From owner-freebsd-security Tue Apr 17 6:20:19 2001
To: lionnel.chaptal@IPricot.com
Cc: freebsd-security@freebsd.org
Subject: Re: IPSEC/Racoon/local adress when initiator
In-Reply-To: Your message of "Fri, 13 Apr 2001 12:09:11 +0200" <3AD6D047.91F3F843@IPricot.com>
References: <3AD6D047.91F3F843@IPricot.com>
Message-Id: <20010417222014P.sakane@ydc.co.jp>
Date: Tue, 17 Apr 2001 22:20:14 +0900
From: Shoichi Sakane

> FBSD(eth)--|--(eth)GW(eth)--(eth)Cisco(eth)--|
>            |                                |--(eth)host
> host(eth)---|
>
> On the FBSD side, there is only one NIC, so I have set up an alias
> address on the ethernet interface.

Why don't you buy another NIC for the FBSD box?

> So the FBSD eth iface has one address in the net-to-be-tunneled
> (192.168.0.1/24) and another for the tunnel-transported-lan (1.2.3.4 or
> whatever).
> The gateway for the FBSD (GW) has only one address in the same net as
> the net-to-be-tunneled (for instance 192.168.0.254). So racoon is
> binding on the eth iface with the address 192.168.0.1
> [sockmisc.c/getlocaladdr()]. The frames are being sent from 192.168.0.1
> whereas they should come from 1.2.3.4

When racoon is initiator, I think it is not racoon's problem.
It depends on IPv4 source address selection of the FreeBSD box.

Actually racoon can recognize alias addresses, and I believe racoon can
use this address as source address when racoon is responder.

So I want to show the whole log of racoon during the negotiation after
racoon started. Please send me directly the log.

/Shoichi Sakane @ KAME project/
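The reply above puts the blame on the kernel's IPv4 source address selection rather than on racoon. The following small probe, added here as an illustration and not code from the thread, from racoon or from the KAME project, shows that behaviour directly: it opens a UDP socket to the ISAKMP port of a given peer, lets the kernel pick the source address via connect() (which sends nothing on UDP), and reads the result back with getsockname(). Called a second time with an explicit bind() to the alias address, it shows that binding before sending is what forces the kernel to use the alias. The addresses in main() are defaults for running it on the loopback interface; on the affected box you would pass the gateway and alias addresses from the thread (192.168.0.254 and 1.2.3.4) on the command line. Function and variable names are my own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ask the kernel which local IPv4 address it would use as the source for UDP
 * traffic to `dst` (port 500, as an IKE daemon would). If `bind_addr` is not
 * NULL the socket is bound to that address first, which overrides the
 * kernel's own choice. Writes a dotted quad into `out` (at least
 * INET_ADDRSTRLEN bytes). Returns 0 on success, -1 on any failure. */
int probe_source_addr(const char *dst, const char *bind_addr,
                      char *out, size_t outlen)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;

    if (bind_addr != NULL) {
        struct sockaddr_in local;
        memset(&local, 0, sizeof local);
        local.sin_family = AF_INET;
        local.sin_port = 0;               /* any port; only the address matters */
        if (inet_pton(AF_INET, bind_addr, &local.sin_addr) != 1 ||
            bind(s, (struct sockaddr *)&local, sizeof local) < 0) {
            close(s);
            return -1;
        }
    }

    struct sockaddr_in remote;
    memset(&remote, 0, sizeof remote);
    remote.sin_family = AF_INET;
    remote.sin_port = htons(500);         /* ISAKMP */
    if (inet_pton(AF_INET, dst, &remote.sin_addr) != 1) {
        close(s);
        return -1;
    }

    /* connect() on a UDP socket transmits nothing; it only makes the kernel
     * do the route lookup and source address selection for this peer. */
    if (connect(s, (struct sockaddr *)&remote, sizeof remote) < 0) {
        close(s);
        return -1;
    }

    struct sockaddr_in chosen;
    socklen_t len = sizeof chosen;
    if (getsockname(s, (struct sockaddr *)&chosen, &len) < 0) {
        close(s);
        return -1;
    }
    close(s);

    return inet_ntop(AF_INET, &chosen.sin_addr, out, outlen) != NULL ? 0 : -1;
}

/* Usage: probe <peer-addr> [alias-addr]
 * With no arguments it probes the loopback address, which exists everywhere. */
int main(int argc, char **argv)
{
    const char *peer = argc > 1 ? argv[1] : "127.0.0.1";
    const char *alias = argc > 2 ? argv[2] : NULL;
    char buf[INET_ADDRSTRLEN];

    if (probe_source_addr(peer, NULL, buf, sizeof buf) == 0)
        printf("kernel-selected source for %s: %s\n", peer, buf);
    else
        perror("probe (unbound)");

    if (alias != NULL) {
        if (probe_source_addr(peer, alias, buf, sizeof buf) == 0)
            printf("source after bind() to %s: %s\n", alias, buf);
        else
            perror("probe (bound)");
    }
    return 0;
}
```

On the FBSD box from the thread the first line shows the address the kernel chose for the route to 192.168.0.254, which is the primary interface address 192.168.0.1, while the bound probe reports 1.2.3.4. That is the same distinction the reply draws: a daemon that does not bind to the alias gets whatever the kernel's source selection returns.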