From: "Crist J. Clark"
To: current@freebsd.org
Date: Thu, 18 Dec 2003 22:49:32 -0800
Subject: Possible IPsec Trouble in 5.2RC?
Message-ID: <20031219064932.GA94971@blossom.cjclark.org>
X-URL: http://people.freebsd.org/~cjc/
List-Id: Discussions about the use of FreeBSD-current

I just upgraded a ThinkPad 600E from RELENG_5_1 to RELENG_5_2.
I seem to be having trouble with my IKE daemon, racoon(8), but I don't think the problem is with racoon(8); it may be the FreeBSD KAME IPsec implementation. I had had IPsec, with racoon(8) as the IKE daemon, running great under 5.1. When I upgraded to 5.2RC, it no longer functioned. I thought it may be a compatibility issue, so to eliminate the possibility, I deinstalled, rebuilt on the 5.2RC system, and reinstalled (just used 'portupgrade -f'). That did not help.

IPsec does work, however. When I manually load up the SAD with setkey(8), the ESP tunnel comes up and everything is fine.

I think the problem is that the IKE traffic, 500/udp, is not bypassing the IPsec processing like it should. For example, I try to ping a host for which the SPD requires an ESP tunnel. Racoon(8)'s log reports that we are trying to start Phase 1 ISAKMP. However, if I snoop the wire, no packets are leaving the machine, nor do any counters in the ipfw(8) output increment as they should for 500/udp traffic. But the way the 'netstat -s -p ipsec' line, 'outbound packets with no SA available,' increments is consistent with the packets getting dropped there. (I should note that the traffic to the other end of the IPsec tunnel would also go through the tunnel according to the SPD.)

Anyone else seeing this?
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
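As an added illustration of the failure mode described above (this is not the poster's configuration, nor any fix from FreeBSD or KAME): when the SPD requires a tunnel for all traffic to the peer, the IKE exchange that would create that tunnel's SAs is itself subject to the policy, so with no SA present the ISAKMP packets are dropped and show up only in the "outbound packets with no SA available" counter. One way a practitioner can rule out an SPD-ordering problem, or work around it while a kernel bug is being chased, is to state the IKE bypass explicitly in the setkey(8) policy file rather than relying on the kernel's implicit exemption. The addresses, networks and file name below are assumptions chosen for the example.

```conf
# /etc/ipsec.conf (assumed path), loaded with: setkey -f /etc/ipsec.conf
# Assumed addressing: this host 192.0.2.10, IKE/tunnel peer 198.51.100.20,
# local protected net 10.1.0.0/24, remote protected net 10.2.0.0/24.

flush;
spdflush;

# Explicit bypass for IKE (ISAKMP, 500/udp) in both directions, so the
# negotiation that creates the SAs is never blocked by the tunnel policy.
spdadd 192.0.2.10[500] 198.51.100.20[500] udp -P out none;
spdadd 198.51.100.20[500] 192.0.2.10[500] udp -P in  none;

# Protected traffic between the two networks must use an ESP tunnel
# between the gateways; "require" means drop it if no SA exists.
spdadd 10.1.0.0/24 10.2.0.0/24 any
    -P out ipsec esp/tunnel/192.0.2.10-198.51.100.20/require;
spdadd 10.2.0.0/24 10.1.0.0/24 any
    -P in  ipsec esp/tunnel/198.51.100.20-192.0.2.10/require;
```

After loading the file, compare `setkey -DP` against what racoon(8) logs when a Phase 1 exchange starts, and watch whether the 'outbound packets with no SA available' counter from `netstat -s -p ipsec` still increments while the peer-bound 500/udp packets are missing from the wire; if the counter now stays flat and ISAKMP packets appear, the SPD rather than the daemon was blocking the exchange.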