Re: multiple if_ipsec

2018-05-16 Thread Victor Gamov
On 09/05/2018 10:06, peter.b...@bsd4all.org wrote: Andrey, I was planning to move towards Strongswan anyway. The 1st step (with 1 interface worked great) Julian, The idea of having a jail as VPN end-point is going to help me transition step by step and possibly have both racoon and strongsw

Re: multiple if_ipsec

2018-05-13 Thread peter . blok
Hi, I have mixed types of configurations. I’ll give it a run next week. So far I have tried a tunnel with if_ipsec and strongswan at one end and gif and racoon at the other end. I have tried if_ipsec with strongswan on both ends. I’ll start with recompiling racoon today and using it to see if i

Re: multiple if_ipsec

2018-05-13 Thread Andrey V. Elsukov
On 08.05.2018 16:51, Andrey V. Elsukov wrote: > I think for proper support of several if_ipsec interfaces racoon needs > some patches. But I have no spare time to do this job. > I recommend using strongswan, it has active developers that are > responsive and may give some help at least. Hi, Tod

Re: multiple if_ipsec

2018-05-09 Thread peter . blok
Andrey, I was planning to move towards Strongswan anyway. The 1st step (with 1 interface worked great) Julian, The idea of having a jail as VPN end-point is going to help me transition step by step and possibly have both racoon and strongswan active. Thx, Peter > On 9 May 2018, at 03:08, Ju

Re: multiple if_ipsec

2018-05-08 Thread Julian Elischer
On 8/5/18 9:51 pm, Andrey V. Elsukov wrote: On 08.05.2018 14:03, peter.b...@bsd4all.org wrote: Hi Victor, I’m struggling with the same issue. My sainfo doesn’t match unless I use anonymous. Hi Andrey, What I don’t understand is why a “catchall” policy is added instead of the policy that matche

Re: multiple if_ipsec

2018-05-08 Thread Andrey V. Elsukov
On 08.05.2018 14:03, peter.b...@bsd4all.org wrote: > Hi Victor, > > I’m struggling with the same issue. My sainfo doesn’t match unless I > use anonymous. > > Hi Andrey, > > What I don’t understand is why a “catchall” policy is added instead > of the policy that matches the inner tunnel. This is

Re: multiple if_ipsec

2018-05-08 Thread peter . blok
Hi Victor, I’m struggling with the same issue. My sainfo doesn’t match unless I use anonymous. Hi Andrey, What I don’t understand is why a “catchall” policy is added instead of the policy that matches the inner tunnel. What is supposed to happen here? Is the IKE daemon supposed to update the

Re: multiple if_ipsec

2018-04-25 Thread Victor Gamov
On 23/04/2018 15:43, Andrey V. Elsukov wrote: Your security associations don't match your security policies. Probably you did interfaces reconfiguration without clearing old SAs. I think your configuration will work, if you first do the if_ipsec(4) configuration, then start racoon and it w

Re: multiple if_ipsec

2018-04-23 Thread Andrey V. Elsukov
On 23.04.2018 15:10, Victor Gamov wrote: > # setkey -D > = > __FreeBSD_IP__ __Cisco_30__ > esp mode=tunnel spi=2124688285(0x7ea42b9d) reqid=26(0x001a) This must be 30 ^^^ > __FreeBSD_IP__ __Cisco_25__ > esp mode=tunnel spi=153891647(0x092c333f)

Re: multiple if_ipsec

2018-04-23 Thread Victor Gamov
On 23/04/2018 14:13, Andrey V. Elsukov wrote: On 21.04.2018 19:16, Victor Gamov wrote: When I change ipsec-interfaces creation order then only last created interface worked fine again and previously configured interfaces do not work. And very interesting fact: when I ping from remote 10.10.9

Re: multiple if_ipsec

2018-04-23 Thread Andrey V. Elsukov
On 21.04.2018 19:16, Victor Gamov wrote: > When I change ipsec-interfaces creation order then only last created > interface worked fine again and previously configured interfaces do > not work. > > > And very interesting fact: when I ping from remote 10.10.98.5 for > example to FreeBSD 10.10.98

Re: multiple if_ipsec

2018-04-21 Thread Victor Gamov
On 20/04/2018 19:42, Andrey V. Elsukov wrote: On 20.04.2018 18:48, Victor Gamov wrote: More correct problem is:  last configured ipsec interface tx/rx traffic only.  For my example: - ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK - ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK -

Re: multiple if_ipsec

2018-04-20 Thread Andrey V. Elsukov
On 20.04.2018 18:48, Victor Gamov wrote: > More correct problem is:  last configured ipsec interface tx/rx traffic > only.  For my example: > > - ping from 10.10.98.1 to 10.10.98.2 via ipsec30 is OK > > - ping from 10.10.98.2 to 10.10.98.1 via ipsec30 is OK > > - ping from 10.10.98.5 (Cisco) to

Re: multiple if_ipsec

2018-04-20 Thread Victor Gamov
On 20/04/2018 13:04, Andrey V. Elsukov wrote: On 20.04.2018 11:17, Victor Gamov wrote: All local SA configured and established and remote side (Cisco routers) report SA established too. But traffic goes via only one ipsec-interface. If you have all SAs established, you probably need to check

Re: multiple if_ipsec

2018-04-20 Thread Andrey V. Elsukov
On 20.04.2018 11:17, Victor Gamov wrote: > All local SA configured and established and remote side (Cisco routers) > report SA established too. > > But traffic goes via only one ipsec-interface. If you have all SAs established, you probably need to check your routing configuration. Or at least te