Re: IPsec vs ssh

To: John Nemeth <jnemeth%cue.bc.ca@localhost>
Subject: Re: IPsec vs ssh
From: Darren Reed <darrenr%fastmail.net@localhost>
Date: Tue, 12 Nov 2013 05:55:23 +1100

So the SPD problem was solved by changing all of the "any" fields to "icmp":


spdadd 10.1.2.254/24 10.1.3.0/24 icmp -P out ipsec 
esp/tunnel/10.1.2.254-203.33.153.28/require;
spdadd 10.1.3.0/24 10.1.2.0.254/32 icmp -P in ipsec 
esp/tunnel/203.33.153.28-10.1.2.254/require;

spdadd 203.33.153.28/32 10.1.1.0/24 icmp -P in ipsec 
esp/tunnel/203.33.153.28-10.1.2.254/require;
spdadd 10.1.1.0/24 203.33.153.28/32 icmp -P out ipsec 
esp/tunnel/10.1.2.254-203.33.153.28/require;

spdadd 10.1.3.0/24 10.1.1.0/24 icmp -P in ipsec 
esp/tunnel/203.33.153.28[4500]-10.1.2.254[4500]/require;
spdadd 10.1.1.0/24 10.1.3.0/24 icmp -P out ipsec 
esp/tunnel/10.1.2.254[4500]-203.33.153.28[4500]/require;


But I still get this from the kernel:
/netbsd: IPv4 ESP input: no key association found for spi 208200261

DEBUG: call pfkey_send_add2 (NAT flavor)
DEBUG: call pfkey_send_add2
DEBUG: pfkey add sent.
DEBUG: pk_recv: retry[0] recv()
DEBUG: got pfkey UPDATE message
DEBUG2:
[hexdump]
ERROR: pfkey UPDATE failed: No such file or directory
DEBUG: pk_recv: retry[0] recv()
DEBUG: got pfkey ADD message

and this appears to be the only smoking gun from racoon output.

Darren

References:
- Re: IPsec vs ssh
  - From: John Nemeth
- Re: IPsec vs ssh
  - From: Darren Reed

Prev by Date: Re: IPsec vs ssh
Next by Date: Re: IPsec vs ssh
Previous by Thread: Re: IPsec vs ssh
Next by Thread: Re: IPsec vs ssh
Indexes:

Home | Main Index | Thread Index | Old Index