From owner-freebsd-net@FreeBSD.ORG Tue Mar 30 15:47:02 2004
Date: Tue, 30 Mar 2004 15:46:48 -0800
From: "Crist J. Clark" <cristjc@comcast.net>
To: "Bjoern A. Zeeb"
cc: freebsd-net@freebsd.org
Subject: Re: IPSec troubles
Message-ID: <20040330234648.GA45024@blossom.cjclark.org>
References: <257C203C-8104-11D8-9902-00039303AB38@mac.com> <20040329214057.GA8711@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
List-Id: Networking and TCP/IP with FreeBSD
X-URL: http://people.freebsd.org/~cjc/

On Tue, Mar 30, 2004 at 11:22:08AM +0000, Bjoern A. Zeeb wrote:
> On Mon, 29 Mar 2004, Crist J. Clark wrote:
>
> > > I have troubles setting up an IPSec Host-to-Host connection between
> > > FreeBSD 5.2.1 and MacOS X 10.3.3:
> >
> > Last I knew, 5.2.1 still had broken IPsec. Specifically, the system
> > tries to apply the IPsec policy to the IKE traffic giving us a chicken
> > and egg problem.
>
> you can "exclude" IKE traffic in the SPD manually. I am still unsure
> if this IS a bug. Would need to go through RFCs in detail.

[snip RFC2401 quotes]

I don't think we do. I misspoke... er, typed. IPsec _policy_ must be
applied to every packet (or socket). However, IKE traffic should skip
IPsec _processing,_ i.e. the IPsec policy should dictate the IKE
traffic skip IPsec processing.

> So if I get the problem right racoon is unable to tell the kernel
> that its traffic should 'bypass' IPSec processing ?

Yes. Racoon can _no longer_ tell the kernel to bypass using KAME
IPsec. This used to work. A working racoon binary stopped working as
of a kernel upgrade between 5. and 5.. Racoon will still work fine
with FAST_IPSEC.

Racoon tells the kernel that the IKE socket should be 'bypassed' in
IPsec processing in the racoon/sockmisc.c:setsockopt_bypass function.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
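The manual SPD workaround Bjoern mentions (excluding IKE in the SPD so the policy is still applied to every packet but IKE skips IPsec processing), written out as an added setkey(8) example that is not part of the mail thread. The addresses are placeholders: 192.0.2.1 stands for the local FreeBSD host and 198.51.100.1 for the Mac OS X peer.

```conf
# Input for "setkey -f" (constructed example, not from the thread).
# Placeholders: 192.0.2.1 = local FreeBSD 5.2.1 host,
#               198.51.100.1 = remote Mac OS X 10.3.3 peer.
flush;
spdflush;

# IKE (UDP/500) between the two peers: policy "none" means the packet
# still matches an SPD entry (policy is applied) but is not subjected to
# IPsec processing, so racoon's negotiation is not caught in the
# chicken-and-egg problem described in the mail.
spdadd 192.0.2.1[500] 198.51.100.1[500] udp -P out none;
spdadd 198.51.100.1[500] 192.0.2.1[500] udp -P in none;

# Everything else between the two hosts must be ESP-protected in
# transport mode, as for a host-to-host setup.
spdadd 192.0.2.1 198.51.100.1 any -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 any -P in ipsec esp/transport//require;
```

Load it with `setkey -f <file>` and confirm the resulting policy table with `setkey -DP`; the two `none` entries must show up alongside the `require` entries before racoon is started.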