I just upgraded a ThinkPad 600E from RELENG_5_1 to RELENG_5_2. I seem to be having trouble with my IKE daemon, racoon(8), but I don't think the problem is with racoon(8); it may be the FreeBSD KAME IPsec implementation.

I had had IPsec, with racoon(8) as the IKE daemon, running great under 5.1. When I upgraded to 5.2RC, it no longer functioned. I thought it may be a compatibility issue, so to eliminate the possibility, I deinstalled, rebuilt on the 5.2RC system, and reinstalled (just used 'portupgrade -f'). That did not help.

IPsec does work, however. When I manually load up the SAD with setkey(8), the ESP tunnel comes up and everything is fine.

I think the problem is that the IKE traffic, 500/udp, is not bypassing the IPsec processing like it should. For example, I try to ping a host for which the SPD requires an ESP tunnel. Racoon(8)'s log reports that we are trying to start Phase 1 ISAKMP. However, if I snoop the wire, no packets are leaving the machine, nor do any counters in the ipfw(8) output increment as they should for 500/udp traffic. But the way the 'netstat -s -p ipsec' line, 'outbound packets with no SA available,' increments is consistent with the packets getting dropped there. (I should note that the traffic to the other end of the IPsec tunnel would also go through the tunnel according to the SPD.)

Anyone else seeing this?
-- 
Crist J. Clark                     | cjclark_at_alum.mit.edu
                                   | cjclark_at_jhu.edu
http://people.freebsd.org/~cjc/    | cjc_at_freebsd.org

Received on Thu Dec 18 2003 - 21:49:37 UTC
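One way to rule out the SPD itself as the cause of the symptom described above is to give IKE its own explicit bypass entries ahead of the tunnel policies, so that a 500/udp packet can never be matched by the "require ESP" rule and dropped for lack of an SA. The setkey(8) policy file below is an added example, not part of the original post and not a known fix for the behaviour reported; the addresses 192.0.2.10 (this host) and 198.51.100.20 (the tunnel peer) are placeholders.

```conf
# Constructed example setkey(8) policy file (not from the post).
# Load with:   setkey -f /path/to/this/file
# Inspect with: setkey -DP     (policies)   and   setkey -D   (SAs)

# Start from an empty SPD so ordering is predictable.
spdflush;

# IKE (ISAKMP, UDP port 500) between this host and the peer must travel in
# the clear in both directions: "-P ... none" exempts it from IPsec processing.
spdadd 192.0.2.10[500] 198.51.100.20[500] udp -P out none;
spdadd 198.51.100.20[500] 192.0.2.10[500] udp -P in  none;

# All other traffic between the two hosts requires the ESP tunnel; without an
# SA these packets are the ones that should show up under
# "outbound packets with no SA available" in 'netstat -s -p ipsec'.
spdadd 192.0.2.10 198.51.100.20 any -P out ipsec esp/tunnel/192.0.2.10-198.51.100.20/require;
spdadd 198.51.100.20 192.0.2.10 any -P in  ipsec esp/tunnel/198.51.100.20-192.0.2.10/require;
```

After loading this, trigger the tunnel again (for example with a ping to the peer) while watching the "no SA available" counter and the 500/udp ipfw(8) counters: if the ISAKMP packets now reach the wire, the catch-all tunnel policy was swallowing the IKE exchange; if they still do not, the drop is happening before policy lookup and the SPD is not the place to look.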
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:34 UTC