Frank Wille <frank%phoenix.owl.de@localhost> writes:

>> What does a "setkey -aD" output?

> No SAD entries. And no SPD entries either.
> I guess they would be added by the phase1-up script...?

In my experience, SPD entries are added outside of racoon to tell the
kernel that certain traffic should have IPsec protection. I don't
understand how in your setup that's supposed to work, or what is
triggering racoon to start the negotiation.

> Looking at the tcpdump I wonder why the NetBSD client says it is exchanging
> "isakmp: phase 2" packets, while the Lancom still calls these isakmp
> notifies "Phase-1 SA"?
>
> IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer
> VPNCLIENT15EF90, sequence nr 0x7a8b3f4b

I think this is ok. I have not read the specs in a long time, but I
think that notifications (INITIAL_CONTACT, DPD, etc.) are sent as
phase 2 other messages (meaning they are protected in the phase 1 SA),
but are considered control messages about the phase 1 SA. Other phase 2
messages are used to create a phase 2 SA, which is loaded into the
kernel, and then data flows over that. So I don't think the 1/2
terminology difference about notifies is a problem.
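As an illustration of the point made above (SPD entries are installed outside racoon, with setkey(8), and it is those entries that make the kernel ask racoon to negotiate), here is an added example of a setkey policy file for a road-warrior style tunnel. It is not from the thread and not the poster's configuration; the addresses (192.0.2.10 for the NetBSD client, 203.0.113.1 for the remote gateway, 198.51.100.0/24 for the protected network behind it) are constructed placeholders.

```conf
# /etc/ipsec.conf -- loaded with: setkey -f /etc/ipsec.conf
# Constructed example; replace the placeholder addresses with your own.

# Start from a clean state: drop all SAD and SPD entries.
flush;
spdflush;

# Outbound: traffic from this host to the remote LAN must be ESP
# tunnelled between the client (192.0.2.10) and the gateway (203.0.113.1).
# "require" means: if no matching SA exists, the kernel emits an
# SADB_ACQUIRE on PF_KEY, which is what triggers racoon's phase 1/2.
spdadd 192.0.2.10/32 198.51.100.0/24 any -P out ipsec
    esp/tunnel/192.0.2.10-203.0.113.1/require;

# Inbound: the mirror policy, so replies are only accepted over the tunnel
# and cleartext packets claiming to come from the remote LAN are dropped.
spdadd 198.51.100.0/24 192.0.2.10/32 any -P in ipsec
    esp/tunnel/203.0.113.1-192.0.2.10/require;
```

After loading, `setkey -DP` should list the two policies even before any traffic flows, while `setkey -D` stays empty until racoon has finished phase 2 and installed the ESP SAs; if `setkey -DP` is empty, nothing will ever prompt racoon to negotiate, which matches the symptom quoted above.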