I read the flying racoons articles with great interest and I’ve been trying to test them out myself. I’ve got a pair of Macs running 10.2.1, and have just tried to set up a simple transport connection between them with this sort of setup:
spdadd 10.10.50.129/32 10.10.50.186/32 any -P out ipsec esp/transport/10.10.50.129-10.10.50.186/require;
spdadd 10.10.50.186/32 10.10.50.129/32 any -P in ipsec esp/transport/10.10.50.186-10.10.50.129/require;
I’ve also got the racoons up and running on both machines.
When I try to connect from one to the other, after running the setkey commands above, I can’t get any packets to go out on the wire (watching with tcpdump). I can’t even ping the other machine (if I run ‘setkey -FP’ everything goes back to normal and I can ping again). I noticed in ‘netstat -s’ the following that seems to shed some light:
ipsec:
0 inbound packets processed successfully
0 inbound packets violated process security policy
0 inbound packets with no SA available
0 invalid inbound packets
0 inbound packets failed due to insufficient memory
0 inbound packets failed getting SPI
0 inbound packets failed on AH replay check
0 inbound packets failed on ESP replay check
0 inbound packets considered authentic
0 inbound packets failed on authentication
0 outbound packets processed successfully
0 outbound packets violated process security policy
[color=red:332b9dc311]576 outbound packets with no SA available[/color:332b9dc311]
0 invalid outbound packets
0 outbound packets failed due to insufficient memory
0 outbound packets with no route
Anyone know what that might mean, and what is causing it?
.
.
Comments are closed