Joshua Schmidlkofer wrote:
Now that I am over my fan-boy moment, what is the recommended practice?
I have upgraded to ipsec-tools 0.5 -- as Patrick points out, the fwd rule gets added automagically.
-Tom
Thanks for your excellent responses. Now I have upgraded both ends to 0.5_rc1. I have tried w/ and w/o the "fwd"s. The exciting new problem =), is any packet I try to send results in a "connect: Resource temporarily unavailable". (ping specifically)
I can ping the outside addresses, but I think my policies may be incorrect, since pings are now in clear-text. I cannot actually get any packets through via IPSec.
For the first ping I get the above, and both systems collect this in their syslogs:
Feb 9 15:38:04 [racoon] INFO: IPsec-SA request for 5.5.5.5 queued due to no phase1 found.
Feb 9 15:38:04 [racoon] INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>5.5.5.5[500]
Feb 9 15:38:04 [racoon] INFO: begin Identity Protection mode.
Feb 9 15:38:04 [racoon] INFO: received Vendor ID: DPD
Feb 9 15:38:05 [racoon] INFO: ISAKMP-SA established 2.2.2.2[500]-5.5.5.5[500] spi:f3a3a7e555bf87b5:f78f1ea459a4c8b4
Feb 9 15:38:05 [racoon] INFO: initiate new phase 2 negotiation: 2.2.2.2[0]<=>5.5.5.5[0]
Feb 9 15:38:05 [racoon] INFO: IPsec-SA established: ESP/Transport 5.5.5.5->2.2.2.2 spi=96593215(0x5c1e53f)
Feb 9 15:38:05 [racoon] INFO: IPsec-SA established: ESP/Transport 2.2.2.2->5.5.5.5 spi=259250124(0xf73d7cc)
ten seconds later the initiator got this event:
Feb 9 15:38:15 [racoon] NOTIFY: the packet is retransmitted by 5.5.5.5[500]._
--
Every successive packet generates the following events: (but no more notifies)
Feb 9 15:40:08 [racoon] INFO: initiate new phase 2 negotiation: 2.2.2.2[0]<=>5.5.5.5[0]
Feb 9 15:40:09 [racoon] INFO: IPsec-SA established: ESP/Transport 5.5.5.5->2.2.2.2 spi=145118(0x236de)
Feb 9 15:40:09 [racoon] INFO: IPsec-SA established: ESP/Transport 2.2.2.2->5.5.5.5 spi=48917450(0x2ea6bca)
So it looks like phase 2 never errors out, and it never succeeds.
Clues?
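An added example, not part of the thread: a small parser for the racoon syslog lines quoted above that summarises phase 1 / phase 2 activity per peer pair and flags the pattern described in the post, a fresh phase 2 (new SPIs) for every packet sent plus the retransmission notify. The sample lines are copied from the post; the analysis, its keys and the churn rule are my own.

```python
import re
from collections import Counter, defaultdict

# Racoon syslog lines taken from the post above (same timestamps and SPIs).
SAMPLE_LOG = """\
Feb 9 15:38:04 [racoon] INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>5.5.5.5[500]
Feb 9 15:38:05 [racoon] INFO: ISAKMP-SA established 2.2.2.2[500]-5.5.5.5[500] spi:f3a3a7e555bf87b5:f78f1ea459a4c8b4
Feb 9 15:38:05 [racoon] INFO: initiate new phase 2 negotiation: 2.2.2.2[0]<=>5.5.5.5[0]
Feb 9 15:38:05 [racoon] INFO: IPsec-SA established: ESP/Transport 5.5.5.5->2.2.2.2 spi=96593215(0x5c1e53f)
Feb 9 15:38:05 [racoon] INFO: IPsec-SA established: ESP/Transport 2.2.2.2->5.5.5.5 spi=259250124(0xf73d7cc)
Feb 9 15:38:15 [racoon] NOTIFY: the packet is retransmitted by 5.5.5.5[500].
Feb 9 15:40:08 [racoon] INFO: initiate new phase 2 negotiation: 2.2.2.2[0]<=>5.5.5.5[0]
Feb 9 15:40:09 [racoon] INFO: IPsec-SA established: ESP/Transport 5.5.5.5->2.2.2.2 spi=145118(0x236de)
Feb 9 15:40:09 [racoon] INFO: IPsec-SA established: ESP/Transport 2.2.2.2->5.5.5.5 spi=48917450(0x2ea6bca)
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \[racoon\] (\w+): (.*)$")
PH1_RE = re.compile(r"ISAKMP-SA established (\S+?)\[\d+\]-(\S+?)\[\d+\]")
PH2_RE = re.compile(r"initiate new phase 2 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")
SA_RE = re.compile(r"IPsec-SA established: \S+ (\S+)->(\S+) spi=(\d+)")
RETRANS_RE = re.compile(r"packet is retransmitted by (\S+?)\[\d+\]")

def analyze(log_text):
    """Summarise racoon activity per peer pair; a new phase 2 for every packet means
    the SAs racoon installs are never reused, so the SPD/SAD match is worth checking."""
    phase1 = 0
    phase2_rounds = Counter()            # (peerA, peerB) -> negotiations started
    sas = defaultdict(list)              # (src, dst) -> SPIs installed, in order
    retransmits = Counter()              # peer -> retransmitted-packet notifies
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                     # not a racoon line; ignore
        level, msg = m.groups()
        if (p := PH1_RE.search(msg)):
            phase1 += 1
        elif (p := PH2_RE.search(msg)):
            phase2_rounds[tuple(sorted(p.groups()))] += 1
        elif (p := SA_RE.search(msg)):
            src, dst, spi = p.groups()
            sas[(src, dst)].append(int(spi))
        elif level == "NOTIFY" and (p := RETRANS_RE.search(msg)):
            retransmits[p.group(1)] += 1
    # More than one phase 2 round for the same pair in this short log is SA churn:
    # each packet triggered a fresh negotiation instead of using the SA just installed.
    churn = sorted(pair for pair, n in phase2_rounds.items() if n > 1)
    return {"phase1": phase1, "phase2_rounds": dict(phase2_rounds),
            "sas": dict(sas), "retransmits": dict(retransmits), "churn": churn}
```

Run `analyze(SAMPLE_LOG)` on the quoted lines and the pair 2.2.2.2/5.5.5.5 shows two phase 2 rounds with four distinct SPIs and one retransmission, which is the "never errors out, never succeeds" behaviour seen from the policy side.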