Date: Tue, 4 Mar 2008 15:25:16 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Cyrus Rahman <crahman@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: ipv6 + ah + esp
Message-ID: <20080304152255.M50685@maildrop.int.zabbadoz.net>
In-Reply-To: <9e77bdb50803040649u1876d8d4l9f2b7a4cef5c4b5@mail.gmail.com>
References: <9e77bdb50803040649u1876d8d4l9f2b7a4cef5c4b5@mail.gmail.com>

On Tue, 4 Mar 2008, Cyrus Rahman wrote:

Hi,

> Is there a known problem running ah+esp on ip6?  I can set up an
> association and run ah+esp just fine on ip4,
> and ah or esp work well by themselves in ip6, but I've had no luck
> with combining them on ip6.
>
> I know that ipcomp is documented to be broken but I haven't seen
> anything about this problem.  This is on 7.0-RELEASE.
>
> For example this:
>
> spdadd hostA hostB any -P out ipsec
>   esp/transport//require ah/transport//require;
> spdadd hostB hostA any -P in ipsec
>   esp/transport//require ah/transport//require;
>
> results in no exchange but the following messages in syslog:
>
> snowfall kernel: ip6_output (ipsec): error code 22
>
> Taking either ah or esp out of the policy works just fine.

22 is EINVAL.

The same error message is there twice in sys/netinet6/ip6_output.c
(search for "(ipsec)" w/o the "").
Could you alter them so we can tell them apart, recompile the kernel
and file a PR with this information and whether it is the printf after
ipsec6_output_trans or after ipsec6_output_tunnel.

/bz

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.