From owner-freebsd-net Mon Aug 12 15:49: 2 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8631937B400 for ; Mon, 12 Aug 2002 15:48:57 -0700 (PDT)
Received: from mail.vicor-nb.com (bigwoop.vicor-nb.com [208.206.78.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3782D43E65 for ; Mon, 12 Aug 2002 15:48:57 -0700 (PDT) (envelope-from julian@vicor.com)
Received: from vicor.com (julian.vicor-nb.com [208.206.78.97]) by mail.vicor-nb.com (Postfix) with ESMTP id E33075922B for ; Mon, 12 Aug 2002 15:48:56 -0700 (PDT)
Message-ID: <3D583B58.3A132F@vicor.com>
Date: Mon, 12 Aug 2002 15:48:56 -0700
From: Julian Elischer
Organization: VICOR
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.5-STABLE i386)
X-Accept-Language: en, hu
MIME-Version: 1.0
To: net@freebsd.org
Subject: Racoon question
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I have a (probably silly) question about racoon..

I have racoon working to some extent. I have it working in transport mode. However, I notice that if I have a problem on one system it sometimes needs to wait until the running SA has expired before things can be restarted. For example, if one system is rebooted, I need to reset the racoon on the other system and clear SAs etc. before things can resync.

It occurred to me that this may be because the racoons need to talk across the transport connection that is toasted, so it's a catch-22. I tried setting up port 500 as an exception using 'none' in /etc/ipsec.conf, but that seems to confuse things.. it seems unable to decide for any given connection whether to use the [500] or [any] sessions.
There is no documentation as to whether one can set up a generic SA between machines A and B and then have an exception for a particular port number and protocol. If I DO put the line

spdadd bla [500] bla [500] none;

into the file, things apparently get very confused.. If I don't, as I said, the racoons can not talk to each other until everything on both sides of the link has been reset.

Does anyone know whether racoon is supposed to be able to communicate across a broken transport connection? If not, then it seems to be rather useless..

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
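The layout the post describes, a generic transport-mode policy between A and B plus a 'none' exception for the ISAKMP port, written out as a complete setkey(8) fragment for /etc/ipsec.conf. This is an added example, not the poster's file or anything from the racoon or KAME projects. The addresses 192.0.2.1 (host A) and 192.0.2.2 (host B) are placeholders. Every spdadd line needs a direction (-P in or -P out) and an upper-layer protocol, so the exception is written as udp, port 500 to port 500, once per direction; the 'bla [500] bla [500] none;' form in the post has neither. Which entry wins when a packet matches both the specific and the catch-all policy depends on how the kernel walks the SPD; the exceptions are listed first here on the assumption that earlier entries are matched first, and that assumption should be checked against what `setkey -DP` shows on the running kernel.

```conf
# Added example (not from the original post): /etc/ipsec.conf for setkey(8),
# as loaded on host A. Host A = 192.0.2.1, host B = 192.0.2.2 (placeholders).

# Drop any SAs and policies left over from before the peer rebooted, so stale
# state cannot outlive the peer and block renegotiation.
flush;
spdflush;

# ISAKMP exception: racoon's UDP/500 traffic bypasses IPsec in both directions,
# so the two daemons can still reach each other when the current SAs are dead.
# Assumption: SPD entries are matched in the order they were added, so these
# are listed before the catch-all entries. Confirm with `setkey -DP`.
spdadd 192.0.2.1[500] 192.0.2.2[500] udp -P out none;
spdadd 192.0.2.2[500] 192.0.2.1[500] udp -P in none;

# Catch-all: everything else between A and B must use ESP in transport mode.
# The empty src-dst field in esp/transport//require is the transport-mode form.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in ipsec esp/transport//require;
```

Load it with `setkey -f /etc/ipsec.conf` and inspect the result with `setkey -DP`: the two udp/500 entries should show policy none and the two catch-alls esp/transport. Host B gets the same file with the in and out directions swapped.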