IPSec troubles
Crist J. Clark
cristjc at comcast.net
Tue Mar 30 15:47:03 PST 2004
On Tue, Mar 30, 2004 at 11:22:08AM +0000, Bjoern A. Zeeb wrote:
> On Mon, 29 Mar 2004, Crist J. Clark wrote:
>
> > > I have troubles setting up an IPSec Host-to-Host connection between
> > > FreeBSD 5.2.1 and MacOS X 10.3.3:
> >
> > Last I knew, 5.2.1 still had broken IPsec. Specifically, the system
> > tries to apply the IPsec policy to the IKE traffic giving us a chicken
> > and egg problem.
>
> you can "exclude" IKE traffic in the SPD manually. I am still unsure
> if this IS a bug. Would need to go through RFCs in detail.
[snip RFC2401 quotes]
I don't think we do. I mispoke... er, typed. IPsec _policy_ must be
applied to every packet (or socket). However, IKE traffic should skip
IPsec _processing,_ i.e. the IPsec policy should dictate the IKE
traffic skip IPsec processing.
> So if I get the problem right racoon is unable to tell the kernel
> that it's traffic should 'bypass' IPSec processing ?
Yes. Racoon can _no longer_ tell the kernel to bypass using KAME
IPsec. This used to work. A working racoon binary stopped working as
of a kernel upgrade between 5.<mumble-mumble> and 5.<mumble-mumble>.
Racoon will still work fine with FAST_IPSEC.
Racoon tells the kernel that the IKE socket should be 'bypassed' in
IPsec processing in the racoon/sockmisc.c:setsockopt_bypass function.
--
Crist J. Clark | cjclark at alum.mit.edu
| cjclark at jhu.edu
http://people.freebsd.org/~cjc/ | cjc at freebsd.org
More information about the freebsd-net
mailing list