Subject: Re: IPSec w. IPv4 Wierdness
To: Alex Barclay <firstname.lastname@example.org>
From: None <email@example.com>
Date: 01/02/2001 11:39:29
>Office Net ------ Cisco 2600 -------------- Netbsd ---------------- Windoze
>10.2.0.0/24       10.2.2.36,22.214.171.124  126.96.36.199,10.3.3.3  10.3.3.32
>I first run isakmpd and I can now ping and telnet from 10.3.3.3 to all
>machines on 10.2.0.0 I now terminate isakmpd and I can still ping in the
>same manner. No SA will have expired yet..
>Now if I try to ping from 10.3.3.32 to 10.2.0.0 then the original ping
>stops. I just noticed something even weirder here... The ping restarts
>some time later
>64 bytes from 10.2.16.2: icmp_seq=47 ttl=254 time=200.756 ms
>64 bytes from 10.2.16.2: icmp_seq=48 ttl=254 time=205.326 ms
>64 bytes from 10.2.16.2: icmp_seq=49 ttl=254 time=217.328 ms
>64 bytes from 10.2.16.2: icmp_seq=387 ttl=254 time=264.315 ms
>64 bytes from 10.2.16.2: icmp_seq=389 ttl=254 time=243.434 ms
>64 bytes from 10.2.16.2: icmp_seq=391 ttl=254 time=292.307 ms
>64 bytes from 10.2.16.2: icmp_seq=393 ttl=254 time=240.245 ms
>Any timers at 340 seconds?
i don't think so.
if you see this symptom again, run tcpdump on outside interface
(188.8.131.52), to see which side is having trouble.
>During the time when no ping occurs I can capture a packet trace with the
>correct incoming and outgoing spi values.
it sounds to me that cisco side is having some trouble. do you have
any logs on cisco?
>184.108.40.206[any] 220.127.116.11[any] any
> out ipsec
> spid=25 seq=1 pid=6654
>I'm not sure what the SPD entries for 18.104.22.168 and 22.214.171.124 are
>about. I don't see a need for a tunnel between the two. Could this be
>causing the problem?
if you would like to protect, say, telnet session from "Netbsd"
to "Cisco 2600", you need to have some SAD/SPD between
126.96.36.199 and 188.8.131.52. it can be tunnel mode or transport mode,
it is up to you.
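
The stall in the ping output quoted above can be measured from the sequence numbers before comparing it against SA lifetimes or router logs. The script below is an added example, not part of the original message; it assumes ping's default 1-second send interval, and the 10-packet outage threshold is an arbitrary value chosen for illustration.

```python
import re

# Ping replies copied from the quoted message above.
PING_OUTPUT = """\
64 bytes from 10.2.16.2: icmp_seq=47 ttl=254 time=200.756 ms
64 bytes from 10.2.16.2: icmp_seq=48 ttl=254 time=205.326 ms
64 bytes from 10.2.16.2: icmp_seq=49 ttl=254 time=217.328 ms
64 bytes from 10.2.16.2: icmp_seq=387 ttl=254 time=264.315 ms
64 bytes from 10.2.16.2: icmp_seq=389 ttl=254 time=243.434 ms
64 bytes from 10.2.16.2: icmp_seq=391 ttl=254 time=292.307 ms
64 bytes from 10.2.16.2: icmp_seq=393 ttl=254 time=240.245 ms
"""

SEQ_RE = re.compile(r"icmp_seq=(\d+)")


def parse_seqs(text):
    """Extract icmp_seq values in the order the replies arrived."""
    return [int(m.group(1)) for m in SEQ_RE.finditer(text)]


def find_gaps(seqs, interval=1.0):
    """Return (last_seen, next_seen, missing, stall_seconds) per gap.

    stall_seconds is the time between the two replies, assuming one
    echo request every `interval` seconds (assumption: ping default).
    Out-of-order or duplicate replies are skipped.
    """
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        missing = cur - prev - 1
        if missing > 0:
            gaps.append((prev, cur, missing, (cur - prev) * interval))
    return gaps


def classify(gaps, outage_threshold=10):
    """Split gaps into long outages and short, sporadic losses."""
    outages = [g for g in gaps if g[2] >= outage_threshold]
    sporadic = [g for g in gaps if g[2] < outage_threshold]
    return outages, sporadic


if __name__ == "__main__":
    outages, sporadic = classify(find_gaps(parse_seqs(PING_OUTPUT)))
    for prev, cur, missing, secs in outages:
        print(f"outage: seq {prev} -> {cur}, {missing} lost, ~{secs:.0f}s")
    print(f"sporadic single losses after recovery: {len(sporadic)}")
```

On the quoted output this reports one stall of about 338 seconds, and then every other reply missing after traffic resumes.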