FreeBSD <-> Windows XP IPSec Phase 1 Timeout

Arcadiy Ivanov arcivanov at mail.ru
Wed Nov 30 15:17:01 GMT 2005


Well, unfortunately it is not the problem - all systems on the network are
synchronized via NTP from a common source, thus at least in this test
environment clock sync shouldn't be an issue.
----- Original Message ----- 
From: <"."@babolo.ru>
To: "Arcadiy Ivanov" <arcivanov at mail.ru>
Cc: <freebsd-net at freebsd.org>
Sent: Wednesday, November 30, 2005 03:47 AM
Subject: Re: FreeBSD <-> Windows XP IPSec Phase 1 Timeout


>
> I am not an expert in this, but I had similar
> problems in a different environment when clocks
> were not synchronized exactly on both tunnel ends.
>
>> Dear everybody,
>>
>> I have the following problem which you might help me solve. I'm running a
>> FreeBSD 6.0 box as a gateway with Windows XP road warrior clients VPNing
>> in. In order to set up secure access I want to use IPSec for traffic
>> encryption with the plain-text PPTP for tunneling. Windows XP IPSec policy
>> is configured to ESP everything coming in and out of TCP port 1723 and GRE
>> and the same stands for the FreeBSD box. Now here is a problem. Upon
>> initiating a PPTP dial-up connection from XP the IPSec negotiations start
>> normally, both client and server agree on encryption & hashing standards
>> successfully. But as soon as they do agree, all communications time out.
>> Tcpdump on the FreeBSD box and Etherpeek on Windows show the IPSec packets
>> being delivered to both machines, but both client and server behave as if
>> packets were not delivered at all and obviously time out. I do have a PF
>> firewall on the gateway but the result is the same for the firewall being
>> off or on or even not loaded into the kernel. I have used racoon, isakmp
>> and ipsec-tools racoon and the results are EXACTLY the same up to the
>> corresponding lines in the logs - as soon as encryption policies are
>> successfully negotiated and both clients switch to secure communication
>> mode they lose sight of each other and both time out. I of course
>> understand that the logs are necessary and I'm ready to provide them if
>> anybody is interested to help me solve the problem, but I'm hoping that
>> somebody had this problem and knows the solutions off the top of his/her
>> head.
>>
>> Thanks a lot,
>> Arcadiy
>>
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>


