Date: Mon, 12 Aug 2002 15:48:56 -0700
From: Julian Elischer <julian@vicor.com>
To: net@freebsd.org
Subject: Racoon question
Message-ID: <3D583B58.3A132F@vicor.com>
I have a (probably silly) question about racoon.. I have racoon working to some extent. I have it working in transport mode. However I notice that if I have a problem on one system it sometimes needs to wait until the running SA has expired until things can be restarted.. For example if one system is rebooted, I need to reset the racoon on the other system and clear SAs etc. before things can resync.

It occurred to me that this may be because the racoons need to talk across the transport connection that is toasted so it's a catch-22. I tried setting up port 500 as an exception using 'none' in /etc/ipsec.conf but that seems to confuse things.. it seems unable to decide for any given connection whether to use the [500] or [any] sessions.

There is no documentation as to whether one can set up a generic SA between machines A and B and then have an exception for a particular port number and protocol. If I DO put the line "spdadd bla [500] bla [500] none;" into the file things apparently get very confused.. If I don't, as I said, the racoons can not talk to each other until everything on both sides of the link has been reset.

Does anyone know whether racoon is supposed to be able to communicate across a broken transport connection? If not then it seems to be rather useless..
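As an added illustration (not part of Julian's mail and not racoon's own documentation), this is what the two-level policy he describes looks like in setkey(8)'s /etc/ipsec.conf syntax: a bypass entry for IKE itself (UDP port 500) placed ahead of a general transport-mode ESP requirement between the two hosts. The addresses 192.0.2.1 (this host) and 192.0.2.2 (the peer) are constructed placeholders. The ordering assumes the kernel consults the SPD in the order the entries were added and takes the first match, so the more specific bypass has to precede the catch-all rather than follow it.

```conf
# Added example, not from the original mail. Addresses are constructed
# placeholders: 192.0.2.1 is this host, 192.0.2.2 is the peer.

# Flush old policies so entries left over from a previous run do not linger.
spdflush;

# Bypass IKE (UDP/500) in both directions so the racoons can still
# negotiate after one side has lost its SAs. Assumption: the SPD is
# searched in insertion order, first match wins, so these must come first.
spdadd 192.0.2.1[500] 192.0.2.2[500] udp -P out none;
spdadd 192.0.2.2[500] 192.0.2.1[500] udp -P in  none;

# Everything else between the two hosts must be protected by
# transport-mode ESP; racoon negotiates the SAs on demand.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

Load it with `setkey -f /etc/ipsec.conf` and dump the resulting policy database with `setkey -DP`; the dump shows the entries in the order the kernel holds them, which is the quickest way to check whether a given flow (port 500 versus everything else) lands on the bypass or on the catch-all. If the mail's symptom of the kernel "unable to decide" still appears after the bypass is listed first, the dump is also where that ambiguity would show up.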