On Sat, May 12, 2007 at 05:10:12AM -0700, UNIX admin wrote:
>
> Snooping traffic, I see the laptop sending ESP packets to the FW, but I get
> nothing back. I'm going to need more information. Much more.

As will we. Tell me, if you're using IKE how are you seeing ESP packets?
*Something* must be working - either that, or you're manually-keying w/o
telling us. (And manually keying with NAT-Traversal is damned annoying to
get right.)

> Which files was I supposed to modify? I modified /etc/hostname.ip.tun0 with
> the above parameters (encr_algs aes encr_auth_algs sha1), like so:
>
> /etc/hostname.ip.tun0:
>
> ###.BBB.2.1/16 ###.BBB.2.2 tsrc ###.AAA.2.1 tdst ###.AAA.2.2 encr_algs aes
> encr_auth_algs sha1 up
>
> Where "AAA" = n, and "BBB" = n + 1.

Do you have tsrc set to your local ethernet/etc. interface's address and
tdst set to the peer's IP address? That's not clear from what you're
showing us.

> Looks like I also need to modify /etc/inet/ike/config? What did I miss?
> What needs to be in there to support the above combination?

Like I said, if you're seeing "ESP", then I'm curious if you're using IKE
at all or not.

tsrc/tdst should be set like I said. If there's a NAT in the way, the
non-NAT-ted side should have tdst set to the peer's *public* IP address,
and the NAT-ted side should have tsrc set to the LOCAL IP address.

Dan
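The tsrc/tdst rule stated in the reply above, turned into a small checker. This is an added example, not code from the thread or from Solaris: it parses a /etc/hostname.ip.tun0 line of the shape quoted above (only the keywords that appear in the thread are handled, which is an assumption) and reports whether tsrc is an address on one of the host's own interfaces and tdst is the address the peer is actually reachable at, i.e. its public address when the peer sits behind a NAT. The addresses, the local-interface lists and the three sample lines are constructed (RFC 5737 / RFC 1918 ranges); the helper names are hypothetical.

```python
"""Sanity-check a Solaris /etc/hostname.ip.tun0 line against the tsrc/tdst
rule from the thread: tsrc must be an address configured on a local
interface, and tdst must be the address at which the peer is reachable
(its *public* address when the peer is behind a NAT).

Added example; addresses below are constructed (RFC 5737 / RFC 1918).
"""

# Keywords that take one argument in an ifconfig-style tunnel line.
# Assumption: only the keywords seen in the thread (plus auth_algs) are handled.
_KEYED = {"tsrc", "tdst", "encr_algs", "encr_auth_algs", "auth_algs"}
_FLAGS = {"up", "down"}


def parse_tun_line(line):
    """Parse e.g.
    '10.1.2.1/16 10.1.2.2 tsrc 192.0.2.1 tdst 203.0.113.2 encr_algs aes encr_auth_algs sha1 up'
    The first two positional tokens are the inner (tunnel) addresses."""
    toks = line.split()
    if len(toks) < 2:
        raise ValueError("need inner local and remote addresses")
    cfg = {"inner_local": toks[0], "inner_remote": toks[1], "flags": set()}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in _KEYED:
            if i + 1 >= len(toks):
                raise ValueError("missing argument for %s" % t)
            cfg[t] = toks[i + 1]
            i += 2
        elif t in _FLAGS:
            cfg["flags"].add(t)
            i += 1
        else:
            raise ValueError("unknown token %r" % t)
    return cfg


def check_endpoints(cfg, local_addrs, peer_reachable_addr):
    """Apply the rule from the thread. Returns a list of problems (empty if OK).

    local_addrs: addresses configured on this host's real interfaces.
    peer_reachable_addr: where ESP must be sent, i.e. the peer's public
    address when the peer is behind a NAT, otherwise its own address.
    """
    problems = []
    tsrc, tdst = cfg.get("tsrc"), cfg.get("tdst")
    if tsrc is None or tdst is None:
        problems.append("tsrc and tdst must both be set")
        return problems
    if tsrc not in local_addrs:
        problems.append("tsrc %s is not an address on a local interface" % tsrc)
    if tdst != peer_reachable_addr:
        problems.append("tdst %s is not the address the peer is reachable at (%s)"
                        % (tdst, peer_reachable_addr))
    if tsrc == tdst:
        problems.append("tsrc and tdst are the same address")
    # Inner and outer addresses must differ, or the tunnel routes to itself.
    inner = (cfg["inner_local"].split("/")[0], cfg["inner_remote"])
    if any(a in (tsrc, tdst) for a in inner):
        problems.append("inner tunnel addresses overlap the outer endpoints")
    if "up" not in cfg["flags"]:
        problems.append("interface is not marked up")
    return problems


# Constructed scenario: laptop behind a NAT (private 192.168.1.10, seen on
# the outside as 198.51.100.7) talking to a firewall whose public address
# is 203.0.113.2. Inner tunnel addresses are 10.1.2.1 / 10.1.2.2.
LAPTOP_LINE = ("10.1.2.1/16 10.1.2.2 tsrc 192.168.1.10 tdst 203.0.113.2 "
               "encr_algs aes encr_auth_algs sha1 up")
FW_LINE = ("10.1.2.2/16 10.1.2.1 tsrc 203.0.113.2 tdst 198.51.100.7 "
           "encr_algs aes encr_auth_algs sha1 up")
# Common mistake: the non-NATed side pointing tdst at the peer's private address.
FW_BAD_LINE = ("10.1.2.2/16 10.1.2.1 tsrc 203.0.113.2 tdst 192.168.1.10 "
               "encr_algs aes encr_auth_algs sha1 up")


def check_laptop():
    # NATed side: tsrc is the LOCAL (private) address, tdst the peer's public one.
    return check_endpoints(parse_tun_line(LAPTOP_LINE),
                           {"192.168.1.10", "127.0.0.1"}, "203.0.113.2")


def check_firewall(line=FW_LINE):
    # Non-NATed side: tdst must be the NATed peer's *public* address.
    return check_endpoints(parse_tun_line(line),
                           {"203.0.113.2", "10.0.0.1"}, "198.51.100.7")


if __name__ == "__main__":
    for name, probs in (("laptop", check_laptop()),
                        ("firewall", check_firewall()),
                        ("firewall (bad)", check_firewall(FW_BAD_LINE))):
        print(name + ":", "OK" if not probs else "; ".join(probs))
```

On a real host the local-address set would come from the output of ifconfig rather than a literal, and the check says nothing about IKE: it only confirms the outer endpoints of the tunnel are the ones packets can actually travel between, which is the point being made about the quoted configuration.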