IPSec and Racoon between 5.4 and 4.11
Daren Russell
darenr at end-design.co.uk
Tue May 17 01:37:29 PDT 2005
Mike Tancsa wrote:
> On Mon, 16 May 2005 12:51:50 +0100, in sentex.lists.freebsd.questions
> you wrote:
>
>
>>Hi,
>>
>>Has anybody got 5.4 <-> 4.11 talking in this config, or does anybody
>>know of any pitfalls because of kernel changes?
>
>
> There should not be any issues as I have 90+ RELENG4 boxes deployed
> talking to a 5.4 server and a dozen RELENG_5 boxes talking to 2
> RELENG_4 servers generally without issue. The one thing we run into
> from time to time is the issue of net.key.prefered_oldsa=1 on
> FAST_IPSEC on RELENG_4. But other than that, it works. What issues
> are you running into? Did you enable debug logging in racoon? What
> state do the tunnels get to? i.e. what does setkey -D show?
>
I didn't think there should be.
A basic tunnel (without any encryption) works fine. As soon as
ipsec_enable is set in rc.conf, it fails.
setkey -D shows No SAD entries.
When racoon is restarted, the debug log shows (I believe, I honestly
don't understand half of what it logs!) that the /etc/ipsec.conf entries
are read:
(I'm on a different PC, so this is copied from the screen)
racoon: DEBUG: policy.c:184:cmpspidxstrict(): sub:0x7fffffffe940:
192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
racoon: DEBUG: policy.c:184:cmpspidxstrict(): db :0x568810:
192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
with similar on the second server (although the IPs are the opposite
way round)
If I start a ping from 192.168.1.254 -> 192.168.0.254, the receiving
machine gets an 'Invalid length of payload' error, whilst the sending
machine is getting a 'phase 2 negotiation failed due to time up waiting
for phase1. ESP 62.x.x.125->82.x.x.141' (The IPs shown are what they
should be.) I can probably transfer entire parts of the log files if
required, but at the moment, both machines are isolated.
A further point I've discovered having left them running for a while, is
the racoon on the AMD64 keeps crashing and dumping core (although I
don't know what to do with that!). Maybe there is an issue with racoon
on 64bit? Maybe I should try re-installing with a standard i386 arch.
(Last ditch!)
Both racoons are 'racoon-2005-0510a' BTW.
Thanks
Daren
> ---Mike
> --------------------------------------------------------
> Mike Tancsa, Sentex communications http://www.sentex.net
> Providing Internet Access since 1994
> mike at sentex.net, (http://www.tancsa.com)
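The thread's diagnosis rests on three observations: which SPD policies racoon has loaded (the cmpspidxstrict() debug lines), whether setkey -D shows any SAs, and which negotiation errors racoon logs. The following added example (my own code, not from the thread or the racoon project) pulls those three signals out of a racoon debug log and setkey -D output and produces a short triage summary. The sample log and setkey output are constructed to mimic the lines quoted above, and the regular expressions are assumptions based on those quoted shapes, not on racoon's full log grammar.

```python
import re

# Constructed sample modelled on the lines quoted in the thread; not a real capture.
RACOON_LOG = """\
racoon: DEBUG: policy.c:184:cmpspidxstrict(): sub:0x7fffffffe940: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
racoon: DEBUG: policy.c:184:cmpspidxstrict(): db :0x568810: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
racoon: ERROR: phase 2 negotiation failed due to time up waiting for phase1. ESP 62.x.x.125->82.x.x.141
racoon: ERROR: Invalid length of payload
"""

# Constructed `setkey -D` output for the "no SAs at all" case described in the thread.
SETKEY_D_OUTPUT = "No SAD entries.\n"

# Assumed shapes of the log lines (derived from the quoted examples, not from racoon's source).
POLICY_RE = re.compile(
    r"(sub|db)\s*:0x[0-9a-fA-F]+:\s+(?P<src>\S+)\[(?P<sport>\d+)\]\s+"
    r"(?P<dst>\S+)\[(?P<dport>\d+)\]\s+proto=(?P<proto>\S+)\s+dir=(?P<dir>in|out)"
)
PHASE1_TIMEOUT_RE = re.compile(
    r"phase 2 negotiation failed due to time up waiting for phase1\.\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)->(?P<dst>\S+)"
)
INVALID_PAYLOAD_MARK = "Invalid length of payload"


def parse_policies(log: str) -> list[dict]:
    """Return the SPD entries racoon compared, one dict per cmpspidxstrict() line."""
    entries = []
    for line in log.splitlines():
        m = POLICY_RE.search(line)
        if m:
            entries.append({k: m.group(k) for k in ("src", "dst", "proto", "dir")})
    return entries


def policies_mirror(policies: list[dict]) -> bool:
    """True when every 'out' policy has an 'in' twin with src/dst swapped (the normal SPD shape)."""
    ins = {(p["src"], p["dst"], p["proto"]) for p in policies if p["dir"] == "in"}
    return all((p["dst"], p["src"], p["proto"]) in ins for p in policies if p["dir"] == "out")


def parse_phase1_timeouts(log: str) -> list[dict]:
    """Return each 'waiting for phase1' failure with the ESP/AH endpoints racoon reported."""
    found = []
    for line in log.splitlines():
        m = PHASE1_TIMEOUT_RE.search(line)
        if m:
            found.append({k: m.group(k) for k in ("proto", "src", "dst")})
    return found


def sad_is_empty(setkey_output: str) -> bool:
    """setkey -D prints 'No SAD entries.' when no security associations exist."""
    return "No SAD entries" in setkey_output


def triage(log: str, setkey_output: str) -> dict:
    """Combine the three signals into one summary a responder can read at a glance."""
    policies = parse_policies(log)
    timeouts = parse_phase1_timeouts(log)
    report = {
        "policies": policies,
        "policies_mirror": policies_mirror(policies),
        "sad_empty": sad_is_empty(setkey_output),
        "phase1_timeouts": timeouts,
        "invalid_payload_seen": INVALID_PAYLOAD_MARK in log,
    }
    if report["sad_empty"] and timeouts:
        # Policies are loaded but no SA was ever built: the peers never finished IKE phase 1,
        # so the problem sits in the phase 1 exchange, not in the SPD or the tunnel route.
        report["stage"] = "phase1-timeout"
    elif report["sad_empty"]:
        report["stage"] = "no-sa"
    else:
        report["stage"] = "sa-present"
    return report


if __name__ == "__main__":
    for key, value in triage(RACOON_LOG, SETKEY_D_OUTPUT).items():
        print(f"{key}: {value}")
```

Run it against a real racoon debug log and the output of setkey -D captured at the same moment; a "phase1-timeout" stage with mirrored policies points at the IKE phase 1 exchange (peer reachability on UDP 500, proposal mismatch, or a crashed daemon on one side) rather than at the SPD.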