Subject: Re: IPSec w. IPv4 Wierdness
To: Alex Barclay <alex@tfo-consulting.com>
From: None <itojun@iijlab.net>
List: tech-net
Date: 01/02/2001 11:39:29
>Office Net ------ Cisco 2600--------------Netbsd--------Windoze
>10.2.0.0/24  10.2.2.36,63.93.241.3  24.5.71.86,10.3.3.3      10.3.3.32
>
>I first run isakmpd and I can now ping and telnet from 10.3.3.3 to all
>machines on 10.2.0.0. I now terminate isakmpd and I can still ping in the
>same manner. No SA will have expired yet.
>
>Now if I try to ping from 10.3.3.32 to 10.2.0.0 then the original ping
>stops. I just noticed something even weirder here... The ping restarts
>some time later:
>64 bytes from 10.2.16.2: icmp_seq=47 ttl=254 time=200.756 ms
>64 bytes from 10.2.16.2: icmp_seq=48 ttl=254 time=205.326 ms
>64 bytes from 10.2.16.2: icmp_seq=49 ttl=254 time=217.328 ms
>64 bytes from 10.2.16.2: icmp_seq=387 ttl=254 time=264.315 ms
>64 bytes from 10.2.16.2: icmp_seq=389 ttl=254 time=243.434 ms
>64 bytes from 10.2.16.2: icmp_seq=391 ttl=254 time=292.307 ms
>64 bytes from 10.2.16.2: icmp_seq=393 ttl=254 time=240.245 ms
>
>Any timers at 340 seconds?

	i don't think so.

	if you see this symptom again, run tcpdump on outside interface
	(24.5.71.86), to see which side is having trouble.

>During the time when no ping occurs I can capture a packet trace with the
>correct incoming and outgoing spi values.

	it sounds to me that the cisco side is having some trouble.  do you have
	any logs on cisco?

>63.93.241.3[any] 24.5.71.86[any] any
>        out ipsec
>        esp/tunnel/63.93.241.3-24.5.71.86/require
>        spid=25 seq=1 pid=6654
>        refcnt=1
>I'm not sure what the SPD entries for 63.93.241.3 and 24.5.71.86 are
>about. I don't see a need for a tunnel between the two. Could this be
>causing the problem?

	if you would like to protect, say, telnet session from "Netbsd"
	to "Cisco 2600", you need to have some SAD/SPD between
	63.93.241.3 and 24.5.71.86.  it can be tunnel mode or transport mode,
	it is up to you.

itojun
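As an added illustration (not part of the original message, and not the policy isakmpd installed on Alex's box), here is what the two kinds of policy itojun describes look like in KAME setkey(8) syntax on the NetBSD gateway (24.5.71.86): a tunnel-mode pair carrying the subnet traffic between the office net and the Windows side, and a transport-mode pair protecting only traffic exchanged directly between the two gateways. The 10.3.3.0/24 prefix for the Windows side is an assumption taken from the addresses in the diagram; the file would be loaded with `setkey -f`.

```conf
# Subnet-to-subnet traffic: tunnelled between the gateways.
# Outbound: packets from the Windows side to the office net.
spdadd 10.3.3.0/24 10.2.0.0/24 any -P out ipsec
        esp/tunnel/24.5.71.86-63.93.241.3/require;
# Inbound: the mirror image, decapsulated here.
spdadd 10.2.0.0/24 10.3.3.0/24 any -P in ipsec
        esp/tunnel/63.93.241.3-24.5.71.86/require;

# Gateway-to-gateway traffic (e.g. a telnet session from this host to the
# Cisco): transport mode is enough, since both endpoints are the gateways.
spdadd 24.5.71.86 63.93.241.3 tcp -P out ipsec
        esp/transport//require;
spdadd 63.93.241.3 24.5.71.86 tcp -P in ipsec
        esp/transport//require;
```

The first pair is what makes 10.3.3.3 reach 10.2.0.0/24 through the tunnel; the second pair is the "SAD/SPD between 63.93.241.3 and 24.5.71.86" itojun refers to, and is only needed if the gateways themselves talk to each other. `setkey -DP` shows the resulting SPD in the same format as the `spid=25` entry quoted above, which is a handy way to compare a hand-written policy against what isakmpd negotiated.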