Re: IPSec initialization problems

On Thu, Aug 19, 2004 at 07:17:20PM +0300, Aidas Kasparas wrote:
> 
> 
> Michel Wilson wrote:
> >>I think it is, but in doubt, so accept it explicitly with iptables -A 
> >>INPUT -p esp -s ip -j ACCEPT
> 
> No ESP traffic is exchanged until the racoons agree on keys. Therefore 
> drilling a hole for ESP is too early, will not fix the problem, and, given 
> that the connection initiated from the other end is working, most likely 
> unnecessary.
> 
> I would recommend running racoon in debug mode (-ddd) and searching for lines 
> about dropped [information exchange] packets. What these packets want to 
> tell you can be learnt by tcpdump'ing port 500, as racoon just states 
> that it ignored a not-signed packet. This should give you the reason why your 
> connection is not established.
> 

There are no messages about dropped packets in the debug output, the
only errors are the resend messages, and the timeout messages. If you
are interested, the full exchange between the systems can be found on my
webserver. A dump of the initiator is here:
http://aeon.hgd.crondor.net/~michel/capture-aeon and the responder is
here: http://aeon.hgd.crondor.net/~michel/capture-procyon. As far as I
can see, both captures are fully identical, so no packets are dropped.
Currently, I've completely run out of ideas as to what I should do next
:P

Regards,

Michel.
-- 
Michel Wilson     michel@crondor.net
PGP key ID        0xD2CB4B7E

Attachment: pgpvXpYzXkwjZ.pgp
Description: PGP signature
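The advice quoted above is to read the ISAKMP (IKEv1) packets on UDP port 500 yourself, since racoon's debug log only says that it ignored an unprotected informational message. The following is an added example, not code from this thread or from racoon: it decodes the fixed 28-byte ISAKMP header (RFC 2408, section 3.1) from raw UDP payloads, names the exchange type, and picks out informational exchanges that arrive without the Encryption flag, which is exactly the kind of packet an IKE daemon will discard before a phase 1 SA exists. The three packets in `SAMPLE_PACKETS` are constructed for the example; in practice you would feed it the UDP payloads extracted from your tcpdump capture with a pcap library.

```python
"""Decode ISAKMP (IKEv1) headers from UDP/500 payloads (added example).

Header layout from RFC 2408 section 3.1, all fields network byte order:
  8  bytes initiator cookie
  8  bytes responder cookie (all zero in the first message of phase 1)
  1  byte  next payload type
  1  byte  version (major in high nibble, minor in low nibble)
  1  byte  exchange type
  1  byte  flags (bit 0 Encryption, bit 1 Commit, bit 2 Authentication Only)
  4  bytes message ID (zero during phase 1)
  4  bytes total message length in bytes
"""
import struct
from dataclasses import dataclass

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28 bytes

EXCHANGE_TYPES = {
    0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    32: "Quick Mode", 33: "New Group Mode",
}
FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTION)

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_TYPES.get(self.exchange_type, f"unknown({self.exchange_type})")


def parse_isakmp_header(payload: bytes) -> IsakmpHeader:
    """Parse the fixed header; reject truncated or length-inconsistent payloads."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError(f"payload too short for ISAKMP header: {len(payload)} bytes")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError(f"header length {length} does not match payload length {len(payload)}")
    return IsakmpHeader(icookie, rcookie, nxt, ver >> 4, ver & 0x0F, xchg, flags, msgid, length)


def describe(payload: bytes) -> str:
    """One tcpdump-style summary line for a packet."""
    h = parse_isakmp_header(payload)
    prot = "encrypted" if h.encrypted else "cleartext"
    return (f"{h.exchange_name} v{h.major_version}.{h.minor_version} next={h.next_payload} "
            f"flags=0x{h.flags:02x} msgid=0x{h.message_id:08x} len={h.length} ({prot})")


def find_unprotected_informational(packets):
    """Informational exchanges sent without the Encryption flag.

    Before phase 1 completes, a daemon has no SA to protect these with, so it
    ignores them; they are the first thing to look at when racoon logs dropped
    information-exchange packets."""
    return [h for h in map(parse_isakmp_header, packets)
            if h.exchange_type == 5 and not h.encrypted]


def build_isakmp(icookie, rcookie, next_payload, exchange_type, flags, message_id, body):
    """Construct a packet with a consistent length field (used only for sample data)."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, 0x10,
                           exchange_type, flags, message_id, length) + body


# Constructed sample traffic (cookies and payload bodies are placeholders).
ICOOKIE = bytes.fromhex("0a1b2c3d4e5f6071")
RCOOKIE = bytes.fromhex("7160f5e4d3c2b1a0")
SAMPLE_PACKETS = [
    # Main Mode message 1: responder cookie still zero, next payload 1 = SA
    build_isakmp(ICOOKIE, bytes(8), 1, 2, 0, 0, b"\x00" * 20),
    # Informational (e.g. a notification) sent in the clear, next payload 11 = N
    build_isakmp(ICOOKIE, RCOOKIE, 11, 5, 0, 0x1234ABCD, b"\x00" * 12),
    # Quick Mode message under the phase 1 SA, next payload 8 = HASH
    build_isakmp(ICOOKIE, RCOOKIE, 8, 32, FLAG_ENCRYPTION, 0x55667788, b"\x00" * 16),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(describe(p))
    for h in find_unprotected_informational(SAMPLE_PACKETS):
        print(f"unprotected informational, msgid=0x{h.message_id:08x}: likely ignored by the peer")
```

Comparing the decoded exchange types and message IDs from both captures side by side shows whether the two daemons are even in the same exchange; a cleartext Informational with a non-zero message ID appearing before any Quick Mode traffic is the packet to look at first.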
