More on broken IPSEC
Tobias Roth
roth at iam.unibe.ch
Sat Feb 21 10:38:10 PST 2004
On Mon, Feb 16, 2004 at 01:52:32PM +0100, Guido van Rooij wrote:
> On Sun, Feb 15, 2004 at 01:37:00AM +0000, Bruce M Simpson wrote:
> > On Sun, Feb 15, 2004 at 12:54:26AM +0100, Tobias Roth wrote:
> > > yes, setkey -D never outputs anything, no SAs get created at all.
> >
> > This would tend to suggest either IPSEC support is missing from the kernel,
> > or there has been a problem when racoon is issuing PF_KEY socket writes.
> >
> > Can you recompile with IPSEC_DEBUG enabled and try to replicate the problem?
>
> IIRC IPSEC currently has the problem that if you happen to use require
> in your policies, even the ISAKMP packets do not get out.
>
> I switched to FAST_IPSEC, which doesn't have this problem.
> You can of course also use "use" instead of "require".
i did some more tests and have now verified that IPSEC plus "require"
does not work, no packets get sent over the wire. the same setup works
like a charm when i change "require" to "use". this is with 5.2.1-RC2
on both machines.
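
An added example, not part of the original message: per setkey(8), a policy at level "use" lets the kernel send matching traffic unprotected when no SA exists, while "require" does not, so after applying the workaround above it is worth knowing which policies are at "use". This sketch lists them in setkey.conf-style text; the function names and the sample policies (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SPD entries at level "use" in setkey.conf-style text.
# "use"     -> protect traffic if an SA exists, otherwise send it in the clear
# "require" -> an SA is mandatory for matching traffic

# Constructed sample policies (documentation addresses, not from the thread).
sample_policies() {
cat <<'EOF'
flush;
spdflush;
# transport-mode ESP between two hosts
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//use;
spdadd 192.0.2.2 192.0.2.1 any -P in ipsec esp/transport//require;
spdadd 192.0.2.1 198.51.100.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/use ah/tunnel/192.0.2.1-198.51.100.1/require;
EOF
}

# Read policy text on stdin and print "line-number: policy" for every spdadd
# statement that has at least one protocol/mode/src-dst/level request whose
# level is "use".
find_use_policies() {
    awk '
        /^[[:space:]]*#/ { next }           # skip comment lines
        $1 == "spdadd" {
            for (i = 2; i <= NF; i++) {
                f = $i
                sub(/;$/, "", f)            # drop the statement terminator
                n = split(f, part, "/")     # a request has exactly 4 fields
                if (n == 4 && part[4] == "use") {
                    print NR ": " $0
                    break
                }
            }
        }
    '
}

# Number of spdadd statements on stdin that contain a "use"-level request.
count_use_policies() {
    find_use_policies | wc -l | tr -d " "
}

sample_policies | find_use_policies
```

To check a real file, pipe it in instead of the sample: `find_use_policies < /etc/ipsec.conf` (the path is an assumption; use wherever your setkey policies live).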