From: Andrew Reilly
Date: Thu, 19 Jul 2007 16:46:14 +1000
To: freebsd-stable@freebsd.org
Cc: delta@lackas.net
Subject: ports/security/vpnc vs built-in IPSec?

Hi there,

I used ports/security/vpnc with some success some time ago, but then stopped because I didn't need it. Since then I've upgraded my -STABLE many times, and portupgrade has upgraded vpnc at least once, and now it doesn't seem to work anymore.

I've been poking it quite vigorously, this afternoon, without much success: I can start it from the command line, with debugging turned on and no-disconnect from the control terminal, and can see from the debug trace that connection, authentication and network route setup all seem perfect. Just no packets ever seem to get through the tun0 link.

Now, I remember from long ago that vpnc does not like IPSec in the kernel, because (from memory) the kernel gets to the esp packets before vpnc (which handles them in user-space), and the wrong thing happens.

The difference, now, seems to be that there is no longer a config option to disable IPSEC. Or is there? Is there any way to disable kernel IPSEC in 6-STABLE? There doesn't seem to be anything in kldstat to indicate that any ipsec foo has been dynamically loaded. Indeed, there doesn't seem to be anything in sysctl -a relating to ipsec either: does that mean that it somehow *is* disabled?

Any other thoughts on how to improve my situation?

Cheers,

--
Andrew