From: Hajimu UMEMOTO
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org
Cc: Cyrill Rüttimann
Date: Tue, 30 Mar 2004 22:03:07 +0900
Subject: Re: IPSec troubles
References: <257C203C-8104-11D8-9902-00039303AB38@mac.com> <87BC9FE1-8241-11D8-9782-00039303AB38@mac.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

>>>>> On Tue, 30 Mar 2004 12:33:08 +0000 (UTC)
>>>>> "Bjoern A. Zeeb" said:

bzeeb> What I had to do had been "excluding IKE traffic" by doing s.th.
bzeeb> like this (router side config):
bzeeb>
bzeeb> spdadd ROUTER[500] NOTEBOOK[500] udp
bzeeb> -P out none ;
bzeeb> spdadd NOTEBOOK[500] ROUTER[500] udp
bzeeb> -P in none ;
bzeeb>
bzeeb> This for sure is not the most nifty way to do it, but it works.

The per-socket security policy is broken under 5.2.1-RELEASE, and it was fixed in 5-CURRENT. Racoon uses it to exclude IKE packets from being the target of IPsec. So, bzeeb's way should work as a workaround.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
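A fuller router-side setkey configuration, added here as an example and not taken from either poster: it places the IKE bypass entries next to the ESP policy that would otherwise also match racoon's own UDP/500 traffic. The addresses are constructed placeholders (192.0.2.1 for ROUTER, 198.51.100.2 for NOTEBOOK) and an ESP transport-mode policy between the two hosts is assumed.

```conf
# Added example, not from the thread. Router-side setkey configuration,
# loaded with: setkey -f <this file>
# Constructed addresses: ROUTER = 192.0.2.1, NOTEBOOK = 198.51.100.2.
flush;
spdflush;

# Bypass entries for IKE (UDP/500) in both directions. On KAME-derived
# stacks the SPD is searched in insertion order and the first match wins,
# so these narrow entries are added before the catch-all policy below.
# This is the exclusion racoon's per-socket policy normally provides
# on its own, which is what is broken in 5.2.1-RELEASE.
spdadd 192.0.2.1[500] 198.51.100.2[500] udp -P out none;
spdadd 198.51.100.2[500] 192.0.2.1[500] udp -P in none;

# The policy that would otherwise swallow IKE as well: require ESP in
# transport mode for all other traffic between the two hosts.
spdadd 192.0.2.1 198.51.100.2 any -P out ipsec esp/transport//require;
spdadd 198.51.100.2 192.0.2.1 any -P in ipsec esp/transport//require;

# Inspect the resulting SPD with: setkey -DP
```

Once the per-socket policy works again (5-CURRENT), the two bypass entries can be dropped and racoon will exclude its own IKE sockets without them.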