From: Craig Boston
To: freebsd-current@freebsd.org
Cc: Tobias Roth
Date: Mon, 16 Feb 2004 09:29:25 -0600
Subject: Re: state of ipsec
Message-Id: <200402160929.25625.craig@xfoil.gank.org>
In-Reply-To: <20040216125232.GA64059@gvr.gvr.org>

On Monday 16 February 2004 6:52 am, Guido van Rooij wrote:
> IIRC IPSEC currently has the problem that if you happen to use require
> in your policies, even the ISAKMP packets do not get out.
>
> I switched to FAST_IPSEC, which doesn't have this problem.
> You can of course also use "use" instead of "require".

One workaround that solved it for me is to modify your IPSEC policy and
insert something like this at the top:

    spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P out ipsec esp/transport//default;
    spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P in ipsec esp/transport//default;

If that's at the top before anything else, it should override the policy
for ISAKMP packets and get things working again without having to fall
back to 'use'. A similar entry should be possible for IPv6 as well if you
need that.

On a somewhat related topic, has anyone encountered panics when the
interface that racoon is watching is destroyed (say, gif0)? This is on
5.2-RELEASE. I'll try to get a dump if it happens again...

Craig
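The following is an added example, not part of Craig's post or of FreeBSD itself: a POSIX shell script that emits the ISAKMP (UDP 500) exemption lines from the post and checks a setkey(8) policy file to confirm that they appear before any policy using the "require" level, which is the ordering the post says matters. The IPv6 form (::/0[500]) is an assumption based on the post's remark that a similar entry should work for IPv6, and the site-to-site tunnel policy used as sample input is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or FreeBSD): build the
# ISAKMP exemption from the post and verify its position in an SPD file.

# Emit the port-500 exemption lines. With "inet6" as $1 the IPv6 form is
# added too; that form (::/0[500]) is an assumption, not from the post.
isakmp_exempt_lines() {
    fam=${1:-inet}
    printf '%s\n' \
        'spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P out ipsec esp/transport//default;' \
        'spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P in ipsec esp/transport//default;'
    if [ "$fam" = inet6 ]; then
        printf '%s\n' \
            'spdadd ::/0[500] ::/0[500] any -P out ipsec esp/transport//default;' \
            'spdadd ::/0[500] ::/0[500] any -P in ipsec esp/transport//default;'
    fi
}

# Read a setkey policy file on stdin. Exit 0 when every spdadd that ends
# in the "require" level comes after the first port-500 exemption, 1 when
# a require policy precedes it (the ordering problem the post describes).
check_exemption_first() {
    awk '
        $1 == "spdadd" && /\[500\]/ && !seen   { seen = NR }
        $1 == "spdadd" && /\/require;/ && !seen { bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample SPD (not from the post): exemption first, then a
# require-level tunnel policy between two placeholder gateways.
sample_policy() {
    isakmp_exempt_lines inet6
    echo 'spdadd 10.0.0.0/24 10.0.1.0/24 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require;'
    echo 'spdadd 10.0.1.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/192.0.2.2-192.0.2.1/require;'
}

if sample_policy | check_exemption_first; then
    echo "ok: ISAKMP exemption precedes all require policies"
else
    echo "warning: a require policy appears before the ISAKMP exemption" >&2
fi
```

The check only looks at ordering, which is the point of the post; it does not validate the rest of the file, so still load it with setkey to catch syntax errors. Note that the exemption as written matches UDP 500 to and from any address, so IKE traffic with every peer bypasses the require policies; narrowing 0.0.0.0/0 to the addresses of the gateways you actually negotiate with keeps the same effect with less exposure.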