tech-net archive

Re: IPsec vs ssh



So the SPD problem was solved by changing all of the "any" fields to "icmp":


spdadd 10.1.2.254/24 10.1.3.0/24 icmp -P out ipsec 
esp/tunnel/10.1.2.254-203.33.153.28/require;
spdadd 10.1.3.0/24 10.1.2.0.254/32 icmp -P in ipsec 
esp/tunnel/203.33.153.28-10.1.2.254/require;

spdadd 203.33.153.28/32 10.1.1.0/24 icmp -P in ipsec 
esp/tunnel/203.33.153.28-10.1.2.254/require;
spdadd 10.1.1.0/24 203.33.153.28/32 icmp -P out ipsec 
esp/tunnel/10.1.2.254-203.33.153.28/require;

spdadd 10.1.3.0/24 10.1.1.0/24 icmp -P in ipsec 
esp/tunnel/203.33.153.28[4500]-10.1.2.254[4500]/require;
spdadd 10.1.1.0/24 10.1.3.0/24 icmp -P out ipsec 
esp/tunnel/10.1.2.254[4500]-203.33.153.28[4500]/require;


But I still get this from the kernel:
/netbsd: IPv4 ESP input: no key association found for spi 208200261

DEBUG: call pfkey_send_add2 (NAT flavor)
DEBUG: call pfkey_send_add2
DEBUG: pfkey add sent.
DEBUG: pk_recv: retry[0] recv()
DEBUG: got pfkey UPDATE message
DEBUG2:
[hexdump]
ERROR: pfkey UPDATE failed: No such file or directory
DEBUG: pk_recv: retry[0] recv()
DEBUG: got pfkey ADD message

and this appears to be the only smoking gun from racoon output.

Darren
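An added diagnostic for the situation described above, not code from the post or from the NetBSD/racoon projects. The kernel message names the SPI it could not match, and `setkey -D` dumps what is actually in the SAD, so the first thing to check is whether that SPI exists at all and, if it does, under which endpoints. The script below parses a constructed kernel log (the SPI value is the one from the post, the timestamps and hostname are made up), a constructed `setkey -D` dump in the KAME/NetBSD format, and the six spdadd statements from the post (copied verbatim, only the tunnel endpoints are used). It then reports SPIs the kernel complained about that are absent from the SAD, and tunnel endpoints that the SPD references both with and without a NAT-T port; the assumption, stated in the code, is that with NAT-T the SA lookup includes the ports, so a peer written as `203.33.153.28[4500]` in one policy and `203.33.153.28` in another needs two different SAs. The racoon log's "pfkey UPDATE failed: No such file or directory" is ENOENT from the kernel, which in the KAME key management code I know is what SADB_UPDATE returns when no SA index (src, dst, mode, and with NAT-T the ports) matches the update; the script does not diagnose that directly, it only makes the SAD/SPD mismatch visible.

```python
import re

# Constructed sample kernel log, modelled on the line quoted in the post
# (the SPI is the one from the post; timestamps and hostname are made up).
KERNEL_LOG = """\
Mar  3 10:15:01 gw /netbsd: IPv4 ESP input: no key association found for spi 208200261
Mar  3 10:15:04 gw /netbsd: IPv4 ESP input: no key association found for spi 208200261
"""

# Constructed `setkey -D` (SAD dump) output in the KAME/NetBSD format. Assumed
# here: racoon got only one SA installed, and it carries an unrelated SPI.
SAD_DUMP = """\
10.1.2.254 203.33.153.28
\tesp mode=tunnel spi=3405691582(0xcafebabe) reqid=0(0x00000000)
\tE: 3des-cbc  00010203 04050607 08090a0b 0c0d0e0f 10111213 14151617
\tA: hmac-sha1 00010203 04050607 08090a0b 0c0d0e0f 10111213
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Mar  3 10:14:50 2004\tcurrent: Mar  3 10:15:10 2004
\tdiff: 20(s)\thard: 28800(s)\tsoft: 23040(s)
\tsadb_seq=0 pid=1234 refcnt=1
"""

# The SPD statements from the post, verbatim; only the tunnel endpoints are parsed.
SPD_CONF = """\
spdadd 10.1.2.254/24 10.1.3.0/24 icmp -P out ipsec
esp/tunnel/10.1.2.254-203.33.153.28/require;
spdadd 10.1.3.0/24 10.1.2.0.254/32 icmp -P in ipsec
esp/tunnel/203.33.153.28-10.1.2.254/require;
spdadd 203.33.153.28/32 10.1.1.0/24 icmp -P in ipsec
esp/tunnel/203.33.153.28-10.1.2.254/require;
spdadd 10.1.1.0/24 203.33.153.28/32 icmp -P out ipsec
esp/tunnel/10.1.2.254-203.33.153.28/require;
spdadd 10.1.3.0/24 10.1.1.0/24 icmp -P in ipsec
esp/tunnel/203.33.153.28[4500]-10.1.2.254[4500]/require;
spdadd 10.1.1.0/24 10.1.3.0/24 icmp -P out ipsec
esp/tunnel/10.1.2.254[4500]-203.33.153.28[4500]/require;
"""

KERNEL_RE = re.compile(r"no key association found for spi (\d+)")
SAD_HDR_RE = re.compile(r"^(\S+)\s+(\S+)$")            # unindented "src dst" line
SAD_SA_RE = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=(\d+)\(0x[0-9a-f]+\)")
SAD_STATE_RE = re.compile(r"\bstate=(\w+)")
SPD_TUNNEL_RE = re.compile(r"(esp|ah)/tunnel/([^/\s-]+)-([^/\s-]+)/")
ENDPOINT_RE = re.compile(r"([^\[]+)(?:\[(\d+)\])?")   # addr or addr[port]


def fmt_spi(spi):
    """Render an SPI the way setkey prints it: decimal with the hex form in parentheses."""
    return "%d(0x%08x)" % (spi, spi)


def kernel_spis(log):
    """SPIs for which the kernel logged 'no key association found'."""
    return {int(m.group(1)) for m in KERNEL_RE.finditer(log)}


def sad_entries(dump):
    """Parse a `setkey -D` dump into {spi: {src, dst, proto, mode, state}}."""
    entries, src, dst, cur = {}, None, None, None
    for line in dump.splitlines():
        m = SAD_HDR_RE.match(line)
        if m:
            src, dst, cur = m.group(1), m.group(2), None
            continue
        m = SAD_SA_RE.match(line)
        if m:
            cur = int(m.group(3))
            entries[cur] = {"src": src, "dst": dst, "proto": m.group(1),
                            "mode": m.group(2), "state": None}
            continue
        m = SAD_STATE_RE.search(line)
        if m and cur is not None:
            entries[cur]["state"] = m.group(1)
    return entries


def missing_spis(log, dump):
    """SPIs the kernel asked for that the SAD does not contain, ascending."""
    return sorted(kernel_spis(log) - set(sad_entries(dump)))


def split_endpoint(ep):
    """'203.33.153.28[4500]' -> ('203.33.153.28', '4500'); no port -> None."""
    m = ENDPOINT_RE.fullmatch(ep)
    return m.group(1), m.group(2)


def inconsistent_endpoints(conf):
    """Tunnel endpoints the SPD uses with more than one port spec.

    Assumption: with NAT-T the kernel's SA lookup includes the UDP ports, so a
    peer written both as addr and addr[4500] needs two distinct SAs.
    """
    seen = {}
    for m in SPD_TUNNEL_RE.finditer(conf):
        for ep in (m.group(2), m.group(3)):
            addr, port = split_endpoint(ep)
            seen.setdefault(addr, set()).add(port)
    return {a: sorted(p or "none" for p in ports)
            for a, ports in seen.items() if len(ports) > 1}


def report(log, dump, conf):
    """One line per finding: missing SPIs, SAs present, mixed-port endpoints."""
    lines = ["kernel wants SPI %s but the SAD has no such SA" % fmt_spi(spi)
             for spi in missing_spis(log, dump)]
    for spi, sa in sorted(sad_entries(dump).items()):
        lines.append("SAD: %s -> %s %s/%s spi=%s state=%s" % (
            sa["src"], sa["dst"], sa["proto"], sa["mode"], fmt_spi(spi), sa["state"]))
    for addr, ports in sorted(inconsistent_endpoints(conf).items()):
        lines.append("SPD: tunnel endpoint %s used with port specs %s; "
                     "each spec selects a different SA" % (addr, ", ".join(ports)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(KERNEL_LOG, SAD_DUMP, SPD_CONF)))
```

On a live box, feed it `dmesg` and `setkey -D` instead of the constructed strings; the SPD parser is written against the setkey.conf syntax, so `setkey -DP` output would need its own regex.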
