ipsec/racoon broken

Robert Watson rwatson at freebsd.org
Wed Jul 28 18:01:11 PDT 2004 

On Thu, 29 Jul 2004, Michael Lestinsky wrote:

> for some time now my IPsec connection over my wireless network doesn't
> seem to work. I've enabled debugging in racoon (it's used on both ends
> of the connection) and get this in the log: 

Could you try editing src/sys/net/raw_cb.h and editing RAWSNDQ and RAWRCVQ
to set both values to 32768?  This probably won't fix it, but it might be
an easy way to see if we're looking at the size of a pfkey packet
exceeding the available socket buffer space.

Question: are you using KAME IPSEC or FAST_IPSEC?

Another thing to try: could you use ktrace to identify the system call and
arguments generating the ENOBUFS return value?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Principal Research Scientist, McAfee Research


> 
> 2004-07-29 00:37:56: DEBUG: oakley.c:436:oakley_compute_keymat(): KEYMAT computed.
> 2004-07-29 00:37:56: DEBUG: isakmp_quick.c:649:quick_i2send(): call pk_sendupdate
> 2004-07-29 00:37:56: DEBUG: algorithm.c:513:alg_ipsec_encdef(): encription(3des)
> 2004-07-29 00:37:56: DEBUG: algorithm.c:556:alg_ipsec_hmacdef(): hmac(hmac_sha1)
> 2004-07-29 00:37:56: DEBUG: pfkey.c:1061:pk_sendupdate(): call pfkey_send_update
> 2004-07-29 00:37:56: ERROR: pfkey.c:1076:pk_sendupdate(): libipsec failed send update (No buffer space available)
> 2004-07-29 00:37:56: ERROR: isakmp_quick.c:651:quick_i2send(): pfkey update failed.
> 2004-07-29 00:37:56: ERROR: isakmp.c:750:quick_main(): failed to process packet.
> 2004-07-29 00:37:56: ERROR: isakmp.c:541:isakmp_main(): phase2 negotiation failed.
> 
> Can someone help me here?
> 
> Thanks,
> Michael
> 
> -- 
> "Einige Hersteller verstehen sich gut auf Vermarktung und Vaporware -
> andere Firmen liefern."
>     -- CNet
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
>

More information about the freebsd-current mailing list