Subject: IPSec w. IPv4 Weirdness
To: None <tech-net@netbsd.org>
From: Alex Barclay <alex@tfo-consulting.com>
List: tech-net
Date: 12/09/2000 13:49:34
Hi all,

I'm seeing a really strange problem with IPSec.

I'm trying to set up a tunnel mode connection from my home to my office.

At the office there is a Cisco router running an IPSec build of IOS 12.0.

Behind both my netbsd machine and the router there are entire networks:

---------[cisco]--------------------------------[netbsd]-----------
10.2.0.0/16     A/32     Internet           B/32         10.3.3.0/24

I'm also using the openbsd isakmpd from pkgsrc with a pre-shared key.

The SAs are negotiated correctly, and from the netbsd machine I can ping
the internal address of the cisco router and anything else on the 10.2
net.

Now for the strange bit.

So I leave the ping running between B and an address on the 10.2 net.
Everything is happy.

From a different machine on the 10.3.3 net I start a ping to the same
address on the 10.2 net.

This new ping fails, the original ping stops!

isakmpd has not renegotiated the keys (I set the renegotiate time to 1hr).

A tcpdump on port B shows both ping packets are leaving the netbsd machine
as ESP towards the internet. I also see both pings returning as ESP
packets from the cisco router. I suspect based on this behaviour that the
cisco end is operating correctly.

Neither of the pings gets back to user space on the netbsd machine or out
to the 10.3.3.0 network.

I can stop isakmpd, clear out the SAD and SPD, then restart isakmpd, and
can then repeat the experiment.

The triggering factor seems to be starting the ping from the second
machine on 10.3.3.

Any suggestions as to what to look at next?

A.