Re: IPSec initialization problems


 





Michel Wilson wrote:
> I think it is, but in doubt, so accept it explicitly with iptables -A INPUT -p esp -s ip -j ACCEPT

No ESP traffic is exchanged until the racoons agree on keys. Therefore drilling a hole for ESP is too early, will not fix the problem, and, given that a connection initiated from the other end is working, is most likely unnecessary.


I would recommend running racoon in debug mode (-ddd) and searching for lines about dropped [information exchange] packets. What these packets want to tell you can be learned by tcpdump'ing port 500, as racoon just states that it ignored an unsigned packet. This should give you the reason why your connection is not established.


-- Aidas Kasparas IT administrator GM Consult Group, UAB
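
An added example, not part of the original message: a small decoder for the UDP payload of a port 500 packet, showing how an unencrypted Informational exchange carries a readable notify type (field layout and numbers per RFC 2408). The function names are hypothetical and the sample packet is constructed.

```python
import struct

# Exchange and notify message type numbers from RFC 2408 (ISAKMP).
EXCHANGE = {2: "Identity Protection", 4: "Aggressive", 5: "Informational"}
NOTIFY = {1: "INVALID-PAYLOAD-TYPE", 14: "NO-PROPOSAL-CHOSEN",
          18: "INVALID-ID-INFORMATION", 23: "INVALID-HASH-INFORMATION",
          24: "AUTHENTICATION-FAILED"}
P_HASH, P_NOTIFY = 8, 11      # payload type numbers
FLAG_ENCRYPTED = 0x01         # bit 0 of the header flags field
HDR = "!8s8sBBBBII"           # cookies, next payload, version, exchange, flags, msg id, length

def decode_isakmp(udp_payload: bytes) -> dict:
    """Decode the ISAKMP header and, if in the clear, walk the payload chain."""
    if len(udp_payload) < 28:
        raise ValueError("shorter than an ISAKMP header")
    _ic, _rc, next_pl, _ver, xchg, flags, _mid, length = struct.unpack(HDR, udp_payload[:28])
    if length > len(udp_payload):
        raise ValueError("truncated packet")
    info = {"exchange": EXCHANGE.get(xchg, f"type {xchg}"),
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "has_hash": False,   # a HASH payload is what authenticates the message
            "notify": []}
    if info["encrypted"]:
        return info              # payloads are not readable without the keys
    off = 28
    while next_pl != 0 and off + 4 <= length:
        following, _reserved, plen = struct.unpack("!BBH", udp_payload[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        if next_pl == P_HASH:
            info["has_hash"] = True
        elif next_pl == P_NOTIFY and plen >= 12:
            # DOI, protocol id, SPI size, notify message type
            _doi, _proto, _spi, ntype = struct.unpack("!IBBH", udp_payload[off + 4:off + 12])
            info["notify"].append(NOTIFY.get(ntype, f"type {ntype}"))
        next_pl, off = following, off + plen
    return info

def sample_packet() -> bytes:
    """Constructed sample: cleartext Informational exchange with one notify payload."""
    notify = struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, 14)
    header = struct.pack(HDR, b"\x11" * 8, b"\x00" * 8, P_NOTIFY, 0x10, 5, 0,
                         0x1234, 28 + len(notify))
    return header + notify

if __name__ == "__main__":
    print(decode_isakmp(sample_packet()))
```

A result with "has_hash" false and "encrypted" false is the kind of unauthenticated informational packet described above; the notify name is the peer's stated reason.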
