Date: Tue, 30 Mar 2004 11:22:08 +0000 (UTC) From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: "Crist J. Clark" <cjc@freebsd.org> Cc: freebsd-net@freebsd.org Subject: Re: IPSec troubles Message-ID: <Pine.BSF.4.53.0403301115370.714@e0-0.zab2.int.zabbadoz.net> In-Reply-To: <20040329214057.GA8711@blossom.cjclark.org> References: <257C203C-8104-11D8-9902-00039303AB38@mac.com> <20040329214057.GA8711@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 29 Mar 2004, Crist J. Clark wrote: > > I have troubles setting up an IPSec Host-to-Host connection between > > FreeBSD 5.2.1 and MacOS X 10.3.3: > > Last I knew, 5.2.1 still had broken IPsec. Specifically, the system > tries to apply the IPsec policy to the IKE traffic giving us a chicken > and egg problem. you can "exclude" IKE traffic in the SPD manually. I am still unsure if this IS a bug. Would need to go through RFCs in detail. Just skipped through 2401 and what I have found is: In host systems, applications MAY be allowed to select what security processing is to be applied to the traffic they generate and consume. and The SPD is used to control the flow of ALL traffic through an IPsec system, including security and key management traffic (e.g., ISAKMP) from/to entities behind a security gateway. This means that ISAKMP traffic must be explicitly accounted for in the SPD, else it will be discarded. So if I get the problem right racoon is unable to tell the kernel that it's traffic should 'bypass' IPSec processing ? If this is the remaining problem apart from the yet known (where KAME people cannot find the time to review at the moment) I may look into this; have setup my wireless connection on a 5.2.1 notebook (being updated to HEAD soon) to use IPSec lately so I have a 'testbed' now. -- Greetings Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT 56 69 73 69 74 http://www.zabbadoz.net/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.53.0403301115370.714>