Date: Mon, 23 Aug 2010 02:37:16 +0530
From: ashish@FreeBSD.org (Ashish SHUKLA)
To: freebsd-net@FreeBSD.org
Subject: IPsec support in FreeBSD
Message-ID: <86vd72nypn.fsf@chateau.d.if>
Hi,

I'm running 8.1-RELEASE on amd64. I'm connecting to an IPsec VPN (IPv4, dynamic keying using racoon) from behind a NAT and I'm having strange issues working with it. IPsec negotiation succeeds, but there are problems with sending traffic over the tunnel. To actually be able to send a packet across the tunnel, I have to run a tcpdump on the ethernet interface; only then do I start getting replies for my packets, and the SA gets established on the server (as per the racoon log maintained by the server). This is weird, but it is the only workaround for me to start communicating over my tunnel.

I'm running a custom kernel[1]. Following are the values of the sysctl knobs with 'ipsec' in their OID, in case my :

#v+
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 1
net.inet.ipsec.filtertunnel: 0
net.inet.ipsec.crypto_support: 50331648
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 1
net.inet6.ipsec6.filtertunnel: 0
#v-

I was using pf as the firewall, but I disabled it using `pfctl -d` to avoid any possibility of issues due to the firewall. I'm wondering if this is related to kern/122562[2].

Also, after connecting/disconnecting the tunnel n times, I noticed my IPv4 address is gone from the interfaces, and some messages appeared in my dmesg[3] along with beep sounds. This happened yesterday also. To work around this I had to re-assign the IPv4 address to the interface.
References:
[1] http://people.freebsd.org/~ashish/ipsec/CHATEAU
[2] http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/122562
[3] http://people.freebsd.org/~ashish/ipsec/messages.kern

Thanks in advance
-- 
Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
freebsd.org!ashish | http://people.freebsd.org/~ashish/
“The best way to predict the future is to implement it.” (David Heinemeier Hansson)
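As an added diagnostic helper (not part of the original post or of FreeBSD's own tools), the following Python parses saved `ifconfig` and `setkey -D` output and reports the three things the report above turns on: whether the interface is in promiscuous mode (tcpdump running), whether it still holds an IPv4 address, and whether the SAs with the gateway are mature in both directions. The line layouts assumed for both commands and the sample text are constructed; the interface name, addresses and SPIs are placeholders.

```python
import re

# Constructed sample of `ifconfig em0`; addresses are RFC 1918/5737 examples.
IFCONFIG_OUT = """\
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
"""

# Constructed sample of `setkey -D` (the SAD). The layout is an assumption
# based on setkey(8): a "<src> <dst>" header line, then tab-indented
# attribute lines. Here the SA toward the gateway is mature, the reverse is not.
SETKEY_OUT = """\
192.168.1.10 203.0.113.5
\tesp-udp mode=tunnel spi=123456789(0x075bcd15) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.5 192.168.1.10
\tesp-udp mode=tunnel spi=987654321(0x3ade68b1) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=larval
"""

def parse_sad(text):
    """Return [(src, dst, state), ...] for every SA in setkey -D output."""
    entries, src, dst = [], None, None
    for line in text.splitlines():
        if not line.startswith("\t"):           # header line: "<src> <dst>"
            parts = line.split()
            if len(parts) >= 2:
                src, dst = parts[0], parts[1]
            continue
        m = re.search(r"\bstate=(\w+)", line)   # attribute line carrying state
        if m and src:
            entries.append((src, dst, m.group(1)))
    return entries

def iface_status(text):
    """PROMISC flag and IPv4 addresses from one ifconfig block."""
    m = re.search(r"flags=\w+<([^>]*)>", text)
    flags = set(m.group(1).split(",")) if m else set()
    inet4 = re.findall(r"^\s*inet (\d+\.\d+\.\d+\.\d+)", text, re.M)
    return {"promisc": "PROMISC" in flags, "inet4": inet4}

def diagnose(ifconfig_text, setkey_text, peer):
    """Combine both views; a usable tunnel needs mature SAs both ways."""
    st = iface_status(ifconfig_text)
    sas = [e for e in parse_sad(setkey_text) if peer in (e[0], e[1])]
    st["mature_sas"] = sum(1 for e in sas if e[2] == "mature")
    st["pending_sas"] = len(sas) - st["mature_sas"]
    st["tunnel_usable"] = st["mature_sas"] >= 2 and bool(st["inet4"])
    return st
```

A `promisc` of True means the snapshot was taken with tcpdump attached, i.e. in the workaround state rather than the baseline; the symptom in the post is `mature_sas` rising only while that flag is set.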