Date:      Thu, 11 May 2000 00:33:37 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Ville-Pertti Keinonen <will@iki.fi>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: ipsec 'replay' syslog error messages after reboot of one host
Message-ID:  <200005110733.AAA62618@apollo.backplane.com>
References:  <200005110127.SAA61600@apollo.backplane.com> <863dnplfpw.fsf@not.demophon.com>


:
:
:dillon@apollo.backplane.com (Matthew Dillon) writes:
:
:>     The question is:  What am I forgetting to do?  Or is this a bug in our
:>     IPSEC implementation?
:
:AFAIK this is more or less how it's supposed to work.  IPsec is a
:mess.  Security associations are not stateless, ESP provides replay
:protection using a sequence number.  Replay-prevention is, however,
:optional, and the setkey manual page claims it to be off by default,
:so it could be a bug...you might want to try specifying -r 0
:explicitly.

    IPSec isn't well documented, but once I figured out the config
    file it didn't seem too bad.  I am guessing that replay prevention
    is turned on by default, but specifying '-f cyclic-seq' in the
    setkey config file at the appropriate place appears to solve the
    problem.  I haven't tried testing with packet loss to see if it
    can survive a noisy network.

    I had to fix up /etc/rc.network a little to load the ipsec rules
    at the appropriate point (just after the interface and ipfw setup,
    but before any services (like NFS) are run).  I am going to put the
    (relatively simple) patch for rc.network up for a quick review and
    then commit it along with an example file and a reference to the
    example file in the man page.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>
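The messages above turn on the ESP anti-replay window that the quoted reply mentions: the receiver keeps the highest sequence number seen on the SA plus a bitmap of recent ones, and with manually keyed SAs that state survives a peer's reboot while the peer's own counter restarts at 1. The following Python model is added here as an illustration; it is not code from this thread or from the FreeBSD IPsec stack. It assumes an RFC 4303-style sliding window (64 packets is the assumed default) and uses constructed sequence numbers to show why every packet after the reboot is logged as a replay until the SA is re-established.

```python
"""Sliding-window anti-replay check in the style of RFC 4303 (ESP).

Added illustration, not the kernel's implementation.  Sequence numbers are
constructed for the demonstration.
"""


class AntiReplayWindow:
    """Receiver-side anti-replay state for one security association."""

    def __init__(self, size=64):
        self.size = size      # window width in packets (assumed default: 64)
        self.last = 0         # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  <=>  sequence (last - i) was seen

    def check_and_update(self, seq):
        """Return True if `seq` is fresh (and record it), False if rejected."""
        if seq == 0:
            return False  # RFC 4303: the first packet on an SA carries seq 1
        if seq > self.last:
            # Right edge moves forward; slide the bitmap and mark `seq` seen.
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # everything previously seen falls off the left edge
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False  # older than the window: rejected as a replay
        if self.bitmap & (1 << diff):
            return False  # already received: a true duplicate/replay
        self.bitmap |= 1 << diff
        return True  # late but unseen packet inside the window


def simulate_peer_reboot(window_size=64, before=200, after=10):
    """Model the failure mode from the thread.

    Returns (accepted_before, rejected_after_reboot, accepted_on_fresh_sa).
    """
    rx = AntiReplayWindow(window_size)
    accepted_before = sum(rx.check_and_update(s) for s in range(1, before + 1))

    # The sender reboots.  With manual keying the SA (and the receiver's
    # window state) persists, but the sender's counter starts again at 1,
    # so every packet looks like a replay to the receiver.
    rejected_after = sum(not rx.check_and_update(s) for s in range(1, after + 1))

    # Re-installing the SA on the receiver gives it fresh window state, which
    # is what re-loading the setkey rules on the rebooted side's peer achieves.
    fresh = AntiReplayWindow(window_size)
    accepted_fresh = sum(fresh.check_and_update(s) for s in range(1, after + 1))
    return accepted_before, rejected_after, accepted_fresh


if __name__ == "__main__":
    ok_before, bad_after, ok_fresh = simulate_peer_reboot()
    print(f"accepted before reboot: {ok_before}")
    print(f"rejected after peer reboot (stale window): {bad_after}")
    print(f"accepted after re-keying the SA: {ok_fresh}")
```

Note that the rejection happens whether or not the old traffic volume exceeds the window: sequence numbers below the window's left edge are dropped as too old, and those inside it are dropped because the bitmap already marks them as seen. Either way the receiver cannot distinguish the rebooted peer from a replayed capture, which is exactly the property the check exists to provide.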

