Date:      Thu, 19 Jul 2007 14:22:17 +0100
From:      Vince <jhary@unsane.co.uk>
To:        Andrew Reilly <andrew-freebsd@areilly.bpc-users.org>
Cc:        freebsd-stable@freebsd.org, delta@lackas.net
Subject:   Re: ports/security/vpnc vs built-in IPSec?
Message-ID:  <469F6589.9070300@unsane.co.uk>
In-Reply-To: <20070719064614.GA96133@duncan.reilly.home>
References:  <20070719064614.GA96133@duncan.reilly.home>


Andrew Reilly wrote:
> Hi there,
> 
> I used ports/security/vpnc with some success some time ago, but
> then stopped because I didn't need it.  Since then I've
> upgraded my -STABLE many times, and portupgrade has upgraded
> vpnc at least once, and now it doesn't seem to work anymore.
> I've been poking it quite vigorously, this afternoon, without
> much success: I can start it from the command line, with
> debugging turned on and no-disconnect from the control terminal,
> and can see from the debug trace that connection, authentication and
> network route setup all seem perfect.  Just no packets ever seem
> to get through the tun0 link.
> 
I'm running -CURRENT so the situation isn't identical, but vpnc works fine
here. This is through NAT with vpnc-0.4.0_1

{root@prawn}#vpnc
add host 80.169.168.42: gateway 192.168.10.2
add net 10.49.11.0: gateway 10.100.223.50
add net 10.44.19.0: gateway 10.100.223.50
VPNC started in background (pid: 24376)...
[~](14:19:30)
{root@prawn}#!ftp
-su: !ftp: event not found
[~](14:19:32)
{root@prawn}#ftp 10.49.11.252
Connected to 10.49.11.252.
220 Access to this system is restricted to authorised users only. If you
are not authorised please disconnect now. All transfers are logged.
Name (10.49.11.252:jhary): ^C

[~](14:20:07)
{root@prawn}#vpnc-disconnect
Terminating vpnc daemon (pid: 24376)



> Now, I remember from long ago that vpnc does not like IPSec in
> the kernel, because (from memory) the kernel gets to the esp
> packets before vpnc (which handles them in user-space), and the
> wrong thing happens.  The difference, now, seems to be that
> there is no longer a config option to disable IPSEC.  Or is
> there?
> 
> Is there any way to disable kernel IPSEC in 6-STABLE?
> 
It's not enabled in GENERIC, so you won't have IPSEC unless you have built
a custom kernel.

Can't offer much beyond that though, I'm afraid. Has it set up the routing
correctly?

Sorry I can't help more,
Vince


> There doesn't seem to be anything in kldstat to indicate that
> any ipsec foo has been dynamically loaded.  Indeed, there
> doesn't seem to be anything in sysctl -a relating to ipsec
> either: does that mean that it somehow *is* disabled?
> 
> Any other thoughts on how to improve my situation?
> 
> Cheers,
> 






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?469F6589.9070300>