
Re: photurisd dies

On Sat, Sep 19, 1998 at 10:52:22AM -0400, Niels Provos wrote:
> > Now I have a couple of hosts with ipsec enabled and photuris daemons
> > talking to each other (alpha station 200 and an old i486 pc).
> > And I cannot even ping one host from the other.
> Perhaps you should compile photurisd with -DDEBUG and send the output.
> What does /kern/ipsec and netstat -rn say?
   IMHO, now photurisd does its job quite well:
	`netstat -rn' shows added spi's on both hosts
	`/kern/ipsec' displays the same spi's (among others)
 All photurisd configuration files at all these hosts are symmetric
 (produced by simple substitution (cyclic rotation) of host names in the group).
 The problem appears to be in the alpha-specific part of the code (64-specific?).
 I've managed to start ipsec-enabled pmax kernel (it keeps crashing like m$ nt
 and remaps all scsi hard disks: rz1 -> rz2, rz2 -> rz4, and so on, however)
 and I had some time to find out that:
   1. first time pmax photurisd started, alpha station crashed (!)
   2. after reboot it didn't establish ipsec keys but after manual intervention
      (startkey) it did and then it talked neither to i386 nor to pmax,
   3. but pmax and i386 communicated quite successfully
 Having enabled `net.ipsec.encap.encdebug' I got the following in `messages'
 syslog file of i386 host while pinging it from alpha station:
| Sep 20 00:19:59 zeus /bsd: ah_new_input(): authentication failed for packet from 66a1bec2 to 37a1bec2, spi 7ccf1be2
| Sep 20 00:19:59 zeus /bsd: ah_input(): authentication failed for AH packet from 66a1bec2 to 37a1bec2, spi 7ccf1be2
   This gives me no clue, but maybe it would be useful for some guru?
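
An added example, not part of the original message or of photurisd: a small parser for the `encdebug` lines quoted above that extracts the function, peers and SPI and groups the failures per security association. It assumes the hex words are network-order addresses printed as integers on the little-endian i386 host (the two peers share the trailing bytes `a1bec2`), and that the `ah_new_input()` and `ah_input()` lines report the same packet.

```python
import re
import socket
import struct
from collections import Counter

# The two log lines quoted in the message above (leading "| " removed).
SAMPLE = """\
Sep 20 00:19:59 zeus /bsd: ah_new_input(): authentication failed for packet from 66a1bec2 to 37a1bec2, spi 7ccf1be2
Sep 20 00:19:59 zeus /bsd: ah_input(): authentication failed for AH packet from 66a1bec2 to 37a1bec2, spi 7ccf1be2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s/bsd:\s"
    r"(?P<func>\w+)\(\): authentication failed for (?:AH )?packet "
    r"from (?P<src>[0-9a-f]{8}) to (?P<dst>[0-9a-f]{8}), spi (?P<spi>[0-9a-f]{8})$"
)

def hex_to_ip(word, little_endian=True):
    """Decode an 8-digit hex word into a dotted quad.

    Assumption: the word is a network-order address printed as a host
    integer, so on a little-endian logger (i386) the bytes are reversed.
    """
    fmt = "<I" if little_endian else ">I"
    return socket.inet_ntoa(struct.pack(fmt, int(word, 16)))

def parse_failures(text):
    """Return one dict per AH authentication-failure line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.lstrip("| ").rstrip())
        if m:
            e = m.groupdict()
            e["src_ip"] = hex_to_ip(e["src"])
            e["dst_ip"] = hex_to_ip(e["dst"])
            events.append(e)
    return events

def failures_by_sa(events):
    """Count failures per (src, dst, spi), the SPI kept as printed.

    Lines that differ only in the reporting function are collapsed
    (assumed to describe one packet). Syslog has one-second resolution,
    so the counts are a lower bound.
    """
    seen = {(e["ts"], e["src_ip"], e["dst_ip"], e["spi"]) for e in events}
    return Counter((s, d, spi) for _, s, d, spi in seen)

if __name__ == "__main__":
    for sa, n in failures_by_sa(parse_failures(SAMPLE)).items():
        print(sa, n)
```

Comparing the resulting (src, dst, spi) tuple against the SPIs listed in `/kern/ipsec` on both peers shows whether the failing packets use an SA that both sides actually hold.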