IPSec woes coming from OpenBSD to Free
chris.benesch at gmail.com
Sat Jul 7 00:40:08 UTC 2012
Yeah, the whole GIF interface thing seemed weird to me too. I'm in much the
same situation: I'm connecting to a Watchguard device, similar to the router
I guess you are hooking to.
I did get it to start trying to send, using the ping command. Never
thought I had to kick-start the data going to it to get it to connect, but
I guess I do.
So now I have another problem:
2012-07-07 00:16:02: INFO: initiate new phase 1 negotiation:
2012-07-07 00:16:02: INFO: begin Identity Protection mode.
2012-07-07 00:16:02: DEBUG: new cookie:
2012-07-07 00:16:02: DEBUG: add payload of len 52, next type 13
2012-07-07 00:16:02: DEBUG: add payload of len 16, next type 0
2012-07-07 00:16:02: ERROR: *phase1 negotiation failed due to send error.
2012-07-07 00:16:02: ERROR: failed to begin ipsec sa negotication.
I think I know what it is, though. I recompiled the kernel with just option
IPSEC the first time and got an error about being unable to set a flag on the
rl0 interface, so I found out that if you add option IPSEC_NAT_T in there the
error goes away. So I am recompiling the kernel with just IPSEC. I'll let
you know how it works after it's done. It takes a while; it's an old Pentium
4 machine with 400 M of RAM and a laptop. The AMD 6-core w/16 G RAM I hope
one day to set up to run FreeBSD will be much nicer.
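As an added example (not code from the post or from racoon), the following Python parser groups racoon log lines in the format quoted above into phase 1 negotiation attempts and records whether each one failed (and why) or completed; the sample log is constructed, and the "ISAKMP-SA established" line with its addresses is an assumed success message.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the lines quoted in the post: one attempt that
# fails with a send error, then an assumed second attempt that succeeds.
SAMPLE_LOG = """\
2012-07-07 00:16:02: INFO: initiate new phase 1 negotiation:
2012-07-07 00:16:02: INFO: begin Identity Protection mode.
2012-07-07 00:16:02: DEBUG: new cookie:
2012-07-07 00:16:02: DEBUG: add payload of len 52, next type 13
2012-07-07 00:16:02: DEBUG: add payload of len 16, next type 0
2012-07-07 00:16:02: ERROR: phase1 negotiation failed due to send error.
2012-07-07 00:16:02: ERROR: failed to begin ipsec sa negotication.
2012-07-07 00:17:30: INFO: initiate new phase 1 negotiation:
2012-07-07 00:17:30: INFO: begin Identity Protection mode.
2012-07-07 00:17:31: INFO: ISAKMP-SA established 10.0.0.2[500]-203.0.113.5[500]
"""

# "<date> <time>: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(\S+ \S+): (\w+): (.*)$")


@dataclass
class Attempt:
    started: str                      # timestamp of the "initiate" line
    outcome: str = "in progress"      # "failed" or "established" once known
    errors: list = field(default_factory=list)


def parse_phase1(log_text):
    """Split racoon output into phase 1 attempts and classify each one."""
    attempts = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                  # skip lines that are not racoon log lines
        ts, level, msg = m.groups()
        if msg.startswith("initiate new phase 1 negotiation"):
            current = Attempt(started=ts)
            attempts.append(current)
        elif current is None:
            continue                  # output before any attempt started
        elif level == "ERROR":
            current.errors.append(msg)
            if "phase1 negotiation failed" in msg:
                current.outcome = "failed"
        elif msg.startswith("ISAKMP-SA established"):
            current.outcome = "established"
    return attempts


if __name__ == "__main__":
    for a in parse_phase1(SAMPLE_LOG):
        print(a.started, a.outcome, "; ".join(a.errors))
```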
More information about the freebsd-net