From: Shoichi Sakane
To: nick@netdot.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Racoon problems with 4.6-STABLE
In-Reply-To: Your message of "Mon, 15 Jul 2002 15:28:08 -0700" <20020715222808.GE14733@netdot.net>
Message-Id: <20020716144135H.sakane@kame.net>
Date: Tue, 16 Jul 2002 14:41:35 +0900

> I'm having problems with racoon since upgrading from 4.5-S to 4.6-S.
>
> I had to kill routed, it was causing the routing table to be updated many
> times per second and flooding my racoon logs. This behavior seems to be
> new after the upgrade.

When racoon is running on a router or the IP addresses are static, you
should configure racoon not to get IP addresses dynamically. That is, use
the listen directive.

> A worse problem, however, is that racoon doesn't seem to add all the SAD
> entries it negotiates to the kernel. The result is messages like:
>
> Jul 15 15:22:23 port /kernel: IPv4 AH input: no key association found for spi 207489362

racoon seems busy processing PF_ROUTE messages. I think it will be solved
when you configure racoon as I proposed.
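
The listen directive suggested in the reply above, sketched as a racoon.conf fragment. This is an added example, not part of the original message; the address 192.0.2.1 is a placeholder for the router's own static IPsec endpoint address.

```conf
# racoon.conf fragment (added example; 192.0.2.1 is a placeholder address)

# Before: no listen section. racoon collects its addresses from the
# interfaces at run time, which is the dynamic behaviour the reply
# advises against on a router or a host with static addresses.

# After: bind ISAKMP to the fixed address only.
listen
{
	# Static address and port racoon uses for IKE.
	isakmp 192.0.2.1 [500];

	# Refuse to start unless the address above can actually be bound,
	# so a typo or a missing interface fails loudly instead of leaving
	# the daemon running with no usable IKE socket.
	strict_address;
}

# After restarting racoon, `setkey -D` lists the SAs installed in the
# kernel, which shows whether the negotiated SAD entries are present.
```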