Subject: Re: IPSec w. IPv4 Weirdness
To: Alex Barclay <alex@tfo-consulting.com>
From: Matt Bell <mtbell@mb1.micropede.com>
List: tech-net
Date: 12/28/2000 20:54:28
Hi,

I don't know if you guys found an answer to this problem or if it's still not
solved, but I think I'm experiencing similar symptoms.

                IP=10.0.1.1                                   IP=10.0.0.1 
                  IP=10.0.0.5
--------------[NetBSD-1.5]---------------------------------------[NetBSD-1.5N]---------[NetBSD-1.5N]
  10.0.1.0/24            A/32         Internet              B/32 
   10.0.0.0/24


I can ping anything on the 10.0.1.0 net from 10.0.0.1, and I can also ping
anything on the 10.0.1.0 net from 10.0.0.5, but once I cancel the first ping
or try to start another ping, the 10.0.1.0 net becomes unpingable.

Any ideas?
-Matt


At 01:49 PM 12/9/2000 -0700, Alex Barclay wrote:
>Hi all
>
>I'm seeing a really strange problem with IPSec.
>
>I'm trying to set up a tunnel mode connection from my home to my office.
>
>At the office there is a Cisco router running an IPSec build of IOS 12.0
>
>Behind both my netbsd machine and the router there are entire networks
>
>
>
>---------[cisco]--------------------------------[netbsd]-----------
>10.2.0.0/16     A/32     Internet           B/32         10.3.3.0/24
>
>I'm also using the openbsd isakmpd from pkgsrc with a pre-shared key.
>
>The SAs are negotiated correctly and from the netbsd machine I can ping
>the internal address of the cisco router and anything else on the 10.2
>net.
>
>Now for the strange bit.
>
>So I leave the ping running between B and an address on the 10.2 net.
>Everything is happy.
>
>From a different machine on the 10.3.3 net I start a ping to the same address
>on the 10.2 net.
>
>This new ping fails, and the original ping stops!
>
>isakmpd has not renegotiated the keys (I set the renegotiate time to 1hr)
>
>A tcpdump on port B shows both ping packets are leaving the netbsd machine
>as ESP towards the internet. I also see both pings returning as ESP
>packets from the cisco router. I suspect based on this behaviour that the
>cisco end is operating correctly.
>
>Neither of the pings gets back to user space on the netbsd machine or out
>to the 10.3.3.0 network.
>
>I can stop isakmpd, clear out the SAD and SPD, then restart isakmpd and
>can then repeat the experiment.
>
>The triggering factor seems to be starting the ping from the second
>machine on 10.3.3.
>
>Any suggestions as to what to look at next?
>
>A.