From: ashish@FreeBSD.org (Ashish SHUKLA)
To: freebsd-net@FreeBSD.org
Date: Mon, 23 Aug 2010 02:37:16 +0530
Message-ID: <86vd72nypn.fsf@chateau.d.if>
Subject: IPsec support in FreeBSD

Hi,

I'm running 8.1-RELEASE on amd64.

I'm connecting to an IPsec VPN (IPv4, dynamic keying using racoon) from behind a NAT and I'm having strange issues working with it. IPsec negotiation succeeds but there are problems with sending traffic over the tunnel. To actually be able to send a packet across the tunnel, I have to run a tcpdump on the ethernet interface; only then do I start getting replies for my packets, and the SA gets established on the server (as per the racoon log maintained by the server). This is weird, but this is the only workaround for me to start communicating over my tunnel.

I'm running a custom kernel[1]. Following are the values of sysctl knobs with 'ipsec' in their OID, in case my :

#v+
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 1
net.inet.ipsec.filtertunnel: 0
net.inet.ipsec.crypto_support: 50331648
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 1
net.inet6.ipsec6.filtertunnel: 0
#v-

I was using pf as the firewall, but I disabled it using `pfctl -d` to avoid any possibility of issues due to the firewall. I'm wondering if this is related to kern/122562[2].

Also, after connecting/disconnecting the tunnel n times, I noticed my IPv4 address is gone from the interfaces, and some messages appeared in my dmesg[3] with beep sounds generated. This happened yesterday also. To work around this I had to re-assign the IPv4 address to the interface.

References:
[1] http://people.freebsd.org/~ashish/ipsec/CHATEAU
[2] http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/122562
[3] http://people.freebsd.org/~ashish/ipsec/messages.kern

Thanks in advance
-- 
Ashish SHUKLA      | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
freebsd.org!ashish | http://people.freebsd.org/~ashish/

“The best way to predict the future is to implement it.” (David Heinemeier Hansson)