From: Vince
Date: Thu, 19 Jul 2007 14:22:17 +0100
To: Andrew Reilly
Cc: freebsd-stable@freebsd.org, delta@lackas.net
Subject: Re: ports/security/vpnc vs built-in IPSec?
Message-ID: <469F6589.9070300@unsane.co.uk>
In-Reply-To: <20070719064614.GA96133@duncan.reilly.home>

Andrew Reilly wrote:
> Hi there,
>
> I used ports/security/vpnc with some success some time ago, but
> then stopped because I didn't need it. Since then I've
> upgraded my -STABLE many times, and portupgrade has upgraded
> vpnc at least once, and now it doesn't seem to work anymore.
> I've been poking it quite vigorously, this afternoon, without
> much success: I can start it from the command line, with
> debugging turned on and no-disconnect from the control terminal,
> and can see from the debug trace that connection, authentication and
> network route setup all seem perfect. Just no packets ever seem
> to get through the tun0 link.
>

I'm running -CURRENT so the situation isn't identical, but vpnc works fine
here. This is through NAT with vpnc-0.4.0_1:

{root@prawn}#vpnc
add host 80.169.168.42: gateway 192.168.10.2
add net 10.49.11.0: gateway 10.100.223.50
add net 10.44.19.0: gateway 10.100.223.50
VPNC started in background (pid: 24376)...
[~](14:19:30) {root@prawn}#!ftp
-su: !ftp: event not found
[~](14:19:32) {root@prawn}#ftp 10.49.11.252
Connected to 10.49.11.252.
220 Access to this system is restricted to authorised users only. If you are not authorised please disconnect now. All transfers are logged.
Name (10.49.11.252:jhary): ^C
[~](14:20:07) {root@prawn}#vpnc-disconnect
Terminating vpnc daemon (pid: 24376)

> Now, I remember from long ago that vpnc does not like IPSec in
> the kernel, because (from memory) the kernel gets to the esp
> packets before vpnc (which handles them in user-space), and the
> wrong thing happens. The difference, now, seems to be that
> there is no longer a config option to disable IPSEC. Or is
> there?
>
> Is there any way to disable kernel IPSEC in 6-STABLE?
>

It's not enabled in GENERIC, so you won't have IPSEC unless you have built
a custom kernel. Can't offer much beyond that, though, I'm afraid. Has it
set up the routing correctly?

Sorry I can't help more,

Vince

> There doesn't seem to be anything in kldstat to indicate that
> any ipsec foo has been dynamically loaded. Indeed, there
> doesn't seem to be anything in sysctl -a relating to ipsec
> either: does that mean that it somehow *is* disabled?
>
> Any other thoughts on how to improve my situation?
>
> Cheers,
>