Re: state of ipsec

From: Craig Boston <craig_at_xfoil.gank.org>
Date: Mon, 16 Feb 2004 09:29:25 -0600
On Monday 16 February 2004 6:52 am, Guido van Rooij wrote:

> IIRC IPSEC currently has the problem that if you happen to use require
> in your policies, even the ISAKMP packets do not get out.
>
> I switched to FAST_IPSEC, which doesn't have this problem.
> You can of course also use "use" instead of "require".

One workaround that solved it for me is to modify your IPSEC policy and insert 
something like this at the top:

spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P out ipsec
  esp/transport//default;
spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P in ipsec
  esp/transport//default;

If that's at the top before anything else, it should override the policy for 
ISAKMP packets and get things working again without having to fall back to 
'use'.  A similar entry should be possible for IPv6 as well if you need that.

On a somewhat related topic, has anyone encountered panics when the interface 
that racoon is watching is destroyed (say, gif0)?  This is on 5.2-RELEASE.  
I'll try to get a dump if it happens again...

Craig
Received on Mon Feb 16 2004 - 06:29:33 UTC
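The ordering point in the post (the ISAKMP exemption must sit above the "require" entries, since the SPD is matched top-down and the IKE daemon's own UDP/500 packets have to leave before any SA exists) is easy to get wrong when a policy file is edited later. The script below is an added example and not part of the original message: it generates a complete setkey(8) policy file with the post's IPv4 exemption first, an IPv6 counterpart (assumed; the post only says a similar entry should work), and a mandatory site-to-site tunnel after them, then lints the ordering before anything is loaded. All addresses are constructed placeholders, and the level "default" in the exemption defers to the kernel's net.key.esp_trans_deflev sysctl, which is "use" unless an administrator changed it.

```shell
#!/bin/sh
# Added example (not from the original post): build a setkey(8) policy file
# whose first entries exempt ISAKMP (UDP/500) from a later "require" tunnel
# policy, then check the ordering before the file is loaded.
# Constructed addresses; override via the environment for a real site.
LOCAL_NET=${LOCAL_NET:-10.0.1.0/24}
REMOTE_NET=${REMOTE_NET:-10.0.2.0/24}
LOCAL_GW=${LOCAL_GW:-192.0.2.1}
REMOTE_GW=${REMOTE_GW:-198.51.100.1}

# Print the policy. ISAKMP entries come first: the SPD is matched in order,
# and racoon's IKE packets must leave before any SA has been negotiated.
gen_policy() {
    cat <<EOF
# ISAKMP exemption (as in the post). Level "default" makes the kernel use
# the net.key.esp_trans_deflev sysctl, which is "use" unless changed.
spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P out ipsec esp/transport//default;
spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P in ipsec esp/transport//default;
# IPv6 counterpart (assumed; the post only says a similar entry should work).
spdadd ::/0[500] ::/0[500] any -P out ipsec esp/transport//default;
spdadd ::/0[500] ::/0[500] any -P in ipsec esp/transport//default;
# Site-to-site tunnel that is mandatory for everything else.
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# Lint: read a policy on stdin and exit 0 only if every [500] entry
# precedes the first "require" entry; comments and blank lines are ignored.
check_order() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /require/ && !seen_req { seen_req = NR }
        /\[500\]/ && seen_req  { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}
```

Typical use on the gateway, as root, is `gen_policy | check_order && gen_policy > /etc/ipsec.conf && setkey -f /etc/ipsec.conf`; the lint refuses a file where someone later pasted a "require" entry above the exemption, which is exactly the case in which IKE silently stops working.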
