Re: IPSec troubles
From: Bjoern A. Zeeb (bzeeb-lists_at_lists.zabbadoz.net)
Date: 03/30/04
- Previous message: Ruslan Ermilov: "Re: Disabling VLAN_HWTAGGING"
- In reply to: Crist J. Clark: "Re: IPSec troubles"
- Next in thread: Cyrill Rüttimann: "Re: IPSec troubles"
- Reply: Cyrill Rüttimann: "Re: IPSec troubles"
- Reply: Crist J. Clark: "Re: IPSec troubles"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 30 Mar 2004 11:22:08 +0000 (UTC)
To: "Crist J. Clark" <cjc@freebsd.org>
On Mon, 29 Mar 2004, Crist J. Clark wrote:
> > I have troubles setting up an IPSec Host-to-Host connection between
> > FreeBSD 5.2.1 and MacOS X 10.3.3:
>
> Last I knew, 5.2.1 still had broken IPsec. Specifically, the system
> tries to apply the IPsec policy to the IKE traffic giving us a chicken
> and egg problem.
You can "exclude" IKE traffic in the SPD manually. I am still unsure
if this IS a bug. Would need to go through RFCs in detail.
Just skipped through 2401 and what I have found is:
In host systems, applications MAY be allowed to select what security
processing is to be applied to the traffic they generate and consume.
and
The SPD is used to control the flow of ALL traffic through an IPsec
system, including security and key management traffic (e.g., ISAKMP)
from/to entities behind a security gateway. This means that ISAKMP
traffic must be explicitly accounted for in the SPD, else it will be
discarded.
So if I get the problem right, racoon is unable to tell the kernel
that its traffic should 'bypass' IPSec processing?
If this is the remaining problem apart from the yet known (where KAME
people cannot find the time to review at the moment) I may look into
this; have set up my wireless connection on a 5.2.1 notebook (being
updated to HEAD soon) to use IPSec lately so I have a 'testbed' now.
--
Greetings
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
56 69 73 69 74 http://www.zabbadoz.net/
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"