Date:      Thu, 1 Jan 2015 23:40:36 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Chris Watson <bsdunix44@gmail.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: IPSec and racoon issue...
Message-ID:  <620F82BB-1D53-4F2A-9C67-51D5EC3C3144@lists.zabbadoz.net>
In-Reply-To: <CAHnbxSQuFqHqLLP%2Bh62mChN4hnP9gkWb%2BtKFoeYpAxoo9zqpHw@mail.gmail.com>
References:  <CAHnbxSQuFqHqLLP%2Bh62mChN4hnP9gkWb%2BtKFoeYpAxoo9zqpHw@mail.gmail.com>


> On 01 Jan 2015, at 04:36 , Chris Watson <bsdunix44@gmail.com> wrote:
>
> So I have been running a stable ipsec tunnel between my MacBook Pro and a
> FreeBSD 10-stable server, I just rebuilt world today and racoon has become
> pissy and refuses to start, and as usual with ipsec, debugging it is like
> winning gold in the pain olympics. So here's the issue, my working config
> has not changed at all. I'm simply running a new FreeBSD 10-stable r276472
> world + kernel. I have looked all over at UPDATING, source commits to
> stable, google, etc and I can’t figure this error out.

Do you know the old revision as well, to limit the search time?


> Anytime I try to start racoon it looks like it starts but it doesn't. The
> only error I can get is to run it with "racoon -F -ddd -f
> /usr/local/etc/racoon/racoon.conf", and I get the following
>
> "ERROR: libipsec failed pfkey open (Address family not supported by
> protocol family)
> racoon: failed to initialize pfkey socket"
>
> Doing a "setkey -F" produces "pfkey_open: Address family not supported by
> protocol family”


That smells like a raw socket issue to me. But the only changes there I can remember is that someone changed the source address selection but nothing that would trigger this.

You could turn net.inet.ipsec.debug to 0xff and check that there is nothing in dmesg -a after trying to start racoon, just to rule that out.

Also could you paste the output of `sysctl -a | grep ipsec` and `sysctl -a net.key` just trying to make sure … ;-)


— 
Bjoern A. Zeeb                                  Charles Haddon Spurgeon:
"Friendship is one of the sweetest joys of life.  Many might have failed
 beneath the bitterness of their trial  had they not found a friend."



