Subject: Re: IPSec w. IPv4 Wierdness
To: Matt Bell <mtbell@mb1.micropede.com>
From: Alex Barclay <alex@tfo-consulting.com>
List: tech-net
Date: 12/28/2000 22:21:36
On Thu, 28 Dec 2000, Matt Bell wrote:

> Hi,
> 
> I don't know if you guys found an answer to this problem or if it's still not
> solved, but I think I'm experiencing similar symptoms.
> 
>                 IP=10.0.1.1                                   IP=10.0.0.1   IP=10.0.0.5
> --------------[NetBSD-1.5]---------------------------------------[NetBSD-1.5N]---------[NetBSD-1.5N]
>   10.0.1.0/24            A/32         Internet              B/32   10.0.0.0/24
> 
> 
> I can ping anything on the 10.0.1.0 net from 10.0.0.1; I can also ping
> anything on the 10.0.1.0 net from 10.0.0.5, but once I cancel the first ping
> or try to start another ping, the 10.0.1.0 net becomes unpingable.
> 
> Any Ideas?


I did find the problem. It seems that the inbound ipsec packets are
subject to filtering. It's kind of interesting because it looks like the
esp packet is passed through the filter rules then the unpacked packet is
passed back through the filter rules.

Anyway, I now have the basic system working, although there seems to be the
occasional hang as keys are renegotiated, though nothing I can put my
finger on.

I can publish the netbsd configs and the cisco configs. NetBSD version is
1.5K and the IOS version is 12.0(7)T, JS load on a 2611.

The basic problem with the pings is that the second one stopped everything
because the sequence numbers on the ESP packets got screwed up when the
filtering occurred.

If you need any further help, I can send you the configs. The only other
problem is that the Cisco router offers some weird ISAKMP exchange.
isakmpd correctly rejects the exchange, but Cisco incorrectly fails to back
off to the standard exchanges only. This behaviour only occurs when the
Cisco router is providing dynamic addresses.

I have so far failed to get details of the Cisco exchange that is blowing
up, either on CCO or as an Internet draft.

I'd also love to try racoon for the ISAKMP negotiation, but I found the
documentation virtually non-existent, and what there was didn't match the
current version.

Given that you have NetBSD at each end, are you trying static keying or a key
exchange mechanism? If filtering is turned on, try briefly turning it
off. My machine is also running NAT for non-tunneled addresses.

A.
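The following IPFilter rule fragment is an added illustration of the behaviour Alex describes above (the ESP packet is filtered once, then the decapsulated packet is filtered again); it is not part of the original message or of either poster's configuration. It assumes a default-deny ruleset, an external interface called ne0, the tunnel endpoints A and B and the private networks from Matt's diagram, and IKE on UDP/500. Because both the outer and the inner packet pass through the filter, rules are needed for both, otherwise the decapsulated traffic is dropped even though the ESP itself is passed.

```conf
# Added example, not from the original thread. Assumed: external interface
# ne0, local tunnel endpoint A, remote tunnel endpoint B, and a ruleset that
# blocks everything not explicitly passed below.

# 1. The outer packets: ESP (IP protocol 50) between the two tunnel endpoints.
#    Without these the encrypted packets never reach the IPsec stack.
pass in  quick on ne0 proto esp from B/32 to A/32
pass out quick on ne0 proto esp from A/32 to B/32

# 2. Key exchange: ISAKMP/IKE on UDP port 500 between the same endpoints.
pass in  quick on ne0 proto udp from B/32 port = 500 to A/32 port = 500
pass out quick on ne0 proto udp from A/32 port = 500 to B/32 port = 500

# 3. The inner packets: after decapsulation the cleartext packet, now carrying
#    the private addresses, is presented to the filter a second time. If only
#    the ESP rules above exist, this is where it gets dropped.
pass in  quick on ne0 from 10.0.0.0/24 to 10.0.1.0/24
pass out quick on ne0 from 10.0.1.0/24 to 10.0.0.0/24

# Everything else stays blocked by the default rules (assumed, not shown).
block in  quick on ne0 all
block out quick on ne0 all
```

A quick way to confirm which of the two passes is dropping traffic is to temporarily log the block rules (`block in log quick ...`) and compare the logged addresses: if the dropped packets show the private 10.x addresses rather than A and B, it is the decapsulated packet, not the ESP, that is being filtered.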