From owner-freebsd-net@FreeBSD.ORG Sat Dec 30 15:53:18 2006
Date: Sat, 30 Dec 2006 16:28:59 +0100
From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Subject: Re: ipsec-tools 0.6.6 problem
Message-ID: <20061230152859.GA1519@jayce.zen.inc>
In-Reply-To: <3713853f0612280851m243f9e75u918c0969b038a865@mail.gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Dec 28, 2006 at 05:51:42PM +0100, Robert Usle wrote:
> Hello list & Yvan.

Hi.

[...]

> listen
> {
>         #isakmp ::1 [7000];
>         isakmp 89.217.11.250 [500];
>         isakmp 10.0.5.1 [500];
>         #admin [7002];          # administrative port for racoonctl.
>         #strict_address;        # requires that all addresses must be bound.
> }

Those addresses don't match the ifconfig output you sent in your previous mail, is that normal ?

[....]
> remote anonymous {
>         exchange_mode aggressive,main,base;

This is a quite ugly config (I fear it comes from ipsec-tools examples....), but it is not related to your problem.

[....]

> 2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
> 2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
> 2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
> 2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
> 2006-12-28 17:30:49: DEBUG: sub:0xbfbff524: 0.0.0.0/0[0] 192.168.2.0/24[0] proto=any dir=out
> 2006-12-28 17:30:49: DEBUG: db :0x80a5408: 192.168.2.0/24[0] 0.0.0.0/0[0] proto=any dir=in

Could you also give us the output of "setkey -D -P" ?

> 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> 2006-12-28 17:30:49: DEBUG: msg 1 not interesting
> 2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
> 2006-12-28 17:30:50: DEBUG: msg 5 not interesting
> 2006-12-28 17:30:50: DEBUG: msg 1 not interesting
> 2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
> 2006-12-28 17:30:50: DEBUG: msg 1 not interesting
> and so on..... infinite loop with 'caught rtm;2, need update interface
> address list

Strange. The most common reason for an interface update is entering/leaving promiscuous mode, or changing IP configuration, but I guess you don't do that many times per second....

Just to be sure: do you have strange messages on console related to IP configuration ?

[...]

> There are 2 setkey commands now, (/usr/sbin/ & /usr/local/sbin)
> can I use both ?

For very basic usage, yes, but as you are using ipsec-tools' racoon, it is better to also use ipsec-tools' setkey, which is the /usr/local/sbin one.
> Also, sometimes I'm getting 'unsupported PF_KEY message REGISTER'
> after running setkey ?

Are you sure your kernel has been correctly compiled/installed ???

Yvan.

-- 
NETASQ
http://www.netasq.com
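The "caught rtm:2" flood discussed in this thread is easy to spot mechanically: the same routing-socket notice repeating several times within one clock second, while the timestamps barely advance. The checker below is an added example, not code from the mail or from ipsec-tools; it parses a constructed racoon debug excerpt modelled on the quoted lines and flags every (second, message) pair that repeats at or above a threshold.

```python
import re
from collections import Counter

# Constructed sample of racoon debug output, modelled on the lines quoted in
# the thread; the repetition is illustrative, not a real capture.
SAMPLE_LOG = """\
2006-12-28 17:30:49: INFO: 10.0.5.1[500] used as isakmp port (fd=5)
2006-12-28 17:30:49: INFO: 89.217.11.250[500] used as isakmp port (fd=6)
2006-12-28 17:30:49: DEBUG: get pfkey X_SPDDUMP message
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:49: DEBUG: msg 1 not interesting
2006-12-28 17:30:49: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 5 not interesting
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: msg 1 not interesting
2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
2006-12-28 17:30:50: DEBUG: caught rtm:2, need update interface address list
"""

# racoon log line: "<YYYY-MM-DD HH:MM:SS>: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (\w+): (.*)$")


def parse_racoon_log(text):
    """Yield (timestamp, level, message) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groups()


def find_repeating_messages(text, per_second_threshold=3):
    """Return {(timestamp, message): count} for messages seen at least
    per_second_threshold times inside a single clock second.  A daemon that
    re-logs the same routing-socket notice that often is rescanning its
    interface list in a tight loop rather than reacting to real changes."""
    counts = Counter((ts, msg) for ts, _level, msg in parse_racoon_log(text))
    return {key: n for key, n in counts.items() if n >= per_second_threshold}


if __name__ == "__main__":
    for (ts, msg), n in sorted(find_repeating_messages(SAMPLE_LOG).items()):
        print(f"{ts}  x{n}  {msg}")
```

On a real box, feed it racoon's output from `racoon -F -d` (or the syslog file it writes to) and raise the threshold to match how chatty your configuration normally is.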