Re: flushing ipsec configuration
On Mon, Aug 06, 2001 at 03:11:32PM +0000, Jim Breton wrote:
> On Mon, Aug 06, 2001 at 03:20:25PM +0200, Hakan Olsson wrote:
> > If you remove and recreate the SPIs the replay protection numbers will be
> > reset. 'ipsecadm flush' removes all flows and all SPIs.
>
> Are you sure? I was running tcpdump on the remote end and I didn't see
> the numbers reset at all after flushing. I had to wait for some period
> of time to pass.
OK, I must put down the crack pipe. I just tried it a dozen times and it
worked correctly every time.
I still don't know, then, why flushing and reloading my flows and
everything caused me to lose the connection, but at the moment I can't
seem to reproduce it anymore. ;P
Meanwhile, just so I know whether or not I am wasting my time, can
anyone tell me if the following configuration is supported by IPSec:
(LAN) <-> (OBSD NAT+IPSec) <-> Internet <-> (Remote server, FBSD+IPSec)
Note that it is not symmetric, i.e., there is no "internal network" on
the remote side. All the examples seem to cover "host-to-host" and
"lan-to-lan" configurations but I am trying to make the above work. So
far I have been able to get _either_ the OBSD machine _or_ the internal
LAN to talk to the remote server, but not both at the same time.
Thanks.
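The thread leaves open why the connection dropped after a flush and came back only after some time. What follows is an added example, not code from this thread or from the OpenBSD or FreeBSD IPsec stacks: it models the receiver-side anti-replay window described in RFC 2401 Appendix C and shows what an inbound SA that was not torn down does with packets whose ESP sequence numbers start over at 1, versus what happens when both sides recreate the SA. The SPI values, window size of 64, and packet counts are constructed for the simulation.

```python
"""Sliding-window anti-replay check in the style of RFC 2401 Appendix C.

Added example, not from the mailing-list thread. It simulates the receiver's
replay window for one inbound IPsec SA so that the effect of a peer restarting
its ESP sequence counter (e.g. after flushing and reloading only its own side)
can be observed. All SPIs and traffic below are constructed.
"""

WINDOW = 64  # RFC 2401 suggests 64 packets; the minimum is 32


class AntiReplayWindow:
    """Receiver state for one inbound SA: highest sequence number accepted so
    far plus a bitmap of which of the last WINDOW numbers have been seen."""

    def __init__(self, spi, window=WINDOW):
        self.spi = spi
        self.window = window
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => packet last_seq - i already received

    def check(self, seq):
        """Return True and record seq if the packet is acceptable, else False."""
        if seq == 0:
            return False  # ESP sequence numbers start at 1
        if seq > self.last_seq:
            # New high-water mark: slide the window to the right.
            shift = seq - self.last_seq
            if shift < self.window:
                self.bitmap = (self.bitmap << shift) & ((1 << self.window) - 1)
            else:
                self.bitmap = 0  # everything previously seen is now too old
            self.bitmap |= 1
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.window:
            return False  # left of the window: too old, dropped
        if self.bitmap & (1 << diff):
            return False  # already received: replay, dropped
        self.bitmap |= 1 << diff  # late but in-window and unseen: accepted
        return True


class Sender:
    """Outbound SA state: a monotonically increasing ESP sequence counter."""

    def __init__(self, spi):
        self.spi = spi
        self.seq = 0

    def next_packet(self):
        self.seq += 1
        return (self.spi, self.seq)


def deliver(receivers, packet):
    """Look up the inbound SA by SPI and run the replay check on the packet."""
    spi, seq = packet
    sa = receivers.get(spi)
    if sa is None:
        return False  # no SA for this SPI: dropped
    return sa.check(seq)


def simulate(packets_before_flush=200, peer_recreates_sa=False, after=50):
    """Send packets_before_flush packets, 'flush' the sender side, then send
    `after` more and return how many the receiver accepts.

    peer_recreates_sa=False: the sender restarts its counter at 1 on the same
    SPI while the receiver keeps its old SA and window state.
    peer_recreates_sa=True: both ends install a fresh SA (new SPI, new window),
    which is what removing and recreating the SPIs on both sides amounts to.
    """
    receivers = {0x1001: AntiReplayWindow(0x1001)}
    sender = Sender(0x1001)
    for _ in range(packets_before_flush):
        if not deliver(receivers, sender.next_packet()):
            raise RuntimeError("in-order traffic must be accepted")

    # Flush and reload on the sending side: its counter restarts at 1.
    if peer_recreates_sa:
        sender = Sender(0x2002)
        receivers = {0x2002: AntiReplayWindow(0x2002)}
    else:
        sender = Sender(0x1001)

    return sum(deliver(receivers, sender.next_packet()) for _ in range(after))


def reorder_and_replay_demo():
    """Show the normal window behaviour: mild reordering is fine, duplicates
    are not. Returns the per-packet verdict for the constructed sequence."""
    sa = AntiReplayWindow(0x3003)
    return [sa.check(s) for s in (1, 2, 3, 5, 4, 4, 3)]


if __name__ == "__main__":
    print("sender restarts counter, receiver keeps SA:", simulate())
    print("both sides recreate the SA:", simulate(peer_recreates_sa=True))
    print("recover by outrunning the old window:", simulate(after=300))
    print("reorder/replay verdicts:", reorder_and_replay_demo())
```

In the model, a sender that restarts at 1 on an SA the receiver still holds is silently dropped until its sequence numbers climb past everything the receiver has already seen, so the link "comes back" only after as many packets as were sent before the flush; tearing the SA down on both ends (new SPI, fresh window) is accepted immediately. Whether that is what happened in the thread is not established here; it is only one mechanism by which counters reset on one side fail to line up with the other, and it is worth checking with tcpdump on the receiving end whether the dropped packets carry sequence numbers below its current window.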