From owner-freebsd-current@FreeBSD.ORG Fri Dec 19 01:23:23 2003
Date: Fri, 19 Dec 2003 20:23:17 +1100
From: Rudolph Pereira
To: "Crist J. Clark"
cc: current@freebsd.org
Subject: Re: Possible IPsec Trouble in 5.2RC?
Message-ID: <20031219092317.GA669@starfleet.org.au>
In-Reply-To: <20031219064932.GA94971@blossom.cjclark.org>
References: <20031219064932.GA94971@blossom.cjclark.org>
User-Agent: Mutt/1.4.1i
List-Id: Discussions about the use of FreeBSD-current

On Thu, Dec 18, 2003 at 10:49:32PM -0800, Crist J. Clark wrote:
> I just upgraded a ThinkPad 600E from RELENG_5_1 to RELENG_5_2.
> I seem to be having trouble with my IKE daemon, racoon(8), but I don't
> think the problem is with racoon(8); it may be the FreeBSD KAME IPsec
> implementation.
>
> I think the problem is that the IKE traffic, 500/udp, is not bypassing
> the IPsec processing like it should. For example, I try to ping a host
> for which the SPD requires an ESP tunnel. Racoon(8)'s log reports that
> we are trying to start Phase 1 ISAKMP. However, if I snoop the wire, no
> packets are leaving the machine, nor do any counters in the ipfw(8)
> output increment as they should for 500/udp traffic. But the way the
> 'netstat -s -p ipsec' line, 'outbound packets with no SA available,'
> increments is consistent with the packets getting dropped there. (I
> should note that the traffic to the other end of the IPsec tunnel would
> also go through the tunnel according to the SPD.)
>
> Anyone else seeing this?

I am seeing exactly the same thing trying to set up IPsec between two
recent -current boxes, and have been for quite some time. I've come to
the same conclusion as you. The only difference in my setup is that I've
got no firewalling at all.

Some other interesting facts, probably supporting the above:

- if I set the ipsec level to "use" rather than "require", things work
  fine (but some traffic goes over unencrypted, as expected)
- the same rules/configuration works when both machines are running
  Debian Linux (there is a kame/racoon backport in their kernel)
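The failure mode both posters describe is a chicken-and-egg problem: the SPD says every packet to the peer must be protected by an ESP SA, no SA exists yet, and the only packet that could create one (the first ISAKMP message on 500/udp) is itself caught by that policy and counted under 'outbound packets with no SA available'. Racoon normally avoids this by requesting a per-socket bypass policy on its own IKE socket; the thread is about that bypass apparently not taking effect. The setkey(8) SPD below is an added example, not configuration from either poster, showing how to make the bypass explicit in the SPD instead. The addresses 192.0.2.1 and 192.0.2.2 are assumed placeholders for the two gateways. The 500/udp entries are added first because the KAME stack of that era appends new policies to the tail of the SPD and returns the first match, so the more specific bypass entries must precede the catch-all tunnel entry.

```conf
# Added example (not from the thread). Assumed: this host is 192.0.2.1,
# the peer is 192.0.2.2, and all traffic between the two is to be tunnelled.
spdflush;

# IKE itself (500/udp) must never be subject to the tunnel policy,
# otherwise the first Phase 1 packet is dropped waiting for an SA that
# only that packet can negotiate. These must come before the catch-all.
spdadd 192.0.2.1[500] 192.0.2.2[500] udp -P out none;
spdadd 192.0.2.2[500] 192.0.2.1[500] udp -P in  none;

# Everything else between the two hosts requires the ESP tunnel.
# "require" is what the posters want; "use" is the weaker setting they
# report as working, at the cost of letting unprotected traffic through
# whenever no SA is present.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/tunnel/192.0.2.2-192.0.2.1/require;
```

Load it with `setkey -f <file>` and confirm the order with `setkey -DP`. To check whether the bypass is honoured, note the 'outbound packets with no SA available' line of `netstat -s -p ipsec`, ping the peer, and run `tcpdump -ni <if> udp port 500` on the wire: if the counter still climbs while no 500/udp leaves the box, the packets are being dropped at the SPD check rather than by racoon, which is the symptom described above.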