From: Tobias Roth
To: freebsd-current@freebsd.org
Date: Sat, 21 Feb 2004 19:38:03 +0100
Message-ID: <20040221183803.GA5719@speedy.unibe.ch>
Subject: More on broken IPSEC

On Mon, Feb 16, 2004 at 01:52:32PM +0100, Guido van Rooij wrote:
> On Sun, Feb 15, 2004 at 01:37:00AM +0000, Bruce M Simpson wrote:
> > On Sun, Feb 15, 2004 at 12:54:26AM +0100, Tobias Roth wrote:
> > > yes, setkey -D never outputs anything, no SAs get created at all.
> >
> > This would tend to suggest either IPSEC support is missing from the kernel,
> > or there has been a problem when racoon is issuing PF_KEY socket writes.
> >
> > Can you recompile with IPSEC_DEBUG enabled and try to replicate the problem?
>
> IIRC IPSEC currently has the problem that if you happen to use require
> in your policies, even the ISAKMP packets do not get out.
>
> I switched to FAST_IPSEC, which doesn't have this problem.
> You can of course also use "use" instead of "require".

i did some more tests and have now verified that IPSEC plus "require" does not work, no packets get sent over the wire. the same setup works like a charm when i change "require" to "use". this is with 5.2.1-RC2 on both machines.
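
Added example, not part of the original message or of FreeBSD: a small Python checker that lists the `spdadd` policies in a setkey(8) policy file that use the `require` level, and whether their selector also matches ISAKMP (UDP port 500), the combination this thread reports as blocking negotiation with the IPSEC kernel option. The sample policy file, its addresses and the function name are constructed for illustration.

```python
import re

# Constructed sample setkey(8) policy file; addresses are documentation ranges.
SAMPLE_CONF = """\
flush;
spdflush;
# transport-mode ESP between two hosts, every protocol
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in ipsec esp/transport//require;
# same kind of policy, but with the "use" level
spdadd 192.0.2.1 192.0.2.3 any -P out ipsec esp/transport//use;
# TCP only, so IKE (UDP port 500) is not matched by this one
spdadd 192.0.2.1 192.0.2.4 tcp -P out ipsec
    esp/transport//require;
"""

SPDADD = re.compile(
    r"^\s*spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(.+)$",
    re.S)

def require_policies(conf):
    """Return (src, dst, upperspec, direction, covers_ike) for each spdadd
    statement that has at least one protocol/mode/src-dst/level request
    at level "require"."""
    # Drop comments, then split into ';'-terminated statements.
    text = re.sub(r"#[^\n]*", "", conf)
    hits = []
    for stmt in text.split(";"):
        m = SPDADD.match(stmt)
        if not m:
            continue
        src, dst, upper, direction, requests = m.groups()
        levels = [r.split("/")[-1] for r in requests.split()]
        if "require" not in levels:
            continue
        # A selector of "any" or "udp" also matches ISAKMP on UDP/500
        # unless a port other than 500 is pinned on an address.
        ports = re.findall(r"\[(\w+)\]", src + dst)
        covers_ike = upper in ("any", "udp") and all(
            p in ("500", "any") for p in ports)
        hits.append((src, dst, upper, direction, covers_ike))
    return hits

if __name__ == "__main__":
    for hit in require_policies(SAMPLE_CONF):
        print(hit)
```

When weighing the "use" workaround, note that setkey(8) defines `use` as applying an SA only if one is available and otherwise sending the traffic normally, so a policy changed from `require` to `use` no longer guarantees protection.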