Date: Mon, 12 Aug 2002 22:26:19 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Julian Elischer <julian@vicor.com>
Cc: net@FreeBSD.ORG
Subject: Re: Racoon question
Message-ID: <20020813052619.GD1675@blossom.cjclark.org>
In-Reply-To: <3D583B58.3A132F@vicor.com>
References: <3D583B58.3A132F@vicor.com>
On Mon, Aug 12, 2002 at 03:48:56PM -0700, Julian Elischer wrote:
> I have a (probably silly) question about racoon..
>
> I have racoon working to some extent.
> I have it working in transport mode.
>
> However I notice that if I have a problem on one system it sometimes
> needs to wait until the running SA has expired until things can be
> restarted.. For example if one system is rebooted, I need to reset the
> racoon on the other system and clear SAs etc. before things can resync.

Yeah, known issue which comes up from time to time. It is a common
headache in IPsec. 'Coulda sworn there was a sysctl(8) to change this
behavior, but I can't find it. Nor can I Google anything except other
{Free,Net,Open}BSD and Linux people complaining about the problem.

This IETF draft explains some of the issues,

  http://search.ietf.org/internet-drafts/draft-spencer-ipsec-ike-implementation-02.txt

Maybe you can find some of the solutions that have been offered. It's
been discussed on various lists (-net, -security, and -questions) many
times. But just so you know,

> It occurred to me that this may be because the racoons need to talk
> across the transport connection that is toasted so it's a catch-22.
>
> I tried setting up port 500 as an exception using 'none'
> in /etc/ipsec.conf but that seems to confuse things.. it seems unable to
> decide for any given connection whether to use the [500] or [any]
> sessions.

This actually is not the problem. IKE/IPsec implementations have to be
smart enough to handle the negotiations "OOB."
-- 
Crist J. Clark                   | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/  | cjc@freebsd.org
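The manual workaround Julian describes (clear the stale SAs on the surviving host and restart racoon so a fresh IKE negotiation can happen right away instead of waiting for the old SA lifetime to expire) written up as a script. This is an added example, not code from the thread or from racoon; it assumes FreeBSD setkey(8), transport-mode ESP, racoon started from a ports rc script at /usr/local/etc/rc.d/racoon.sh, and uses the documentation addresses 192.0.2.1/192.0.2.2 as stand-ins. It deletes only the SAs to the one peer rather than flushing the whole SAD, so SAs to peers that did not reboot stay up, and it leaves the SPD (and any port 500 policy) alone, in line with Crist's point that the IKE exchange is not what is being blocked.

```shell
#!/bin/sh
# Added example (not from the thread): after a peer reboots, the surviving
# host keeps its old SAs until their lifetime runs out. This forces a
# resync now: delete the stale SAs to that one peer and restart racoon so
# the next packet triggers a fresh IKE negotiation.
#
# Assumptions, not from the thread: FreeBSD setkey(8) from the base system,
# transport-mode ESP, racoon from ports with the rc script below, and
# RFC 5737 documentation addresses standing in for the real hosts.

LOCAL=${LOCAL:-192.0.2.1}
PEER=${PEER:-192.0.2.2}
RACOON_RC=${RACOON_RC:-/usr/local/etc/rc.d/racoon.sh}

# setkey(8) script that removes every ESP SA between the two hosts, in
# both directions. 'deleteall' scopes the removal to this peer; a bare
# 'flush;' would also drop SAs to peers that are still healthy.
stale_sa_script() {
    printf 'deleteall %s %s esp;\ndeleteall %s %s esp;\n' "$1" "$2" "$2" "$1"
}

# Crude liveness probe through the protected path: with a stale SA on this
# side our ESP still goes out, but the rebooted peer has no SA to decrypt
# it with, so nothing comes back. Three echo requests, five-second
# deadline (FreeBSD ping -t).
peer_reachable() {
    ping -q -c 3 -t 5 "$1" >/dev/null 2>&1
}

# Turn the probe's exit status into a decision; kept separate so the
# logic can be checked without touching the kernel.
decide() {   # $1 = 0 if the peer answered, nonzero otherwise
    if [ "$1" -eq 0 ]; then echo ok; else echo resync; fi
}

resync_peer() {
    echo "peer $PEER unreachable through IPsec; clearing SAs and restarting racoon"
    "$RACOON_RC" stop || killall racoon 2>/dev/null
    stale_sa_script "$LOCAL" "$PEER" | setkey -c
    "$RACOON_RC" start
}

# Only act when invoked with --run, so sourcing the file to inspect or
# test its pure functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    peer_reachable "$PEER"; rc=$?
    if [ "$(decide "$rc")" = resync ]; then
        resync_peer
    else
        echo "peer $PEER reachable; nothing to do"
    fi
fi
```

Run it from cron or by hand as `sh resync-peer.sh --run` on the host that stayed up. It does not address the underlying problem Crist points at (the implementation noticing on its own that the peer lost its state); it only automates the reset Julian was doing manually.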