Re: Possible IPsec Trouble in 5.2RC?

From: Rudolph Pereira <memetical_at_yahoo.com.au>
Date: Fri, 19 Dec 2003 20:23:17 +1100
On Thu, Dec 18, 2003 at 10:49:32PM -0800, Crist J. Clark wrote:
> I just upgraded a ThinkPad 600E from RELENG_5_1 to RELENG_5_2. I seem
> to be having trouble with my IKE daemon, racoon(8), but I don't think
> the problem is with racoon(8), but it may be the FreeBSD KAME IPsec
> implementation.
<snip>
> 
> I think the problem is that the IKE traffic, 500/udp, is not bypassing
> the IPsec processing like it should. For example, I try to ping a host
> for which the SPD requires an ESP tunnel. Racoon(8)'s log reports
> that we are trying to start Phase 1 ISAKMP. However, if I snoop the
> wire, no packets are leaving the machine, nor do any counters in the
> ipfw(8) output increment as they should for 500/udp traffic. But the
> way the 'netstat -s -p ipsec' line, 'outbound packets with no SA
> available,' increments is consistent with the packets getting dropped
> there. (I should note that the traffic to the other end of the IPsec
> tunnel would also go through the tunnel according to the SPD.)
> 
> Anyone else seeing this?
I am seeing exactly the same thing trying to set up ipsec between two
recent -current boxes, and have been for quite some time. I've come to
the same conclusion as you.
The only difference in my setup is that I've got no firewalling at all.

Some other interesting facts, probably supporting the above:
- if I set the ipsec level to use rather than require, things work fine
  (but some traffic goes over unencrypted, as expected)
- the same rules/configuration works when both machines are running
  Debian Linux (there is a kame/racoon backport in their kernel)
Received on Fri Dec 19 2003 - 00:23:23 UTC
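An added example, not part of the thread: an explicit setkey(8) SPD for the setup both posters describe, with bypass entries for IKE on 500/udp listed ahead of the ESP tunnel policy, and the "require" level beside the weaker "use" level mentioned in the reply. Gateway and subnet addresses are constructed placeholders, and the cleartext_allowed helper is a review check of my own, not a KAME or racoon tool.

```shell
#!/bin/sh
# Constructed example: placeholder addresses from the RFC 5737/1918 ranges.
LOCAL_GW=192.0.2.1
REMOTE_GW=198.51.100.1
LOCAL_NET=10.0.1.0/24
REMOTE_NET=10.0.2.0/24

# Emit a setkey(8) policy set.  $1 is the IPsec level for the tunnel policy:
# "require" drops traffic until an SA exists; "use" sends it in the clear
# when no SA exists, which is why the thread calls that setting weaker.
spd_policy() {
    level=$1
    cat <<EOF
flush;
spdflush;

# Let IKE (500/udp) reach the peer without matching the tunnel policy,
# so ISAKMP Phase 1 is not itself dropped for lack of an SA.
spdadd ${LOCAL_GW}[500] ${REMOTE_GW}[500] udp -P out none;
spdadd ${REMOTE_GW}[500] ${LOCAL_GW}[500] udp -P in  none;

# Tunnel policy for the protected subnets.
spdadd ${LOCAL_NET} ${REMOTE_NET} any -P out ipsec esp/tunnel/${LOCAL_GW}-${REMOTE_GW}/${level};
spdadd ${REMOTE_NET} ${LOCAL_NET} any -P in  ipsec esp/tunnel/${REMOTE_GW}-${LOCAL_GW}/${level};
EOF
}

# Review check (hypothetical helper): count policies in a generated set that
# can let packets through unencrypted, i.e. bypass entries plus any "use"
# tunnel policy.  With "require" only the two IKE bypass lines should count.
cleartext_allowed() {
    spd_policy "$1" | grep -c -E -- '-P (out|in) +none;|/use;$'
}

# Load the "require" variant into the kernel only when asked and when
# setkey is present on this host.
if [ "${1:-}" = "apply" ] && command -v setkey >/dev/null 2>&1; then
    spd_policy require | setkey -c
fi
```

Run with `sh spd.sh apply` on the FreeBSD box to load the policy, or without arguments to only generate and inspect it.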
