Subject: Re: IPSec w. IPv4 Wierdness
To: Alex Barclay <>
From: None <>
List: tech-net
Date: 01/02/2001 11:39:29
>Office Net ------ Cisco 2600--------------Netbsd--------Windoze
>I first run isakmpd and I can now ping and telnet from to all
>machines on I now terminate isakmpd and I can still ping in the
>same manner. No SA will have expired yet..
>Now if I try to ping from to then the original ping
>stops. I just noticed something even weirder here... The ping restarts
>some time later
>64 bytes from icmp_seq=47 ttl=254 time=200.756 ms
>64 bytes from icmp_seq=48 ttl=254 time=205.326 ms
>64 bytes from icmp_seq=49 ttl=254 time=217.328 ms
>64 bytes from icmp_seq=387 ttl=254 time=264.315 ms
>64 bytes from icmp_seq=389 ttl=254 time=243.434 ms
>64 bytes from icmp_seq=391 ttl=254 time=292.307 ms
>64 bytes from icmp_seq=393 ttl=254 time=240.245 ms
>Any timers at 340 seconds?

	i don't think so.

	if you see this symptom again, run tcpdump on outside interface
	(, to see which side is having trouble.

>During the time when no ping occurs I can capture a packet trace with the
>correct incoming and outgoing spi values.

	it sounds to me that cisco side is having some trouble.  do you have
	any logs on cisco?

>[any][any] any
>        out ipsec
>        esp/tunnel/
>        spid=25 seq=1 pid=6654
>        refcnt=1
>I'm not sure what the SPD entries for and are
>about. I don't see a need for a tunnel between the two. Could this be
>causing the problem?

	if you would like to protect, say, telnet session from "Netbsd"
	to "Cisco 2600", you need to have some SAD/SPD between and ;
	it can be tunnel mode or transport mode, it is up to you.
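A diagnostic in the spirit of the advice above, added here as an example and not code from the original thread or from the NetBSD/KAME project: it parses the text that `setkey -DP` (SPD) and `setkey -D` (SAD) print, pairs every `require` policy with the SA it needs (tunnel-endpoint addresses for tunnel mode, selector hosts for transport mode), and lists the policies that have no usable SA behind them. That is the state that stalls traffic after the IKE daemon is gone and its SAs expire: the kernel holds packets for a key nothing will deliver. The two dumps are constructed sample data, the dump layout is an assumption based on KAME setkey (the thread shows its entries with addresses stripped), and `parse_spd`, `parse_sad` and `unkeyed_policies` are names chosen for this example.

```python
"""Cross-check NetBSD/KAME IPsec policies (SPD) against the SA database (SAD).

Added example, not from the original thread.  Parses the text printed by
`setkey -DP` and `setkey -D` and lists every `require` policy with no usable
SA behind it.  Dump layout is assumed to follow KAME setkey; the dumps below
are constructed sample data.
"""
import re
from collections import namedtuple

# Constructed `setkey -DP` output: a transport policy between the gateways
# (spid 1) and a tunnel policy pair for the office subnets (spid 25, 26).
SPD_DUMP = """\
10.1.1.2[any] 10.1.1.1[any] any
\tout ipsec
\tesp/transport//require
\tspid=1 seq=2 pid=6654
\trefcnt=1
192.168.10.0/24[any] 192.168.20.0/24[any] any
\tout ipsec
\tesp/tunnel/10.1.1.2-10.1.1.1/require
\tspid=25 seq=1 pid=6654
\trefcnt=1
192.168.20.0/24[any] 192.168.10.0/24[any] any
\tin ipsec
\tesp/tunnel/10.1.1.1-10.1.1.2/require
\tspid=26 seq=0 pid=6654
\trefcnt=1
"""

# Constructed `setkey -D` output: the transport SA is mature, the only tunnel
# SA is still larval (negotiation started but never completed).
SAD_DUMP = """\
10.1.1.2 10.1.1.1
\tesp mode=transport spi=4097(0x00001001) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
10.1.1.2 10.1.1.1
\tesp mode=tunnel spi=4099(0x00001003) reqid=1(0x00000001)
\tseq=0x00000000 replay=0 flags=0x00000000 state=larval
"""

# sa_src/sa_dst: the addresses an SA must carry to satisfy the policy
Policy = namedtuple("Policy", "spid direction proto mode sa_src sa_dst level")
SA = namedtuple("SA", "src dst proto mode spi state")


def parse_spd(text):
    """Policies from `setkey -DP`; entries with action none/discard are skipped."""
    policies, header, direction, action, rule = [], None, None, None, None
    for line in text.splitlines():
        if not line.startswith("\t"):            # "src[port] dst[port] proto"
            header, direction, action, rule = line.split(), None, None, None
            continue
        field = line.strip()
        m = re.fullmatch(r"(in|out|fwd) (ipsec|discard|none|bypass)", field)
        if m:
            direction, action = m.groups()
            continue
        m = re.fullmatch(r"(esp|ah|ipcomp)/(transport|tunnel)/(?:([^-]+)-([^/]+))?/(\w+)", field)
        if m:
            rule = m.groups()
            continue
        m = re.match(r"spid=(\d+)", field)
        if m and action == "ipsec" and rule:
            proto, mode, ep_src, ep_dst, level = rule
            if mode == "tunnel":                  # SA runs between the tunnel endpoints
                sa_src, sa_dst = ep_src, ep_dst
            else:                                 # transport: between the selector hosts
                sa_src, sa_dst = [re.sub(r"\[.*\]$", "", a).split("/")[0] for a in header[:2]]
            policies.append(Policy(int(m.group(1)), direction, proto, mode, sa_src, sa_dst, level))
    return policies


def parse_sad(text):
    """SAs from `setkey -D`, one per 'src dst' header block."""
    sas, src, dst, proto, mode, spi = [], None, None, None, None, None
    for line in text.splitlines():
        if not line.startswith("\t"):            # "src dst" header of one SA
            (src, dst), proto = line.split()[:2], None
            continue
        field = line.strip()
        m = re.match(r"(esp|ah|ipcomp) mode=(transport|tunnel|any) spi=(\d+)", field)
        if m:
            proto, mode, spi = m.group(1), m.group(2), int(m.group(3))
            continue
        m = re.search(r"state=(\w+)", field)
        if m and proto:
            sas.append(SA(src, dst, proto, mode, spi, m.group(1)))
    return sas


# larval SAs are still being negotiated and dead ones carry nothing;
# only mature and dying SAs protect packets.
USABLE = {"mature", "dying"}


def unkeyed_policies(policies, sas):
    """`require` policies with no usable SA: packets matching them are held."""
    keyed = {(s.src, s.dst, s.proto, s.mode) for s in sas if s.state in USABLE}
    return [p for p in policies
            if p.level == "require" and (p.sa_src, p.sa_dst, p.proto, p.mode) not in keyed]


if __name__ == "__main__":
    for p in unkeyed_policies(parse_spd(SPD_DUMP), parse_sad(SAD_DUMP)):
        print(f"spid={p.spid} {p.direction}: needs {p.proto}/{p.mode} SA "
              f"{p.sa_src}->{p.sa_dst}, none usable")
```

On a live host, feed the real output of `setkey -DP` and `setkey -D` to the two parsers in place of the constructed strings. Policies of level `use` are deliberately not reported: the kernel lets their traffic pass in the clear when no SA exists, so only `require` policies can stall a ping the way the thread describes.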