From owner-freebsd-current@FreeBSD.ORG Mon Feb 2 23:04:45 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD9AC16A4CE for ; Mon, 2 Feb 2004 23:04:45 -0800 (PST) Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net [204.127.202.55]) by mx1.FreeBSD.org (Postfix) with ESMTP id E473643D39 for ; Mon, 2 Feb 2004 23:04:43 -0800 (PST) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (c-24-6-186-224.client.comcast.net[24.6.186.224]) by comcast.net (sccrmhc11) with ESMTP id <2004020307044201100gemmee>; Tue, 3 Feb 2004 07:04:42 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.9p2/8.12.8) with ESMTP id i1374f43047220; Mon, 2 Feb 2004 23:04:41 -0800 (PST) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.9p2/8.12.9/Submit) id i1374aMH047219; Mon, 2 Feb 2004 23:04:36 -0800 (PST) (envelope-from cristjc@comcast.net) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Mon, 2 Feb 2004 23:04:36 -0800 From: "Crist J. Clark" To: Guido van Rooij Message-ID: <20040203070435.GB46486@blossom.cjclark.org> References: <1074650025.701.82.camel@itouch-1011.prv.au.itouchnet.net> <20040122110929.GA767@gvr.gvr.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040122110929.GA767@gvr.gvr.org> User-Agent: Mutt/1.4.1i X-URL: http://people.freebsd.org/~cjc/ cc: Andrew Thomson cc: current@freebsd.org Subject: Re: ipsec changes in 5.2R X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Crist J. Clark" List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Feb 2004 07:04:45 -0000 On Thu, Jan 22, 2004 at 12:09:29PM +0100, Guido van Rooij wrote: > On Wed, Jan 21, 2004 at 12:53:46PM +1100, Andrew Thomson wrote: > > I'm a little guilty as I upgraded my laptop from 5.0 to 5.2. So I'm > > guessing things have changed a bit. > > > > However I used to encrypt my wireless connection using IPSEC. Since the > > upgrade, things no longer work. > > > > My firewall is a 4.9p1 host which is at the other end of the IPSEC VPN > > and wireless link. > > > > I previously used the following ipsec.conf to get things going (these > > are from the firewall, obviously the reverse [out/in] is applied to my > > laptop). > > > > 192.168.14.2[any] 0.0.0.0/0[any] any > > in ipsec > > esp/tunnel/192.168.14.2-192.168.14.1/require > > spid=5 seq=1 pid=1409 > > refcnt=1 > > 0.0.0.0/0[any] 192.168.14.2[any] any > > out ipsec > > esp/tunnel/192.168.14.1-192.168.14.2/require > > spid=6 seq=0 pid=1409 > > refcnt=1 > > > > Now when I have those setkey entries enabled on my laptop, I can't even > > ping my own host (192.168.14.2). > > > > Both tcpdump and ipfw add 100 log ip from any to any shows nothing on my > > wireless link.. > > > > Not sure why this has now stopped working.. Any clues? > > I have seen the same. Somehow it looks like ISAKMP traffic, which used to > go around the ipsec policy, is now included. The only workaround I know > of is to replace "require" with "use". A little late on this, but FAST_IPSEC rather than KAME IPsec will fix the problem. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org