Date: Tue, 17 May 2005 09:33:40 +0100
From: Daren Russell <darenr@end-design.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: IPSec and Racoon between 5.4 and 4.11
Message-ID: <d6ca7k$58s$1@sea.gmane.org>
In-Reply-To: <23gi81pattnnan1rlv8uc0dva1ken5r8cj@4ax.com>
References: <d6a1fg$pf1$1@sea.gmane.org> <23gi81pattnnan1rlv8uc0dva1ken5r8cj@4ax.com>
Mike Tancsa wrote:
> On Mon, 16 May 2005 12:51:50 +0100, in sentex.lists.freebsd.questions
> you wrote:
>
>> Hi,
>>
>> Has anybody got 5.4 <-> 4.11 talking in this config, or does anybody
>> know of any pitfalls because of kernel changes?
>
> There should not be any issues as I have 90+ RELENG_4 boxes deployed
> talking to a 5.4 server and a dozen RELENG_5 boxes talking to 2
> RELENG_4 servers generally without issue. The one thing we run into
> from time to time is the issue of net.key.preferred_oldsa=1 on
> FAST_IPSEC on RELENG_4. But other than that, it works. What issues
> are you running into? Did you enable debug logging in racoon? What
> state do the tunnels get to? i.e. what does setkey -D show?

I didn't think there should be.

A basic tunnel (without any encryption) works fine. As soon as ipsec_enable is set in rc.conf, it fails.

setkey -D shows "No SAD entries".

When racoon is restarted, the debug log shows (I believe; I honestly don't understand half of what it logs!) that the /etc/ipsec.conf entries are read (I'm on a different PC, so this is copied from the screen):

racoon: DEBUG: policy.c:184:cmpspidxstrict(): sub:0x7fffffffe940: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
racoon: DEBUG: policy.c:184:cmpspidxstrict(): db :0x568810: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in

with similar on the second server (although the IPs are the opposite way round).

If I start a ping from 192.168.1.254 -> 192.168.0.254, the receiving machine gets an 'Invalid length of payload' error, whilst the sending machine is getting a 'phase 2 negotiation failed due to time up waiting for phase1. ESP 62.x.x.125->82.x.x.141' (the IPs shown are what they should be).

I can probably transfer entire parts of the log files if required, but at the moment both machines are isolated.

A further point I've discovered, having left them running for a while, is that the racoon on the AMD64 keeps crashing and dumping core (although I don't know what to do with that!). Maybe there is an issue with racoon on 64-bit? Maybe I should try re-installing with a standard i386 arch. (Last ditch!)

Both racoons are 'racoon-2005-0510a' BTW.

Thanks

Daren

> ---Mike
> --------------------------------------------------------
> Mike Tancsa, Sentex communications http://www.sentex.net
> Providing Internet Access since 1994
> mike@sentex.net, (http://www.tancsa.com)
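The state Mike asks about ("what does setkey -D show?") is the quickest way to tell a policy problem from an IKE problem: Daren's SPD is loaded (racoon prints both mirrored policies) but the SAD is empty, which means phase 2 never installed an SA. The following helper is an added example, not code from the thread or from FreeBSD/racoon; it classifies saved `setkey -DP` (SPD) and `setkey -D` (SAD) dumps into one of four verdicts. The sample dumps are constructed in the shape KAME setkey prints, and the gateway addresses (192.0.2.1, 198.51.100.1) are documentation addresses standing in for the 62.x.x.125/82.x.x.141 pair in the post.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original thread or from FreeBSD).
# Usage on a real gateway:
#   setkey -DP > spd.txt; setkey -D > sad.txt; ipsec_verdict spd.txt sad.txt

# Number of SAs in state $2 (mature|larval|dying|dead) in a setkey -D dump $1.
sad_count() {
    grep -c "state=$2" "$1" || true        # grep -c exits 1 on zero matches
}

# Number of policy entries in a setkey -DP dump $1 (one "spid=" line each).
spd_count() {
    grep -c '^[[:space:]]*spid=' "$1" || true
}

# One-word verdict from SPD dump $1 and SAD dump $2:
#   NO_POLICY  SPD empty: ipsec.conf never loaded (ipsec_enable off, or failed)
#   NO_SA      policy loaded but SAD empty: IKE never completed phase 2
#   LARVAL     SA entries exist but none is mature: negotiation incomplete
#   UP         at least one mature SA, traffic can be protected
ipsec_verdict() {
    spd=$1; sad=$2
    if grep -q '^No SPD entries' "$spd" || [ "$(spd_count "$spd")" -eq 0 ]; then
        echo NO_POLICY
    elif grep -q '^No SAD entries' "$sad"; then
        echo NO_SA
    elif [ "$(sad_count "$sad" mature)" -gt 0 ]; then
        echo UP
    else
        echo LARVAL
    fi
}

# --- constructed sample dumps (assumption: KAME setkey output layout) ------
SAMPLE_DIR=${TMPDIR:-/tmp}/ipsec-verdict.$$
mkdir -p "$SAMPLE_DIR"

# SPD with the two mirrored tunnel policies from the post, as setkey -DP shows them.
cat > "$SAMPLE_DIR/spd.txt" <<'EOF'
192.168.1.0/24[any] 192.168.0.0/24[any] any
	in ipsec
	esp/tunnel/198.51.100.1-192.0.2.1/require
	spid=2 seq=1 pid=712
	refcnt=1
192.168.0.0/24[any] 192.168.1.0/24[any] any
	out ipsec
	esp/tunnel/192.0.2.1-198.51.100.1/require
	spid=1 seq=0 pid=712
	refcnt=1
EOF
printf 'No SPD entries.\n' > "$SAMPLE_DIR/spd-empty.txt"

# SAD as in the thread: policy present, but no SA was ever installed.
printf 'No SAD entries.\n' > "$SAMPLE_DIR/sad-empty.txt"

# SAD with an SPI allocated but the SA never finished (constructed).
cat > "$SAMPLE_DIR/sad-larval.txt" <<'EOF'
192.0.2.1 198.51.100.1
	esp mode=tunnel spi=123456789(0x075bcd15) reqid=0(0x00000000)
	seq=0x00000000 replay=0 flags=0x00000000 state=larval
EOF

# SAD after a successful phase 2: one mature SA per direction (constructed keys).
cat > "$SAMPLE_DIR/sad-up.txt" <<'EOF'
192.0.2.1 198.51.100.1
	esp mode=tunnel spi=123456789(0x075bcd15) reqid=0(0x00000000)
	E: 3des-cbc  0123456789abcdef0123456789abcdef0123456789abcdef
	A: hmac-sha1 0123456789abcdef0123456789abcdef01234567
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
	esp mode=tunnel spi=987654321(0x3ade68b1) reqid=0(0x00000000)
	E: 3des-cbc  fedcba9876543210fedcba9876543210fedcba9876543210
	A: hmac-sha1 fedcba9876543210fedcba9876543210fedcba98
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
EOF

# Daren's situation classifies as NO_SA: look at racoon, not at ipsec.conf.
ipsec_verdict "$SAMPLE_DIR/spd.txt" "$SAMPLE_DIR/sad-empty.txt"
```

A NO_SA verdict with racoon logging "time up waiting for phase1" points at phase 1 (peer reachability, UDP/500 filtering, proposal or pre-shared-key mismatch) rather than at the kernel SPD, which is exactly the split this thread is trying to make.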