From owner-freebsd-net Mon Apr 30 17: 6:19 2001
Delivered-To: freebsd-net@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id B69D937B423 for ; Mon, 30 Apr 2001 17:06:15 -0700 (PDT) (envelope-from itojun@itojun.org)
Received: from itojun.org (localhost [127.0.0.1]) by coconut.itojun.org (Postfix) with ESMTP id EE6304B0B; Tue, 1 May 2001 09:06:08 +0900 (JST)
To: snap-users@kame.net
Cc: Shoichi Sakane , freebsd-net@freebsd.org
In-reply-to: gunther's message of Mon, 30 Apr 2001 23:02:18 GMT. <3AEDEEFA.60DD4AC4@aurora.regenstrief.org>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: (KAME-snap 4569) Re: KAME SPD bug, please try and confirm ...
From: itojun@iijlab.net
Date: Tue, 01 May 2001 09:06:08 +0900
Message-ID: <20857.988675568@itojun.org>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Earlier last week I wrote:
>> I just built and tested the latest KAME-SNAP, and it appears as if
>> the two ipsec tunnels work together now. I will have a final word
>> on this later tomorrow, but for now it looks as if this problem
>> requires no further action on your part.
>
>Unfortunately I found out that the problem still exists deep down,
>it's just harder to reproduce. It comes when I try to use multiple
>SPD rules to route packets into the same ESP tunnel.

my guess is that you have some issue with routing setup. last time,
you had some wacky static routes to help source address selection
(i do not really recommend that). do you still have them? if so,
please show them to us (to mailing list) within the script.

>Since my project is in jeopardy because of this bug, I have
>now engaged plan B, which is to use IPsec in transport mode
>and one gif tunnel connecting each satellite with the home
>gateway. I can then use as many static routes as I like to
>add ingress rules for the tunnel. I am convinced this works
>because the SPD entries are much simpler for this. However, on
>the way I discovered another weirdness similar to the above.
>Take the above setkey scripts and since the additional
>tunnel ingress and egress rules do not work, let's delete
>them and use a gif-tunnel hack instead. On the central home
>gateway I would say:

you are encapsulating twice with the "gif and IPsec tunnel mode" setup,
and the setup won't interoperate with other boxes.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
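The two configurations contrasted above, as an added setkey(8) policy example that is not part of the thread or of KAME's own scripts. All addresses are constructed documentation values (home gateway 192.0.2.1, satellite 198.51.100.1, gif endpoints 10.0.0.1/10.0.0.2, satellite LAN 10.1.0.0/16), and the SAs themselves (from racoon or manual `add` lines) are assumed and not shown.

```setkey
# Added example, home-gateway side. Constructed addresses, not from the thread.
# The gif(4) tunnel is configured outside setkey, e.g. (assumed):
#   ifconfig gif0 create
#   ifconfig gif0 tunnel 192.0.2.1 198.51.100.1
#   ifconfig gif0 inet 10.0.0.1 10.0.0.2
#   route add -net 10.1.0.0/16 10.0.0.2   # one static route per satellite LAN
# Load this file with: setkey -f <file>

# (1) The "gif and IPsec tunnel mode" combination itojun warns about, kept
#     commented out. gif already adds an outer IPv4 header; a tunnel-mode
#     policy on that outer flow wraps it a second time, so the peer receives
#     IP / ESP / IP / IP / payload and a plain IPsec tunnel peer cannot
#     decapsulate it.
# spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec
#     esp/tunnel/192.0.2.1-198.51.100.1/require;
# spdadd 198.51.100.1 192.0.2.1 ip4 -P in ipsec
#     esp/tunnel/198.51.100.1-192.0.2.1/require;

# (2) Plan B from the thread: transport-mode ESP between the gif endpoints.
#     The selector is the gif encapsulation itself (upper-layer protocol ip4,
#     i.e. IP protocol 4), so every static route that points into gif0 is
#     covered by these two policies; no per-route SPD entry is needed, and
#     the wire format is IP / ESP / IP / payload, which any peer running the
#     mirror-image policy on its side can handle.
spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ip4 -P in  ipsec esp/transport//require;
```

Check the result with `setkey -DP`: only the two transport-mode entries should be present, and `tcpdump -i <outer interface> esp` should show ESP directly on the outer addresses rather than a second IP header inside.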