Following up on my own post with some new information and puzzler:

On Thu, Jul 17, 2008, Bill Campbell wrote:
>On Thu, Jul 17, 2008, Timothy Selivanow wrote:
...
>
>After letting things sit overnight, and seeing ``IPsec-SA
>expired'' messages in /var/log/messages, I tried again this
>afternoon without success. There are some things that seem
>noteworthy to me.
>
> 1. There was no traffic between the machines until I started ``tcpdump''
>    on one, at which time it initiated the handshaking with the machine
>    here (one machine is here on M.I., the other in Kansas City).
>
> 2. When racoon starts, there is a message in /var/log/messages,
>    ``racoon: ERROR: racoon: MLS support is not enabled''. I haven't
>    been able to figure out what that means.
>
> 3. The Kansas City machine is running kernel 2.6.18-53.1.14.el5 SMP,
>    x86_64.
>
> 4. The M.I. machine is running 2.6.18-53.1.21.el5PAE SMP i686...
>
> 5. The M.I. machine hosts several VMware virtual machines so both its
>    NICs are in promiscuous mode.

I tried setting up a different machine here on M.I. to connect, changed
the remote IP on the Kansas City machine, and am able to create a tunnel,
ping, and ssh from M.I. to K.C., but cannot do any of these from K.C. to
M.I.

There are *NO* iptables rules on either machine at present. To the best
of my knowledge there are no IP filters between the Internet and these
machines. The one in K.C. is a DSL modem on a /29 net block while the
connection here is via an Integra/Eschelon Adtran channel bank to a T1 to
our 192.136.111.0/24 block.

I cannot understand how a connection works one way, but not the other, on
what is supposed to be symmetric.

Bill
--
INTERNET: bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/   PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676            Mercer Island, WA 98040-0820
Fax:   (206) 232-9186

Things in our country run in spite of government. Not by aid of it!
    Will Rogers
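One check worth running on both peers when a tunnel passes traffic in only one direction, as an added example that is not part of the original thread: parse the SAD dump from `setkey -D` (the ipsec-tools utility that ships alongside racoon) and flag any peer pair that lacks a mature SA in one direction, since ESP SAs are unidirectional and an expired or missing one-way SA produces exactly the one-way symptom described above. The sample `setkey -D` output and the addresses in it are constructed for this example.

```python
import re

# Constructed sample of `setkey -D` output (not from the original post; addresses
# are documentation ranges). The SA from "K.C." to "M.I." is mature while the
# reverse SA has expired, a state that would show up as one-way traffic.
SAMPLE_SETKEY_D = """\
198.51.100.10 192.0.2.20
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.20 198.51.100.10
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=dead
"""

HEADER = re.compile(r"^(\S+) (\S+)$")  # unindented "src dst" line opens an SA entry

def parse_sad(text):
    """Return [{src, dst, proto, spi, state}, ...] parsed from `setkey -D` output."""
    sas, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "proto": None, "spi": None, "state": None}
            sas.append(cur)
        elif cur and "spi=" in line:
            cur["proto"] = line.split()[0]
            cur["spi"] = int(re.search(r"spi=(\d+)", line).group(1))
        elif cur and "state=" in line:
            cur["state"] = re.search(r"state=(\w+)", line).group(1)
    return sas

def check_symmetry(sas):
    """List every direction between two peers that has no mature SA (one SA per direction is required)."""
    states = {}
    for sa in sas:
        states.setdefault((sa["src"], sa["dst"]), []).append(sa["state"])
    peers = {tuple(sorted(k)) for k in states}
    problems = []
    for a, b in sorted(peers):
        for src, dst in ((a, b), (b, a)):
            seen = states.get((src, dst), ["no SA"])
            if "mature" not in seen:
                problems.append(f"{src}->{dst}: {', '.join(seen)}")
    return problems

if __name__ == "__main__":
    for p in check_symmetry(parse_sad(SAMPLE_SETKEY_D)):
        print("asymmetric:", p)
```

Run it against the real `setkey -D` output on each end (both must be checked, as each kernel holds its own SAD); a direction reported as `dead` or `no SA` on one peer but `mature` on the other points at a rekey or negotiation failure rather than at filtering.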