state of ipsec
Craig Boston
craig at xfoil.gank.org
Mon Feb 16 07:29:33 PST 2004

On Monday 16 February 2004 6:52 am, Guido van Rooij wrote:
> IIRC IPSEC currently has the problem that if you happen to use require
> in your policies, even the ISAKMP packets do not get out.
>
> I switched to FAST_IPSEC, which doesn't have this problem.
> You can of course also use "use" instead of "require".

One workaround that solved it for me is to modify your IPSEC policy and insert
something like this at the top:

spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P out ipsec
  esp/transport//default;
spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P in ipsec
  esp/transport//default;

If that's at the top before anything else, it should override the policy for
ISAKMP packets and get things working again without having to fall back to
'use'.  A similar entry should be possible for IPv6 as well if you need that.

On a somewhat related topic, has anyone encountered panics when the interface
that racoon is watching is destroyed (say, gif0)?  This is on 5.2-RELEASE.
I'll try to get a dump if it happens again...

Craig
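The workaround above in context, as an added example that is not part of Craig's post or of FreeBSD itself: a complete setkey(8) policy file in which the ISAKMP (UDP 500) bypass entries sit ahead of a 'require' tunnel policy, plus a small text check that the bypass entries really do come before the first 'require' line. The gateway and subnet addresses, the IPv6 bypass entries, and the check_order helper are assumptions made for the example; only the two IPv4 port-500 entries come from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): a setkey(8)
# policy file applying the ISAKMP-bypass workaround, and a check on ordering.
# Addresses 10.1.0.0/16, 10.2.0.0/16, 192.0.2.1 and 198.51.100.1 are
# constructed for the example; the IPv6 entries assume the same syntax with
# ::/0 in place of 0.0.0.0/0 (not shown in the post).

gen_policy() {
    cat <<'EOF'
flush;
spdflush;

# ISAKMP must be able to leave and enter before any SA exists, so these
# entries come first and use the default level, not 'require'.
spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P out ipsec
    esp/transport//default;
spdadd 0.0.0.0/0[500] 0.0.0.0/0[500] any -P in ipsec
    esp/transport//default;
# Same for IPv6 (assumed equivalent syntax; not shown in the post).
spdadd ::/0[500] ::/0[500] any -P out ipsec
    esp/transport//default;
spdadd ::/0[500] ::/0[500] any -P in ipsec
    esp/transport//default;

# Protected traffic: require ESP in tunnel mode between the two gateways.
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;
EOF
}

# Text-only sanity check on a policy file: every spdadd line carrying a
# [500] port selector must appear before the first '/require;' policy.
# Returns 0 when the order is right, 1 otherwise.  The kernel's own view of
# the loaded SPD is what 'setkey -DP' prints; this only checks the file.
check_order() {
    awk '
        /spdadd .*\[500\]/ { if (seen_require) bad = 1 }
        /\/require;/       { seen_require = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Stand-alone use: write the policy, verify ordering, then show it.
if [ "${0##*/}" != "sh" ]; then
    policy_file=${1:-./ipsec-policy.conf}
    gen_policy > "$policy_file"
    check_order "$policy_file" && echo "ordering ok: $policy_file"
fi
```

Load the file with `setkey -f ./ipsec-policy.conf` and confirm with `setkey -DP` that the port-500 entries are listed ahead of the tunnel entries; the check_order function is only a guard against someone later pasting a 'require' entry above the bypass lines when editing the file.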