Re: IPSec troubles

From: Crist J. Clark (cristjc_at_comcast.net)
Date: 03/31/04

  • Next message: Chance Whaley: "RE: Looking for switch recommendations ..."
    Date: Tue, 30 Mar 2004 15:46:48 -0800
    To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
    
    

    On Tue, Mar 30, 2004 at 11:22:08AM +0000, Bjoern A. Zeeb wrote:
    > On Mon, 29 Mar 2004, Crist J. Clark wrote:
    >
    > > > I have troubles setting up an IPSec Host-to-Host connection between
    > > > FreeBSD 5.2.1 and MacOS X 10.3.3:
    > >
    > > Last I knew, 5.2.1 still had broken IPsec. Specifically, the system
    > > tries to apply the IPsec policy to the IKE traffic giving us a chicken
    > > and egg problem.
    >
    > you can "exclude" IKE traffic in the SPD manually. I am still unsure
    > if this IS a bug. Would need to go through RFCs in detail.

    [snip RFC2401 quotes]

    I don't think we do. I misspoke... er, typed. IPsec _policy_ must be
    applied to every packet (or socket). However, IKE traffic should skip
    IPsec _processing,_ i.e. the IPsec policy should dictate the IKE
    traffic skip IPsec processing.

    > So if I get the problem right racoon is unable to tell the kernel
    > that its traffic should 'bypass' IPSec processing ?

    Yes. Racoon can _no longer_ tell the kernel to bypass using KAME
    IPsec. This used to work. A working racoon binary stopped working as
    of a kernel upgrade between 5.<mumble-mumble> and 5.<mumble-mumble>.
    Racoon will still work fine with FAST_IPSEC.

    Racoon tells the kernel that the IKE socket should be 'bypassed' in
    IPsec processing in the racoon/sockmisc.c:setsockopt_bypass function.

    -- 
    Crist J. Clark                     |     cjclark@alum.mit.edu
                                       |     cjclark@jhu.edu
    http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
    
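The workaround Bjoern mentions (excluding IKE traffic in the SPD by hand, so that racoon's UDP/500 packets are not caught by the host-to-host policy while no SA exists yet) can be expressed as a setkey(8) configuration. The script below is an added example, not code from this thread, from racoon or from KAME; the addresses 10.0.0.1 and 10.0.0.2 are hypothetical placeholders, and the function names are mine. It generates the SPD for a transport-mode ESP setup with explicit bypass entries for IKE in both directions, and includes a small self-check that both bypass entries are present before the policy is loaded.

```shell
#!/bin/sh
# Added example (not from the thread, racoon or KAME): generate a setkey(8)
# SPD for a host-to-host transport-mode setup in which IKE (UDP/500) is
# exempted from IPsec processing. Addresses passed in are hypothetical.

# gen_spd LOCAL_IP PEER_IP
# Prints setkey directives on stdout. The bypass entries are more specific
# (udp, port 500) than the catch-all "require" entries that follow them.
gen_spd() {
    cat <<EOF
# Start from an empty SPD so stale entries cannot shadow these.
spdflush;

# IKE must never fall under the "require" policy below: otherwise the kernel
# holds racoon's own negotiation packets until an SA exists, and that SA can
# only be created by the negotiation being held (the chicken-and-egg case).
spdadd $1[500] $2[500] udp -P out bypass;
spdadd $2[500] $1[500] udp -P in bypass;

# All other traffic between the two hosts must be ESP in transport mode.
spdadd $1 $2 any -P out ipsec esp/transport//require;
spdadd $2 $1 any -P in ipsec esp/transport//require;
EOF
}

# ike_bypass_ok LOCAL_IP PEER_IP
# Succeeds only if the generated SPD carries a bypass entry for UDP/500 in
# both directions; a one-direction exemption still deadlocks the exchange.
ike_bypass_ok() {
    spd=$(gen_spd "$1" "$2")
    printf '%s\n' "$spd" | grep -q "^spdadd $1\[500\] $2\[500\] udp -P out bypass;" &&
    printf '%s\n' "$spd" | grep -q "^spdadd $2\[500\] $1\[500\] udp -P in bypass;"
}

# Usage (as root, on the FreeBSD host):
#   sh ike-bypass-spd.sh 10.0.0.1 10.0.0.2 | setkey -c
# and the mirror image on the peer. Then inspect with: setkey -DP
if [ $# -eq 2 ]; then
    ike_bypass_ok "$1" "$2" || { echo "IKE bypass entries missing" >&2; exit 1; }
    gen_spd "$1" "$2"
fi
```

Two caveats. This only sidesteps the problem described in the message: it does not restore racoon's per-socket bypass (the setsockopt in sockmisc.c), so a racoon that later regains that ability will simply find the SPD entries redundant. And KAME's SPD has no priority field, so rather than relying on listing order, confirm after loading with `setkey -DP` that the UDP/500 entries are present and then watch UDP/500 with tcpdump on both hosts while racoon negotiates; if phase 1 never leaves the wire, the bypass entries are not being matched.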
