Date:      Sat, 30 Dec 2006 16:28:59 +0100
From:      VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To:        freebsd-net@freebsd.org
Subject:   Re: ipsec-tools 0.6.6 problem
Message-ID:  <20061230152859.GA1519@jayce.zen.inc>
In-Reply-To: <3713853f0612280851m243f9e75u918c0969b038a865@mail.gmail.com>
References:  <3713853f0612280851m243f9e75u918c0969b038a865@mail.gmail.com>

On Thu, Dec 28, 2006 at 05:51:42PM +0100, Robert Usle wrote:
> Hello list & Yvan.

Hi.

[...]
> listen
> {
>        #isakmp ::1 [7000];
>        isakmp 89.217.11.250 [500];
>        isakmp 10.0.5.1 [500];
>        #admin [7002];          # administrative port for racoonctl.
>        #strict_address;        # requires that all addresses must be bound.
> }

Those addresses don't match the ifconfig output you sent in your
previous mail, is that normal ?


[....]
> remote anonymous {
>  exchange_mode aggressive,main,base;

This is a quite ugly config (I fear it comes from ipsec-tools
examples....), but it is not related to your problem.


[....]
> 2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
> 2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
> 2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
> 2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
> 2006-12-28 17:30:49: DEBUG: sub:0xbfbff524: 0.0.0.0/0[0]
> 192.168.2.0/24[0] proto=any dir=out
> 2006-12-28 17:30:49: DEBUG: db :0x80a5408: 192.168.2.0/24[0]
> 0.0.0.0/0[0] proto=any dir=in

Could you also give us the output of "setkey -D -P" ?


> 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> 2006-12-28 17:30:50: DEBUG: msg 5 not interesting
> 2006-12-28 17:30:50: DEBUG: msg 1 not interesting
> 2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
> 2006-12-28 17:30:50: DEBUG: msg 1 not interesting
> and so on..... infinite loop with 'caught rtm:2, need update interface
> address list'

Strange. The most common reason for an interface update is
entering/leaving promiscuous mode, or changing IP configuration, but I
guess you don't do that many times per second....

Just to be sure: do you have strange messages on console related to IP
configuration ?


[...]
> There are 2 setkey commands now, (/usr/sbin/ & /usr/local/sbin)
> can I use both ?

For very basic usage, yes, but as you are using ipsec-tool's racoon,
it is better to also use ipsec-tool's setkey, which is the
/usr/local/sbin one.


> Also, sometimes I'm getting 'unsupported PF_KEY message REGISTER'
> after running setkey

?

Are you sure your kernel has been correctly compiled/installed ???


Yvan.

-- 
NETASQ
http://www.netasq.com
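Two checks from this reply can be automated: whether the `isakmp` addresses in racoon's `listen` block are actually present on the host (the mismatch Yvan asks about), and how often racoon logs a "caught rtm:2, need update interface address list" refresh per second (the loop Robert reports). The following is an added example, not code from the thread or from ipsec-tools; the config fragment, the interface address set (`SAMPLE_IFCONFIG_ADDRS`) and the log excerpt are constructed inputs modelled on the quoted text, and the per-second threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed racoon.conf fragment modelled on the listen block quoted in the thread.
SAMPLE_CONF = """\
listen
{
        #isakmp ::1 [7000];
        isakmp 89.217.11.250 [500];
        isakmp 10.0.5.1 [500];
        #admin [7002];          # administrative port for racoonctl.
        #strict_address;        # requires that all addresses must be bound.
}
"""

# Constructed (hypothetical) set of addresses as ifconfig would report them.
SAMPLE_IFCONFIG_ADDRS = {"10.0.5.1", "192.168.2.1"}

# Constructed log excerpt modelled on the racoon debug output quoted in the thread.
SAMPLE_LOG = """\
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 5 not interesting
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
"""

# listen { ... } block; the body is everything up to the first closing brace.
LISTEN_RE = re.compile(r"listen\s*\{(.*?)\}", re.S)
# Active "isakmp <addr> [<port>];" lines (comments are stripped before matching).
ISAKMP_RE = re.compile(r"^\s*isakmp\s+(\S+)\s*\[(\d+)\]\s*;", re.M)
# Timestamp and rtm type of the interface-refresh debug line.
RTM_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): DEBUG: caught rtm:(\d+), "
    r"need update interface address list$"
)


def listen_addresses(conf_text):
    """Return (address, port) pairs from the uncommented isakmp lines of the listen block."""
    m = LISTEN_RE.search(conf_text)
    if not m:
        return []
    # Drop '#' comments so commented-out isakmp lines are not treated as active.
    body = "\n".join(line.split("#", 1)[0] for line in m.group(1).splitlines())
    return [(addr, int(port)) for addr, port in ISAKMP_RE.findall(body)]


def unbound_listen_addresses(conf_text, interface_addrs):
    """Addresses racoon is told to bind that are not configured on any interface."""
    return sorted(addr for addr, _ in listen_addresses(conf_text)
                  if addr not in interface_addrs)


def rtm_update_rate(log_text):
    """Count interface-refresh debug lines per timestamp second."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RTM_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def rtm_update_storm(log_text, per_second_threshold=2):
    """Seconds in which refreshes reached the threshold (a sign of the loop, not a normal rate)."""
    return sorted(ts for ts, n in rtm_update_rate(log_text).items()
                  if n >= per_second_threshold)


if __name__ == "__main__":
    print("listen addresses:", listen_addresses(SAMPLE_CONF))
    print("not on any interface:", unbound_listen_addresses(SAMPLE_CONF, SAMPLE_IFCONFIG_ADDRS))
    print("rtm refreshes per second:", rtm_update_rate(SAMPLE_LOG))
    print("storm seconds:", rtm_update_storm(SAMPLE_LOG))
```

On a real host the interface address set would be built from `ifconfig` output rather than a constant, and the log text read from racoon's debug output; the regular expressions only assume the line formats visible in the quoted log.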


