Peter Haight wrote:

Looks like the 'spi' are out of sync on the 2 machines. This is after a quick glance, but I know on my IPSec setup, (with manual keys), the spi's have to be such:

Stable in spi == Release out spi
Release in spi == Stable out spi

Are you using racoon? If not, post your ipsec script.

Here you go:

local_ip="XX.XX.XX.XX"
local_net_ip="10.10.1.1"
local_net_prefixlen="24"
remote_ip="YY.YY.YY.YY"
remote_net_ip="192.168.1.1"
remote_net_prefixlen="12"          # note: /12 does not agree with the 255.255.0.0 (/16) netmask below
remote_net_netmask="255.255.0.0"

# gif tunnel between the two public addresses, carrying the two private networks
ifconfig gif0 create
ifconfig gif0 tunnel ${local_ip} ${remote_ip}
ifconfig gif0 inet ${local_net_ip} ${remote_net_ip} netmask ${remote_net_netmask}

# manual SAs (one per direction; SPIs and key must be the same on both hosts) and policies
setkey -c << EOF
flush;
spdflush;
add ${local_ip} ${remote_ip} esp 9991 -E blowfish-cbc "foobar";
add ${remote_ip} ${local_ip} esp 9992 -E blowfish-cbc "foobar";
spdadd ${local_net_ip}/${local_net_prefixlen} ${remote_net_ip}/${remote_net_prefixlen} any -P out ipsec esp/tunnel/${local_ip}-${remote_ip}/require;
spdadd ${remote_net_ip}/${remote_net_prefixlen} ${local_net_ip}/${local_net_prefixlen} any -P in ipsec esp/tunnel/${remote_ip}-${local_ip}/require;
EOF


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



This is ok on one machine. Copy the script to the other machine, and swap out all of the 'local' variables with the values of the 'remote' variables and vice versa. This will allow the keys to be configured correctly. If this still does not work, let me know. I wrote a perl program that will automatically configure a vpn tunnel for you, and it produces 2 scripts. One for localhost and the other for remote host. It works for me every time.

Steve
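An added example of the same idea in sh (mine, not Steve's perl program and not code from the thread): describe both endpoints once, generate the setkey input for whichever host it runs on, and check that the SA lines, and so the SPIs, come out identical on both sides. The addresses, key strings and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): describe the tunnel once, from the
# point of view of neither host, and generate the setkey script for whichever
# host it will run on.  Addresses and keys below are constructed placeholders.

A_IP="XX.XX.XX.XX"      # outer address of endpoint A
A_NET="10.10.1.0/24"    # network behind A
B_IP="YY.YY.YY.YY"      # outer address of endpoint B
B_NET="192.168.0.0/16"  # network behind B

# One SA per direction.  An SA is identified by destination address and SPI
# and must exist with the same SPI and key on BOTH hosts, so these are not
# "local/remote" values and never get swapped.
SPI_AB=9991; KEY_AB="placeholderkeyA2B"   # traffic A -> B
SPI_BA=9992; KEY_BA="placeholderkeyB2A"   # traffic B -> A

# gen_setkey A|B : print the setkey -c input for that host.
gen_setkey() {
  case "$1" in
    A) me="$A_IP"; peer="$B_IP"; my_net="$A_NET"; peer_net="$B_NET" ;;
    B) me="$B_IP"; peer="$A_IP"; my_net="$B_NET"; peer_net="$A_NET" ;;
    *) echo "usage: gen_setkey A|B" >&2; return 1 ;;
  esac
  # The add lines are identical on both hosts; only the policy direction
  # and the tunnel endpoint order flip.
  cat <<EOF
flush;
spdflush;
add ${A_IP} ${B_IP} esp ${SPI_AB} -E blowfish-cbc "${KEY_AB}";
add ${B_IP} ${A_IP} esp ${SPI_BA} -E blowfish-cbc "${KEY_BA}";
spdadd ${my_net} ${peer_net} any -P out ipsec esp/tunnel/${me}-${peer}/require;
spdadd ${peer_net} ${my_net} any -P in ipsec esp/tunnel/${peer}-${me}/require;
EOF
}

# sa_lines A|B : just the SA (add) lines, for comparing the two sides.
sa_lines() { gen_setkey "$1" | grep '^add '; }

# check_sync : the SA lines must be byte-identical on both hosts; if they
# differ the SPIs are out of sync and the kernel silently drops the ESP traffic.
check_sync() { [ "$(sa_lines A)" = "$(sa_lines B)" ]; }

# Usage: sh thisscript A > setkey-A.conf ; sh thisscript B > setkey-B.conf
# then on each host: setkey -c < setkey-X.conf
[ $# -gt 0 ] && gen_setkey "$1"
```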
