Joshua,
I have the impression that SAs do not get negotiated successfully. Could you please look at the "setkey -D" (not -DP) output at both sides and see that both sides agree on SAs?
Also, do you use NAT? If so, please look at http://ipsec-tools.sf.net/checklist.html#not_natted (other checks may also help)
Tom Eastep wrote:
Joshua Schmidlkofer wrote:
Now that I am over my fan-boy moment, what is the recommended practice?
I have upgraded to ipsec-tools 0.5 -- as Patrick points out, the fwd rule gets added automagically.
-Tom
Thanks for your excellent responses. Now I have upgraded both ends to 0.5_rc1. I have tried w/ and w/o the "fwd"s. The exciting new problem =), is any packet I try to send results in a "connect: Resource temporarily unavailable". (ping specifically)
I can ping the outside addresses, but I think my policies may be incorrect, since pings are now in clear-text. I cannot actually get any packets through via IPSec. For the first ping I get the above, and both systems collect this in their syslogs:
Feb 9 15:38:04 [racoon] INFO: IPsec-SA request for 5.5.5.5 queued due to no phase1 found.
Feb 9 15:38:04 [racoon] INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>5.5.5.5[500]
Feb 9 15:38:04 [racoon] INFO: begin Identity Protection mode.
Feb 9 15:38:04 [racoon] INFO: received Vendor ID: DPD
Feb 9 15:38:05 [racoon] INFO: ISAKMP-SA established 2.2.2.2[500]-5.5.5.5[500] spi:f3a3a7e555bf87b5:f78f1ea459a4c8b4
Feb 9 15:38:05 [racoon] INFO: initiate new phase 2 negotiation: 2.2.2.2[0]<=>5.5.5.5[0]
Feb 9 15:38:05 [racoon] INFO: IPsec-SA established: ESP/Transport 5.5.5.5->2.2.2.2 spi=96593215(0x5c1e53f)
Feb 9 15:38:05 [racoon] INFO: IPsec-SA established: ESP/Transport 2.2.2.2->5.5.5.5 spi=259250124(0xf73d7cc)
ten seconds later the initiator got this event:
Feb 9 15:38:15 [racoon] NOTIFY: the packet is retransmitted by 5.5.5.5[500].
--
Every successive packet generates the following events (but no more notifies):
Feb 9 15:40:08 [racoon] INFO: initiate new phase 2 negotiation: 2.2.2.2[0]<=>5.5.5.5[0]
Feb 9 15:40:09 [racoon] INFO: IPsec-SA established: ESP/Transport 5.5.5.5->2.2.2.2 spi=145118(0x236de)
Feb 9 15:40:09 [racoon] INFO: IPsec-SA established: ESP/Transport 2.2.2.2->5.5.5.5 spi=48917450(0x2ea6bca)
So it looks like phase 2 never errors out, and it never succeeds.
Clues?
-
send the line "unsubscribe linux-net" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
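The check Aidas suggests, comparing the `setkey -D` security association database on both peers, as an added example that is not part of the thread. The two `setkey -D` dumps are constructed samples whose layout is modelled on ipsec-tools' output (an assumption), using the SPIs from the quoted racoon log; one side is deliberately given a stale SPI so the mismatch shows up.

```python
import re

# Constructed `setkey -D` sample as seen on host 2.2.2.2 (layout assumed from
# ipsec-tools; SPIs are the ones racoon logged in the thread).
SETKEY_D_HOST_A = """\
5.5.5.5 2.2.2.2
\tesp mode=transport spi=96593215(0x05c1e53f) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
2.2.2.2 5.5.5.5
\tesp mode=transport spi=259250124(0x0f73d7cc) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# Constructed view on host 5.5.5.5: the inbound direction still carries the SPI
# from the later phase-2 run (145118), so the peers disagree on that SA.
SETKEY_D_HOST_B = """\
5.5.5.5 2.2.2.2
\tesp mode=transport spi=145118(0x000236de) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
2.2.2.2 5.5.5.5
\tesp mode=transport spi=259250124(0x0f73d7cc) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# Unindented "src dst" header line that opens each SA entry.
HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")
# Indented protocol line: "esp mode=transport spi=<dec>(0x<hex>) ..."
SA_LINE = re.compile(r"^\s+(esp|ah)\s+mode=(\w+)\s+spi=(\d+)\(0x[0-9a-f]+\)")


def parse_setkey_d(text):
    """Return a set of (src, dst, proto, mode, spi) tuples from `setkey -D` output."""
    sas, src, dst = set(), None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            src, dst = m.groups()
            continue
        m = SA_LINE.match(line)
        if m and src is not None:
            proto, mode, spi = m.groups()
            sas.add((src, dst, proto, mode, int(spi)))
    return sas


def compare_sad(side_a, side_b):
    """SAs both peers agree on, plus those only one side knows about."""
    a, b = parse_setkey_d(side_a), parse_setkey_d(side_b)
    return {"agreed": a & b, "only_a": a - b, "only_b": b - a}


if __name__ == "__main__":
    for name, sas in compare_sad(SETKEY_D_HOST_A, SETKEY_D_HOST_B).items():
        print(name, sorted(sas))
```

Any entry under only_a or only_b is an SA one kernel will try to use while the other has no matching SPI for it, which matches the symptom of phase 2 "succeeding" in the log while no ESP traffic gets through.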