Date: Mon, 16 Feb 2004 09:29:25 -0600
From: Craig Boston <craig@xfoil.gank.org>
To: freebsd-current@freebsd.org
Cc: Tobias Roth <roth@iam.unibe.ch>
Subject: Re: state of ipsec
Message-ID: <200402160929.25625.craig@xfoil.gank.org>
In-Reply-To: <20040216125232.GA64059@gvr.gvr.org>
References: <20040214174144.GA13215@speedy.unibe.ch> <20040215013700.GC19592@saboteur.dek.spc.org> <20040216125232.GA64059@gvr.gvr.org>
On Monday 16 February 2004 6:52 am, Guido van Rooij wrote:
> IIRC IPSEC currently has the problem that if you happen to use require
> in your policies, even the ISAKMP packets do not get out.
>
> I switched to FAST_IPSEC, which doesn't have this problem.
> You can of course also use "use" instead of "require".

One workaround that solved it for me is to modify your IPSEC policy and
insert something like this at the top:

spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P out ipsec esp/transport//default;
spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P in ipsec esp/transport//default;

If that's at the top before anything else, it should override the policy for
ISAKMP packets and get things working again without having to fall back to
'use'. A similar entry should be possible for IPv6 as well if you need that.

On a somewhat related topic, has anyone encountered panics when the interface
that racoon is watching is destroyed (say, gif0)? This is on 5.2-RELEASE.
I'll try to get a dump if it happens again...

Craig