From: "Crist J. Clark" <cristjc@comcast.net>
To: Nathan Kay
Cc: current@freebsd.org
Date: Sun, 21 Dec 2003 20:18:01 -0800
Subject: Re: Possible IPsec Trouble in 5.2RC?
Message-ID: <20031222041801.GA18856@blossom.cjclark.org>
In-Reply-To: <20031219143232.GA91798@numenor.net>
References: <20031219064932.GA94971@blossom.cjclark.org> <20031219143232.GA91798@numenor.net>
User-Agent: Mutt/1.4.1i
X-URL: http://people.freebsd.org/~cjc/
List-Id: Discussions about the use of FreeBSD-current

On Fri, Dec 19, 2003 at 06:32:32AM -0800, Nathan Kay wrote:
> On Thu, Dec 18, 2003 at 10:49:32PM -0800, Crist J. Clark wrote:
> > IPsec does work, however. When I manually load up the SAD with
> > setkey(8), the ESP tunnel comes up and everything is fine.
>
> Confirmed, IKE no longer works for my setup either, while manual
> keying does.
>
> > I think the problem is that the IKE traffic, 500/udp, is not bypassing
> > the IPsec processing like it should.
>
> That's what it looked like was going on in my setup as well.

A few others have seen the same problems with KAME IPsec in 5.2RC. One
person mentioned that the FAST_IPSEC implementation does not share the
bug. I switched over and things work fine with the same racoon
executable and configuration. This does look like a bug in the FreeBSD
KAME IPsec.

-- 
Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
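The workaround the message describes, manually loading the SAD with setkey(8) so the ESP tunnel comes up without IKE, together with explicit SPD entries that exempt IKE's 500/udp from IPsec processing, as an added example that is not part of the original thread or of anyone's posted configuration. The gateway addresses (192.0.2.1 and 198.51.100.1), inner networks, SPIs and keys are constructed placeholders; the message does not say whether an explicit bypass policy changed the behaviour on 5.2RC, this only shows what "bypassing IPsec processing" means in SPD terms.

```conf
# Constructed example /etc/ipsec.conf, loaded with: setkey -f /etc/ipsec.conf
# Gateway A = 192.0.2.1 (this host), gateway B = 198.51.100.1 (placeholders).
# Inner networks: 10.1.0.0/24 behind A, 10.2.0.0/24 behind B.

flush;
spdflush;

# Manual ESP tunnel SAs, one per direction. SPIs and keys are constructed
# placeholders: AES-128 (rijndael-cbc, 32 hex digits) and HMAC-SHA1
# (40 hex digits). Generate real keys randomly and keep this file mode 0600.
add 192.0.2.1 198.51.100.1 esp 0x10001 -m tunnel
    -E rijndael-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;
add 198.51.100.1 192.0.2.1 esp 0x10002 -m tunnel
    -E rijndael-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1 0x76543210fedcba9876543210fedcba9876543210;

# Policy: traffic between the inner networks must use the tunnel.
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;

# Explicit bypass for IKE (500/udp) between the gateways, so key
# negotiation traffic is never itself subjected to IPsec processing.
spdadd 192.0.2.1[500] 198.51.100.1[500] udp -P out none;
spdadd 198.51.100.1[500] 192.0.2.1[500] udp -P in none;
```

After loading, `setkey -D` dumps the SAD and `setkey -DP` dumps the SPD, which is the quickest way to confirm that the manual SAs and the 500/udp bypass entries are actually what the kernel is consulting before comparing against a racoon-driven setup.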