Date: Tue, 15 Apr 2003 23:51:54 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: "Crist J. Clark" <cjc@FreeBSD.org>
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: Single IP host and IPsec tunnel mode experience
Message-ID: <3E9CFD8A.89353F06@mindspring.com>
References: <20030410161511.GA25681@madman.celabo.org> <20030416052335.GA2519@blossom.cjclark.org>
"Crist J. Clark" wrote:
> On Thu, Apr 10, 2003 at 11:15:11AM -0500, Jacques A. Vidrine wrote:
> > So, KAME/IPsec experts ... have I gone astray with my configuration?
> > Or is this simply not doable within the KAME framework?
> > Or is this a bug (assuming my theory that packets are matched against
> > the SPD again after de-encapsulation is correct)?
>
> 'uname -a'? I can't reproduce this on a 4.8 to 4.7 tunnel. On
> 192.168.64.70,
>
>     spdadd 192.168.64.70/32 10.0.0.0/24 any -P out
>         ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
>     spdadd 10.0.0.0/24 192.168.64.70/32 any -P in
>         ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;

FWIW, we ran into this same problem. Deleting the default route fixed it, for some reason.

I never did track it down because we stopped shipping with IPSEC enabled, because of the huge overhead it had for all IPv4 connections (each connection eats a large chunk of RAM, which doesn't happen in the IPv6 case).

I keep meaning to fix this, but I'm always hoping that the KAME people get to it first (on the other hand, maybe they don't *want* it fixed, to encourage people to use IPv6 instead ;^)).

-- Terry
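As an added example (not from this thread, KAME, or FreeBSD), a small consistency check for the setkey SPD shape quoted above: a tunnel-mode "out" policy needs an "in" mirror with the selectors swapped and the tunnel endpoints reversed, which is exactly what Crist's pair does. THREAD_SPD is the quoted pair verbatim; BROKEN_SPD is a constructed variant in which the inbound endpoints were not reversed, and the regex only covers the esp/ah tunnel syntax shown here.

```python
import re
from typing import List, NamedTuple

# setkey(8) "spdadd" tunnel-mode policy in the shape used in the thread:
#   spdadd <src> <dst> <upperspec> -P <dir> ipsec <proto>/tunnel/<ep1>-<ep2>/<level>;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/tunnel/([^-\s]+)-([^/\s]+)/(default|use|require|unique);"
)

class Policy(NamedTuple):
    src: str        # selector source (address/prefix)
    dst: str        # selector destination
    upper: str      # upper-layer protocol ("any", "tcp", ...)
    direction: str  # "in" or "out"
    proto: str      # "esp" or "ah"
    ep_src: str     # tunnel outer source address
    ep_dst: str     # tunnel outer destination address
    level: str      # "require", "use", ...

def parse_spd(text: str) -> List[Policy]:
    """Extract tunnel-mode spdadd policies from a setkey configuration."""
    return [Policy(*m.groups()) for m in SPDADD_RE.finditer(text)]

def mirror_of(p: Policy) -> Policy:
    """The counterpart a policy needs for the return traffic:
    selectors swapped, direction flipped, tunnel endpoints reversed."""
    flipped = "in" if p.direction == "out" else "out"
    return Policy(p.dst, p.src, p.upper, flipped, p.proto, p.ep_dst, p.ep_src, p.level)

def unmirrored(policies: List[Policy]) -> List[Policy]:
    """Policies whose mirror is absent, i.e. traffic is covered one way only."""
    present = set(policies)
    return [p for p in policies if mirror_of(p) not in present]

# The pair quoted in the thread (192.168.64.70 is the single-IP host).
THREAD_SPD = """
spdadd 192.168.64.70/32 10.0.0.0/24 any -P out
    ipsec esp/tunnel/192.168.64.70-192.168.64.20/require;
spdadd 10.0.0.0/24 192.168.64.70/32 any -P in
    ipsec esp/tunnel/192.168.64.20-192.168.64.70/require;
"""

# Constructed variant: the inbound policy's tunnel endpoints were not reversed.
BROKEN_SPD = THREAD_SPD.replace(
    "esp/tunnel/192.168.64.20-192.168.64.70/require",
    "esp/tunnel/192.168.64.70-192.168.64.20/require")

if __name__ == "__main__":
    print("thread config, unmirrored:", unmirrored(parse_spd(THREAD_SPD)))
    for p in unmirrored(parse_spd(BROKEN_SPD)):
        print(f"no mirror for {p.direction} policy {p.src} -> {p.dst}")
```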