Date: Wed, 23 Apr 2003 12:16:34 +0200 (CEST)
Message-Id: <200304231016.h3NAGYmq002991@lk.tempest.sk>
From: Ludo Koren
To: freebsd-current@freebsd.org
Subject: IPsec on FreeBSD 5.0-RELEASE-p7

After upgrading to

FreeBSD 5.0-RELEASE-p7 (COMPAQ) #0: Sun Apr 20 21:50:49 CEST 2003

IPsec stopped working. I have the following options in the kernel configuration:

options         IPSEC                   #IP security
options         IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
options         IPSEC_DEBUG             #debug for IP security

and the IPsec configuration was working with FreeBSD 4.6:

#!/bin/sh

/sbin/ifconfig gif0 create tunnel 195.28.126.7 195.91.63.194
/usr/sbin/gifconfig gif0 inet 195.28.126.7 195.91.63.194
/sbin/ifconfig gif0 inet x.x.x.x netmask 255.255.255.255 y.y.y.0 netmask 255.255.255.0 up

/usr/sbin/setkey -FP
/usr/sbin/setkey -F
/usr/sbin/setkey -c << EOF
spdadd x.x.x.x/32 y.y.y.0/24 any -P out ipsec esp/tunnel/195.28.126.7-195.91.63.194/require;
spdadd y.y.y.0/24 x.x.x.x/32 any -P in ipsec esp/tunnel/195.91.63.194-195.28.126.7/require;
EOF

/sbin/route add -net y.y.y.0 x.x.x.x 255.255.255.0 -iface

/usr/local/sbin/racoon

I can see via tcpdump on fxp0 that ESP packets are going to the destination and back. Unfortunately, ping doesn't get a response. It seems the packets do not come back through the gif0 interface, though tcpdump on the fxp0 interface gets them.

Any hint is appreciated.

Thanks,

ludo