From owner-freebsd-net Tue Aug 13 6:57:46 2002
Delivered-To: freebsd-net@freebsd.org
Message-ID: <3A6D367EA1EFD4118C9B00A0C9DD99D7E4EC98@rerun.avayactc.com>
From: "Cambria, Mike" <mcambria@avaya.com>
To: 'Julian Elischer', "Crist J. Clark"
Cc: "'freebsd-net@freebsd.org'"
Subject: RE: Racoon question
Date: Tue, 13 Aug 2002 09:57:29 -0400
Sender: owner-freebsd-net@FreeBSD.ORG

> On Mon, 12 Aug 2002, Crist J. Clark wrote:
>
> > On Mon, Aug 12, 2002 at 03:48:56PM -0700, Julian Elischer wrote:
> >
> > Yeah, known issue which comes up from time to time. It is a common
> > headache in IPsec. 'Coulda sworn there was a sysctl(8) to change this
> > behavior, but I can't find it. Nor can I Google anything except other
> > {Free,Net,Open}BSD and Linux people complaining about the
> > problem. This IETF draft explains some of the issues,
> >
> > http://search.ietf.org/internet-drafts/draft-spencer-ipsec-ike-implementation-02.txt
> >
> > Maybe you can find some of the solutions that have been offered. It's
> > been discussed on various lists (-net, -security, and -questions) many
> > times.
> >
> > But just so you know,
> >
> > > It occurred to me that this may be because the racoons need to talk
> > > across the transport connection that is toasted so it's a catch-22.
> > >
> > > I tried setting up port 500 as an exception using 'none'
> > > in /etc/ipsec.conf but that seems to confuse things.. it seems unable to
> > > decide for any given connection whether to use the [500] or [any]
> > > sessions.
> >
> > This actually is not the problem. IKE/IPsec implementations have to be
> > smart enough to handle the negotiations "OOB."
>
> So how does racoon talk "OOB"? Does it add its own SA? How does it stop
> its own packets from being thrown away at the far end when they are not
> encrypted correctly for the transport layer IPsec?

The IKE connection between 2 endpoints (port 500 on both ends usually) does
_not_ get protected by a SA. So there should not be any racoon.conf nor
IPsec configuration for these ports. Regardless of tunnel mode or transport
mode, implementations need to "poke a hole" in the SPD so to speak to allow
for this (and possibly other, like DNS) traffic.

Just in case you still need it, here is syntax that works for me for
racoon.conf and setkey to setup specific ports/protocols.

racoon:

sainfo address 100.1.1.0/24 [23] tcp address 100.1.2.0/24 [any] tcp
{
    # sainfo body (algorithms, lifetime, etc.) omitted in the original message
}

setkey:

spdadd 10.1.1.0/24[23] 10.1.2.0/24[any] tcp -P in
    ipsec esp/tunnel/10.1.1.1-10.1.2.1/require ;

MikeC
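The following is an added illustration, not part of the thread or of racoon/setkey themselves: a small SPD selector model that parses setkey-style spdadd lines and shows why the port-specific policy above leaves the IKE exchange (udp/500 between the gateways) unmatched, whereas a broad catch-all policy would demand ESP for the cleartext IKE packets and so discard them at the far end. The SPD entries and packets are constructed samples, and the first-match lookup is a simplification of the kernel's SPD semantics.

```python
import ipaddress

# Constructed SPD entries (not from the original thread): the narrow, port-specific
# policy quoted in the message above, and a broad catch-all for comparison.
NARROW_SPD = [
    "spdadd 10.1.1.0/24[23] 10.1.2.0/24[any] tcp -P in ipsec esp/tunnel/10.1.1.1-10.1.2.1/require ;",
]
BROAD_SPD = [
    "spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec esp/tunnel/10.1.1.1-10.1.2.1/require ;",
]

def parse_range(spec):
    """Parse a setkey(8) address range 'addr[/prefix][[port]]'; None means any port."""
    port = None
    if spec.endswith("]"):
        spec, port = spec[:-1].split("[")
        port = None if port == "any" else int(port)
    return ipaddress.ip_network(spec, strict=False), port

def parse_spdadd(line):
    """Parse 'spdadd src dst upper -P dir action ... ;' into a selector plus action."""
    t = line.strip().rstrip(";").split()
    if t[0] != "spdadd" or t[4] != "-P":
        raise ValueError("not a spdadd line: " + line)
    src, sport = parse_range(t[1])
    dst, dport = parse_range(t[2])
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "upper": t[3], "dir": t[5], "action": t[6]}

def selects(pol, direction, proto, src, sport, dst, dport):
    """True if the policy selector covers this packet (direction, upper proto, addresses, ports)."""
    return (pol["dir"] == direction
            and pol["upper"] in ("any", proto)
            and ipaddress.ip_address(src) in pol["src"]
            and ipaddress.ip_address(dst) in pol["dst"]
            and pol["sport"] in (None, sport)
            and pol["dport"] in (None, dport))

def lookup(spd_lines, direction, proto, src, sport, dst, dport):
    """Action of the first matching SPD entry; 'none' (bypass) when nothing matches."""
    for pol in map(parse_spdadd, spd_lines):
        if selects(pol, direction, proto, src, sport, dst, dport):
            return pol["action"]
    return "none"

if __name__ == "__main__":
    # Cleartext IKE arriving at gateway 10.1.2.1 from 10.1.1.1 (udp/500 on both ends).
    print("IKE, narrow SPD:", lookup(NARROW_SPD, "in", "udp", "10.1.1.1", 500, "10.1.2.1", 500))
    print("IKE, broad SPD: ", lookup(BROAD_SPD, "in", "udp", "10.1.1.1", 500, "10.1.2.1", 500))
```

With the narrow policy the IKE packets fall through to "none" and reach racoon in the clear, while the broad policy returns "ipsec" for them, which is the catch-22 Julian described.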