From owner-freebsd-net@FreeBSD.ORG Tue Mar 30 03:30:09 2004
Date: Tue, 30 Mar 2004 11:22:08 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: "Crist J. Clark"
cc: freebsd-net@freebsd.org
In-Reply-To: <20040329214057.GA8711@blossom.cjclark.org>
References: <257C203C-8104-11D8-9902-00039303AB38@mac.com> <20040329214057.GA8711@blossom.cjclark.org>
Subject: Re: IPSec troubles
List-Id: Networking and TCP/IP with FreeBSD

On Mon, 29 Mar 2004, Crist J. Clark wrote:

> > I have troubles setting up an IPSec Host-to-Host connection between
> > FreeBSD 5.2.1 and MacOS X 10.3.3:
>
> Last I knew, 5.2.1 still had broken IPsec. Specifically, the system
> tries to apply the IPsec policy to the IKE traffic giving us a chicken
> and egg problem.

You can "exclude" IKE traffic in the SPD manually.

I am still unsure if this IS a bug. Would need to go through RFCs in
detail. Just skipped through 2401 and what I have found is:

    In host systems, applications MAY be allowed to select what security
    processing is to be applied to the traffic they generate and consume.

and

    The SPD is used to control the flow of ALL traffic through an IPsec
    system, including security and key management traffic (e.g., ISAKMP)
    from/to entities behind a security gateway. This means that ISAKMP
    traffic must be explicitly accounted for in the SPD, else it will be
    discarded.

So if I get the problem right racoon is unable to tell the kernel that
its traffic should 'bypass' IPSec processing?

If this is the remaining problem apart from the yet known (where KAME
people cannot find the time to review at the moment) I may look into
this; have set up my wireless connection on a 5.2.1 notebook (being
updated to HEAD soon) to use IPSec lately so I have a 'testbed' now.

-- 
Greetings
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/
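The manual SPD exclusion Bjoern refers to, as an added example that is not from this thread nor from racoon or KAME: a setkey(8) policy script in which IKE on UDP/500 gets a "none" (bypass) policy in both directions while all other traffic between the two hosts requires ESP in transport mode. The host addresses are constructed placeholders, and the claim that KAME's SPD lookup returns the first matching entry (so the specific bypass rules must precede the general require rules) is an assumption.

```shell
#!/bin/sh
# Added example: SPD policies that let IKE (UDP/500) bypass IPsec so racoon can
# negotiate SAs, while every other packet between the two hosts requires ESP.
# Addresses are constructed placeholders, not taken from the thread.
LOCAL=192.0.2.10   # the FreeBSD 5.2.1 host (assumed)
PEER=192.0.2.20    # the Mac OS X peer (assumed)

# Emit a setkey(8) policy script on stdout for the given local/peer pair.
gen_spd() {
    src=$1
    dst=$2
    cat <<EOF
spdflush;
# IKE must not fall under the require policy, or no SA can ever be negotiated.
# Bypass entries come first: KAME's SPD lookup is assumed to return the first
# matching entry, so specific rules must precede the general ones below.
spdadd $src[500] $dst[500] udp -P out none;
spdadd $dst[500] $src[500] udp -P in none;
# Everything else between the two hosts requires ESP in transport mode.
spdadd $src $dst any -P out ipsec esp/transport//require;
spdadd $dst $src any -P in ipsec esp/transport//require;
EOF
}

# Sanity check before loading: both directions of IKE must carry a bypass
# ("none") policy, so the generated script must contain exactly two of them.
count_bypass() {
    gen_spd "$1" "$2" | grep -c -- '-P [a-z]* none;'
}

# With APPLY=1 the policy is loaded into the kernel (root and setkey(8)
# required); otherwise the script is only printed for review.
if [ "${APPLY:-0}" = 1 ]; then
    gen_spd "$LOCAL" "$PEER" | setkey -c
else
    gen_spd "$LOCAL" "$PEER"
fi
```

Verify the loaded policy afterwards with `setkey -DP`; the two `udp ... none` entries should be listed ahead of the `esp/transport//require` entries.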