I am using the following setkey rules, and the mirror on the other system.

spdadd 192.168.50.45 192.168.50.211[22] tcp -P out none;
spdadd 192.168.50.211[22] 192.168.50.45 tcp -P in none;
spdadd 192.168.50.45 192.168.50.211 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 192.168.50.211 192.168.50.45 any -P in ipsec esp/transport//require ah/transport//require;

Ssh works fine between the systems, but attempts to establish any other connection fail with the following messages on the destination system.

May 3 09:44:53 gtway2 racoon: INFO: respond new phase 1 negotiation: 192.168.50.211[500]<=>192.168.50.45[500]
May 3 09:44:53 gtway2 racoon: INFO: begin Identity Protection mode.
May 3 09:44:53 gtway2 racoon: INFO: ISAKMP-SA established 192.168.50.211[500]-192.168.50.45[500] spi:59eb21f5b7639c24:750588e6931651bb
May 3 09:44:54 gtway2 racoon: INFO: respond new phase 2 negotiation: 192.168.50.211[0]<=>192.168.50.45[0]
May 3 09:44:54 gtway2 racoon: ERROR: policy found, but no IPsec required: 192.168.50.211/32[0] 192.168.50.45/32[0] proto=any dir=out
May 3 09:44:54 gtway2 racoon: ERROR: failed to get proposal for responder.
May 3 09:44:54 gtway2 racoon: ERROR: failed to pre-process packet.

If I remove the first two rules on both systems and make all traffic between the 2 systems use ipsec, then everything works fine. I have googled for this problem, but see mainly old reports from BSD but can see no solution.