From owner-freebsd-hackers Thu May 11 0:33:43 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 155E837B738 for ; Thu, 11 May 2000 00:33:42 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id AAA62618; Thu, 11 May 2000 00:33:37 -0700 (PDT) (envelope-from dillon)
Date: Thu, 11 May 2000 00:33:37 -0700 (PDT)
From: Matthew Dillon
Message-Id: <200005110733.AAA62618@apollo.backplane.com>
To: Ville-Pertti Keinonen
Cc: hackers@FreeBSD.ORG
Subject: Re: ipsec 'replay' syslog error messages after reboot of one host
References: <200005110127.SAA61600@apollo.backplane.com> <863dnplfpw.fsf@not.demophon.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:
:dillon@apollo.backplane.com (Matthew Dillon) writes:
:
:> The question is: What am I forgetting to do? Or is this a bug in our
:> IPSEC implementation?
:
:AFAIK this is more or less how it's supposed to work. IPsec is a
:mess. Security associations are not stateless, ESP provides replay
:protection using a sequence number. Replay-prevention is, however,
:optional, and the setkey manual page claims it to be off by default,
:so it could be a bug...you might want to try specifying -r 0
:explicitly.

IPSec isn't well documented, but once I figured out the config file it didn't seem too bad. I am guessing that replay prevention is turned on by default, but specifying '-f cyclic-seq' in the setkey config file at the appropriate place appears to solve the problem. I haven't tried testing with packet loss to see if it can survive a noisy network.

I had to fix up /etc/rc.network a little to load the ipsec rules at the appropriate point (just after the interface and ipfw setup, but before any services (like NFS) are run).
I am going to put the (relatively simple) patch for rc.network up for a quick review and then commit it along with an example file and a reference to the example file in the man page.

-Matt
Matthew Dillon
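As an added illustration that is not part of the thread or of Matt's rc.network patch, the following setkey(8) configuration file shows where the replay-related extensions he and Keinonen mention go on a manual `add` line. The addresses (192.0.2.x), SPIs and hex keys are constructed placeholders; the `-r size` extension sets the anti-replay window (0 or absent means no replay check), and `-f cyclic-seq` lets the ESP sequence number wrap instead of the SA being expired when the counter overflows.

```conf
# Constructed example for `setkey -f /etc/ipsec.conf`; not from the thread.
# 192.0.2.1 / 192.0.2.2, the SPIs and the keys are placeholders only.
flush;
spdflush;

# Manual ESP SAs, one per direction.
#   -r 64           enable replay detection with a 64-packet window
#   -f cyclic-seq   allow the sequence number to wrap rather than expiring
#                   the SA (the setting the thread reports as working)
# Leaving -r out, or giving -r 0, disables the replay check for that SA.
add 192.0.2.1 192.0.2.2 esp 0x1001 -r 64 -f cyclic-seq
    -E 3des-cbc 0x0123456789abcdef0123456789abcdef0123456789abcdef
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;
add 192.0.2.2 192.0.2.1 esp 0x1002 -r 64 -f cyclic-seq
    -E 3des-cbc 0xfedcba9876543210fedcba9876543210fedcba9876543210
    -A hmac-sha1 0xfedcba9876543210fedcba9876543210fedcba98;

# Policy: require ESP transport mode for all traffic between the two hosts.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

With manually keyed SAs the sender's sequence counter restarts from zero after a reboot while the peer's replay window still expects the higher values it last saw, which is why packets are logged as replays until the SAs on both sides are reloaded. Allowing the counter to wrap with `-f cyclic-seq` keeps the SA usable, but RFC 2406 expects a fresh SA before the 32-bit sequence space is exhausted, since reuse of sequence numbers under the same key is exactly what the replay window is meant to rule out; where that matters, negotiating the SAs with an IKE daemon so that a reboot produces new keys is the more robust fix.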