Re: ports/security/vpnc vs built-in IPSec?




Andrew Reilly wrote:
Hi there,

I used ports/security/vpnc with some success some time ago, but
then stopped because I didn't need it. Since then I've
upgraded my -STABLE many times, and portupgrade has upgraded
vpnc at least once, and now it doesn't seem to work anymore.
I've been poking it quite vigorously this afternoon, without
much success: I can start it from the command line, with
debugging turned on and no-disconnect from the control terminal,
and can see from the debug trace that connection, authentication and
network route setup all seem perfect. Just no packets ever seem
to get through the tun0 link.

I'm running -CURRENT so the situation isn't identical, but vpnc works fine
here. This is through NAT with vpnc-0.4.0_1

{root@prawn}#vpnc
add host 80.169.168.42: gateway 192.168.10.2
add net 10.49.11.0: gateway 10.100.223.50
add net 10.44.19.0: gateway 10.100.223.50
VPNC started in background (pid: 24376)...
[~](14:19:30)
{root@prawn}#!ftp
-su: !ftp: event not found
[~](14:19:32)
{root@prawn}#ftp 10.49.11.252
Connected to 10.49.11.252.
220 Access to this system is restricted to authorised users only. If you
are not authorised please disconnect now. All transfers are logged.
Name (10.49.11.252:jhary): ^C

[~](14:20:07)
{root@prawn}#vpnc-disconnect
Terminating vpnc daemon (pid: 24376)



Now, I remember from long ago that vpnc does not like IPSec in
the kernel, because (from memory) the kernel gets to the esp
packets before vpnc (which handles them in user-space), and the
wrong thing happens. The difference, now, seems to be that
there is no longer a config option to disable IPSEC. Or is
there?

Is there any way to disable kernel IPSEC in 6-STABLE?

It's not enabled in GENERIC, so you won't have IPSEC unless you have built
a custom kernel.

Can't offer much beyond that though, I'm afraid. Has it set up the routing
correctly?

Sorry I can't help more,
Vince


There doesn't seem to be anything in kldstat to indicate that
any ipsec foo has been dynamically loaded. Indeed, there
doesn't seem to be anything in sysctl -a relating to ipsec
either: does that mean that it somehow *is* disabled?

Any other thoughts on how to improve my situation?

Cheers,




_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
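A small diagnostic for the two things Vince asks about (is IPsec compiled into the kernel, and did vpnc's routes actually land on tun0), added here as an example and not part of the original thread. It assumes FreeBSD 6-era output formats: net.inet.ipsec.* sysctls exist only in a kernel built with options IPSEC, and netstat -rn abbreviates trailing-zero network destinations (10.49.11/24); every input below is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the original mail): from saved `sysctl -a` and
# `netstat -rn` output, tell whether the kernel has IPsec and whether the
# routes vpnc announced really use tun0. All sample data is constructed.
# With "options IPSEC" the KAME stack registers net.inet.ipsec.* sysctls;
# no such node means the kernel was built without IPsec, as GENERIC is.
kernel_has_ipsec() {            # stdin: output of `sysctl -a`
    grep -q '^net\.inet\.ipsec\.'
}

# vpnc prints one "add net|host <dest>: gateway <gw>" line per route it adds.
# Read those from stdin, look each destination up in the netstat -rn text $1,
# and flag net routes that are missing or not on interface $2 (the host
# route to the VPN gateway itself rightly stays on the physical uplink).
check_vpnc_routes() {           # $1: netstat -rn text, $2: tun interface
    awk -v rt="$1" -v tun="$2" '
    BEGIN {
        m = split(rt, lines, "\n")
        for (i = 1; i <= m; i++) {
            n = split(lines[i], f, /[ \t]+/)
            if (n < 6 || f[1] == "Destination") continue   # skip headers
            d = f[1]; sub(/\/[0-9]+$/, "", d)               # drop /24 suffix
            netif[d] = f[6]                                  # Netif column
        }
    }
    /^add (net|host) / {
        d = $3; sub(/:$/, "", d)
        k = d; sub(/\.0$/, "", k)       # netstat shows 10.49.11.0 as 10.49.11
        ifc = (d in netif) ? netif[d] : ((k in netif) ? netif[k] : "")
        if (ifc == "")                      { print "missing route: " d; bad++ }
        else if ($2 == "net" && ifc != tun) { print d " is on " ifc ", not " tun; bad++ }
        else                                  print "ok: " d " via " ifc
    }
    END { if (bad) exit 1; exit 0 }'
}

# Constructed samples: a GENERIC-style sysctl dump, the routes from the vpnc
# session above, and routing tables with and without vpnc's net routes.
SYSCTL_GENERIC='net.inet.ip.forwarding: 0
net.inet.tcp.mssdflt: 512'
VPNC_OUT='add host 80.169.168.42: gateway 192.168.10.2
add net 10.49.11.0: gateway 10.100.223.50
add net 10.44.19.0: gateway 10.100.223.50'
GOOD_RT='Destination      Gateway         Flags  Refs  Use  Netif Expire
10.44.19/24      10.100.223.50   UGS    0     5    tun0
10.49.11/24      10.100.223.50   UGS    0     9    tun0
80.169.168.42    192.168.10.2    UGHS   0     40   em0'
BAD_RT='80.169.168.42    192.168.10.2    UGHS   0     40   em0'

printf '%s\n' "$SYSCTL_GENERIC" | kernel_has_ipsec || echo "no net.inet.ipsec sysctls: kernel has no IPSEC"
printf '%s\n' "$VPNC_OUT" | check_vpnc_routes "$GOOD_RT" tun0
printf '%s\n' "$VPNC_OUT" | check_vpnc_routes "$BAD_RT" tun0 || echo "vpnc's net routes are missing; nothing will enter tun0"
```

On a real box, feed the functions the saved output of sysctl -a, netstat -rn and the vpnc debug trace instead of the constructed strings.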
