<br><br><div class="gmail_quote">On Fri, Jul 29, 2011 at 6:36 AM, John Elliot <span dir="ltr">&lt;<a href="mailto:jj5@jj5.net">jj5@jj5.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
I've restarted /etc/init.d/setkey after making changes to these files. I'm running tcpdump on Hope, and I SSH from Charity to Hope and see the following in the tcpdump logs:<br>
<br>
&nbsp; &nbsp;18:46:11.218238 IP <a href="http://charity.progclub.org" target="_blank">charity.progclub.org</a> > hope: AH(spi=0x00000200,seq=0x40): ESP(spi=0x00000201,seq=0x40), length 64<br>
&nbsp; &nbsp;18:46:11.218361 IP hope > <a href="http://charity.progclub.org" target="_blank">charity.progclub.org</a>: AH(spi=0x00000300,seq=0x22): ESP(spi=0x00000301,seq=0x22), length 64<br>
&nbsp; &nbsp;18:46:11.218822 IP <a href="http://charity.progclub.org" target="_blank">charity.progclub.org</a> > hope: AH(spi=0x00000200,seq=0x41): ESP(spi=0x00000201,seq=0x41), length 56<br>
&nbsp; &nbsp;18:46:11.232615 IP hope > <a href="http://charity.progclub.org" target="_blank">charity.progclub.org</a>: AH(spi=0x00000300,seq=0x23): ESP(spi=0x00000301,seq=0x23), length 96<br>
&nbsp; &nbsp;18:46:11.233099 IP <a href="http://charity.progclub.org" target="_blank">charity.progclub.org</a> > hope: AH(spi=0x00000200,seq=0x42): ESP(spi=0x00000201,seq=0x42), length 56<br>
&nbsp; &nbsp;18:46:11.233205 IP <a href="http://charity.progclub.org" target="_blank">charity.progclub.org</a> > hope: AH(spi=0x00000200,seq=0x43): ESP(spi=0x00000201,seq=0x43), length 96<br>
<br>
However, the SSH session just hangs there and "nothing happens". I have to press Ctrl+C to cancel out of the attempted SSH connection.<br>
<br></blockquote></div><br>Can you ping? What are your configured routes?<br><br>These [1,2] may be of use... in particular, netstat should indicate packet counts on each interface<br><br>[1] <a href="http://www.netbsd.org/docs/network/ipsec/#pitfalls">http://www.netbsd.org/docs/network/ipsec/#pitfalls</a><br>
[2] <a href="http://ipsec-tools.sourceforge.net/checklist.html">http://ipsec-tools.sourceforge.net/checklist.html</a><br><br>I would also temporarily disable IP Tables to see if an empty policy makes any difference, at least to rule that out.<br>
<br>Cheers,<br><br>Nigel<br><br><br>