 19, 2004 at 11:00:18AM -0300, Martín Chikilian wrote:
> >Everything originating from the other side is accepted, as far as I
> >know, by this rule ... or do I need to explicitly specify something for
> >ipsec to be accepted? Accepting everything with ip-address of the other
> >side should be enough, right?
>
> I think it is, but in doubt, so accept it explicitly with iptables -A
> INPUT -p esp -s ip -j ACCEPT

Nope, no success.

> If this doesn't work, check isakmp.c at line 253, check_recvdpkt ()
> found at
> http://idsa.irisa.fr/cgi-bin/kame/http/source/kame/kame/racoon/isakmp.c
> or in your racoon source, and timers in your racoon.conf
>
> Ciao, Martin

The code at line 253 simply checks for duplicate packets, and ignores them,
as far as I can understand. The question is, why is the duplicate packet
sent? Apparently, the initiator doesn't receive the reply of the remote
end ... but the initiator's firewall has a default policy of ACCEPT ... so
that shouldn't be the problem, either!

I didn't change the timers section, it is still at the default values:

timer {
        # These values can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

-- 
Michel Wilson           michel@crondor.net
PGP key ID 0xD2CB4B7E
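As an added example (not code from this thread or from racoon), the duplicate check Martín points at, done offline in Python over a capture of UDP/500 traffic: it parses the ISAKMP header of each datagram, flags byte-identical retransmits the way check_recvdpkt() does, and reports whether the peer ever answered that SA, which is the question Michel is asking. The capture, addresses, cookies and payload bytes below are constructed for the demonstration.

```python
import struct
from collections import Counter

# ISAKMP (RFC 2408) fixed header, 28 bytes, big-endian: initiator cookie (8),
# responder cookie (8), next payload, version, exchange type, flags (1 each),
# message ID (4), total length (4).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGES = {2: "identity-protection (phase 1)", 4: "aggressive (phase 1)",
             5: "informational", 32: "quick mode (phase 2)"}

def parse_isakmp(datagram):
    """Return the header fields of one UDP/500 datagram as a dict."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the ISAKMP header")
    ic, rc, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("length field %d != datagram size %d" % (length, len(datagram)))
    return {"icookie": ic.hex(), "rcookie": rc.hex(), "msgid": msgid,
            "version": "%d.%d" % (ver >> 4, ver & 0xF), "exchange": EXCHANGES.get(xchg, str(xchg))}

def find_retransmits(packets):
    """packets: list of (src_ip, dst_ip, datagram) in capture order. A retransmit
    is a byte-identical datagram from the same source to the same destination
    seen more than once (what check_recvdpkt() drops). For each, also report
    whether the peer sent anything back on that SA (same initiator cookie)."""
    copies = Counter(packets)
    report = []
    for (src, dst, pkt), n in copies.items():
        if n < 2:
            continue
        hdr = parse_isakmp(pkt)
        replied = any(s == dst and d == src and parse_isakmp(p)["icookie"] == hdr["icookie"]
                      for s, d, p in packets)
        report.append({"src": src, "dst": dst, "exchange": hdr["exchange"],
                       "msgid": hdr["msgid"], "copies": n, "peer_replied": replied})
    return report

def build(icookie, rcookie, xchg, msgid, body):
    """Constructed ISAKMP datagram (header + opaque body), for the demo only."""
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, xchg, 0, msgid,
                           ISAKMP_HDR.size + len(body)) + body

IC, RC, NONE = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff"), bytes(8)
# Constructed capture as seen on the responder (10.0.0.2): the initiator's first
# phase-1 message arrives three times although a reply went out, so the reply is
# being lost between the peers (or dropped on arrival), not withheld.
SAMPLE = [("10.0.0.1", "10.0.0.2", build(IC, NONE, 2, 0, b"SA-proposal")),
          ("10.0.0.2", "10.0.0.1", build(IC, RC, 2, 0, b"SA-reply")),
          ("10.0.0.1", "10.0.0.2", build(IC, NONE, 2, 0, b"SA-proposal")),
          ("10.0.0.1", "10.0.0.2", build(IC, NONE, 2, 0, b"SA-proposal"))]
```

With copies greater than one and peer_replied true, the responder is doing its part and the place to look is the path back to the initiator (tcpdump on both ends of the UDP/500 exchange); with peer_replied false, the responder itself never answered.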