Thanks Brian, I understand. Also your solution was helpful. I will try not to post any issues that are not related to the ipsec-tools package.
Sorry for the inconvenience, and thank you so much for your help.

On 2/23/06, Brian Candler wrote:
Well, I'm getting a bit tired of this now. This will be my last reply.

>    ftp using tcpdump, I don't see any encryption (I am expecting ftp
>    packet to be encrypted here since I am using port 21). Instead, I see
>    just like a regular ftp packet as follows:
>    IP > P 1:32(31) ack 1 win 49232
                    ^^^                ^^^^^

actual packet
source port: 21
destination port: 32806

>    spdadd[21][21] any -P out ipsec
>    esp/transport//require;
>    spdadd[21][21] any -P in ipsec
>    esp/transport//require;

policy definition
source port: 21
destination port: 21

Spot the mismatch?

Let me say the following, as I think far too much noise has been generated
on this thread over the last few weeks.

This list is for the development of the *ipsec-tools* software package,
which implements Internet Key Exchange (IKE). This means that:

(1) Any questions about Solaris IPSEC configuration are *off topic* for this
list. Try the sun-managers list.

(2) Any questions about manual keying are *off topic* for this list. Try the
KAME list, or a Linux networking list.

Whilst some general IPSEC discussion does take place here, and also it is
reasonable to ask for help debugging *key exchange* problems between
ipsec-tools and some other IKE implementation, we can't sit here all day and
attempt to build your solution for you, especially when that solution does
not involve ipsec-tools at all. I think there comes a point where you have
to do your own research - sorry.

Of course, I can't speak on behalf of any other member of this list. But if
anyone disagrees with me, I'm more than happy for them to answer your
questions for you. I won't any more.
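
Added example, not part of the original thread: a simplified model of the selector comparison behind the "Spot the mismatch?" point, showing why a policy with both ports pinned to 21 never applies to a packet going from port 21 to port 32806. The addresses 192.0.2.10 and 192.0.2.20 and the `[any]` policy are constructed placeholders, since the thread's own addresses do not appear on this page.

```python
import re
from typing import NamedTuple, Optional

# Simplified model of setkey-style SPD selectors: exact host addresses only,
# no prefixes or port ranges. All addresses below are constructed placeholders.
class Selector(NamedTuple):
    src: str
    sport: Optional[int]  # None stands for "any"
    dst: str
    dport: Optional[int]
    proto: str
    direction: str

_SPDADD = re.compile(
    r"spdadd\s+(\S+?)\[(\w+)\]\s+(\S+?)\[(\w+)\]\s+(\w+)\s+-P\s+(in|out)\s+ipsec")

def _port(token: str) -> Optional[int]:
    return None if token == "any" else int(token)

def parse_spdadd(line: str) -> Selector:
    m = _SPDADD.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised spdadd line: {line!r}")
    src, sport, dst, dport, proto, direction = m.groups()
    return Selector(src, _port(sport), dst, _port(dport), proto, direction)

def matches(sel: Selector, pkt: tuple, direction: str) -> bool:
    """pkt is (src, sport, dst, dport, proto); every selector field must agree."""
    src, sport, dst, dport, proto = pkt
    return (sel.direction == direction
            and sel.proto in ("any", proto)
            and (sel.src, sel.dst) == (src, dst)
            and sel.sport in (None, sport)
            and sel.dport in (None, dport))

# Policy shaped like the one quoted in the thread: both ports pinned to 21.
AS_POSTED = "spdadd 192.0.2.10[21] 192.0.2.20[21] any -P out ipsec esp/transport//require;"
# Constructed alternative: server port 21, any client port.
WIDENED = "spdadd 192.0.2.10[21] 192.0.2.20[any] any -P out ipsec esp/transport//require;"
# Packet shaped like the tcpdump line: source port 21, destination port 32806.
PACKET = ("192.0.2.10", 21, "192.0.2.20", 32806, "tcp")

if __name__ == "__main__":
    for name, line in (("as posted", AS_POSTED), ("widened", WIDENED)):
        hit = matches(parse_spdadd(line), PACKET, "out")
        print(f"{name}: {'ESP required' if hit else 'no policy match'}")
```

When checking a real policy, compare each selector field against a captured packet the same way: one field that disagrees is enough for the policy not to apply.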



