Possible IPsec Trouble in 5.2RC?
Crist J. Clark
cristjc at comcast.net
Thu Dec 18 22:49:37 PST 2003
I just upgraded a ThinkPad 600E from RELENG_5_1 to RELENG_5_2. I seem
to be having trouble with my IKE daemon, racoon(8), but I don't think
the problem is with racoon(8), but it may be the FreeBSD KAME IPsec
implementation.
I had had IPsec, with racoon(8) as the IKE daemon, running great under
5.1. When I upgraded to 5.2RC, it no longer functioned. I thought it
may be a compatibility issue, so to eliminate the possibility, I
deinstalled, rebuilt on the 5.2RC system, and reinstalled (just used
'portupgrade -f'). That did not help.
IPsec does work, however. When I manually load up the SAD with
setkey(8), the ESP tunnel comes up and everything is fine.
I think the problem is that the IKE traffic, 500/udp, is not bypassing
the IPsec processing like it should. For example, I try to ping a host
for which the SPD requires an ESP tunnel. Racoon(8)'s log reports
that we are trying to start Phase 1 ISAKMP. However, if I snoop the
wire, no packets are leaving the machine, nor do any counters in the
ipfw(8) output increment as they should for 500/udp traffic. But the
way the 'netstat -s -p ipsec' line, 'outbound packets with no SA
available,' increments is consistent with the packets getting dropped
there. (I should note that the traffic to the other end of the IPsec
tunnel would also go through the tunnel according to the SPD.)
Anyone else seeing this?
--
Crist J. Clark | cjclark at alum.mit.edu
| cjclark at jhu.edu
http://people.freebsd.org/~cjc/ | cjc at freebsd.org
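As an added example (not part of the post above, and not code from the FreeBSD or racoon projects), this script emits a setkey(8) policy set that makes the 500/udp IKE bypass explicit instead of relying on the stack to exempt it, and adds two small checks: one that a bypass entry precedes the first tunnel policy, and one that extracts the 'outbound packets with no SA available' counter from netstat output so it can be watched while IKE is stalled. Gateway and network addresses are constructed placeholders, and the bypass-first ordering reflects my assumption that the SPD is searched in insertion order.

```shell
#!/bin/sh
# Added example, not from the original post. Emits a KAME setkey(8) policy set
# that tunnels traffic between two networks over ESP but explicitly exempts
# the gateways' IKE exchange on 500/udp, so racoon(8) can negotiate.
# Bypass entries are listed first (assumption: the SPD is searched in order).
# All addresses below are constructed placeholders.
ipsec_policy_conf() {
    # $1 local gateway, $2 remote gateway, $3 local network, $4 remote network
    cat <<EOF
spdadd $1[500] $2[500] udp -P out none;
spdadd $2[500] $1[500] udp -P in none;
spdadd $3 $4 any -P out ipsec esp/tunnel/$1-$2/require;
spdadd $4 $3 any -P in ipsec esp/tunnel/$2-$1/require;
EOF
}

# Returns 0 when a policy text (read from stdin) carries an outbound 500/udp
# bypass entry ahead of its first outbound 'ipsec' policy, 1 otherwise.
ike_bypass_first() {
    awk '/-P out none;/ && /\[500\] .*udp/ { seen = 1 }
         /-P out ipsec/ { exit !seen }
         END { if (!seen) exit 1 }'
}

# Pulls the counter the poster watched out of 'netstat -s -p ipsec' output
# (read from stdin); a value that climbs while IKE stalls points at the SPD.
no_sa_drops() {
    awk '/outbound packets with no SA available/ { print $1; exit }'
}

# Stand-alone use: "sh this.sh install" pipes the policy into setkey(8).
if [ "${1:-}" = "install" ]; then
    ipsec_policy_conf 192.0.2.1 198.51.100.1 10.1.0.0/16 10.2.0.0/16 | setkey -c
fi
```

Run without arguments the script only defines the functions; `ipsec_policy_conf ... | ike_bypass_first` reports whether the bypass ordering is present before anything is loaded.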