Date: Sat, 21 Feb 2004 19:38:03 +0100
From: Tobias Roth <roth@iam.unibe.ch>
To: freebsd-current@freebsd.org
Subject: More on broken IPSEC
Message-ID: <20040221183803.GA5719@speedy.unibe.ch>
In-Reply-To: <20040216125232.GA64059@gvr.gvr.org>
References: <20040214174144.GA13215@speedy.unibe.ch> <20040214211819.GE11710@saboteur.dek.spc.org> <20040214235426.GA13792@speedy.unibe.ch> <20040215013700.GC19592@saboteur.dek.spc.org> <20040216125232.GA64059@gvr.gvr.org>

On Mon, Feb 16, 2004 at 01:52:32PM +0100, Guido van Rooij wrote:
> On Sun, Feb 15, 2004 at 01:37:00AM +0000, Bruce M Simpson wrote:
> > On Sun, Feb 15, 2004 at 12:54:26AM +0100, Tobias Roth wrote:
> > > yes, setkey -D never outputs anything, no SAs get created at all.
> >
> > This would tend to suggest either IPSEC support is missing from the kernel,
> > or there has been a problem when racoon is issuing PF_KEY socket writes.
> >
> > Can you recompile with IPSEC_DEBUG enabled and try to replicate the problem?
>
> IIRC IPSEC currently has the problem that if you happen to use require
> in your policies, even the ISAKMP packets do not get out.
>
> I switched to FAST_IPSEC, which doesn't have this problem.
> You can of course also use "use" instead of "require".

i did some more tests and have now verified that IPSEC plus "require"
does not work, no packets get sent over the wire. the same setup works
like a charm when i change "require" to "use". this is with 5.2.1-RC2 on
both machines.
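
The two policy levels compared in this thread, written out as a setkey(8) policy file. This is an added example, not part of the original message or the posters' configuration; the addresses, the choice of ESP transport mode and the file name are assumptions.

```conf
# Constructed example. 192.0.2.1 (local) and 192.0.2.2 (peer) are
# documentation addresses; ESP in transport mode is assumed.
# Load with:  setkey -f /etc/ipsec.conf   (file name is an assumption)

flush;      # clear the SA database
spdflush;   # clear the security policy database

# Variant A: level "require".
# An SA is required for every packet matching the policy. This is the
# level reported in the thread as sending no packets at all with the
# IPSEC kernel option on 5.2.1-RC2.
#spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
#spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;

# Variant B: level "use".
# The kernel uses an SA if one is available; otherwise it keeps normal
# operation, so matching traffic leaves unprotected until racoon has
# negotiated an SA, and also if negotiation never succeeds.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//use;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//use;

# Checks after loading:
#   setkey -DP   lists the installed policies and their levels
#   setkey -D    lists the SAs; empty output means no SA exists, and
#                with "use" the traffic is then going out in the clear
```

Because "use" does not block traffic when no SA exists, a working connection alone does not show that packets are protected; the `setkey -D` output does.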
