From: Julian Elischer
To: "Crist J. Clark"
Cc: Julian Elischer, net@FreeBSD.ORG
Date: Mon, 12 Aug 2002 22:42:42 -0700 (PDT)
Subject: Re: Racoon question
In-Reply-To: <20020813052619.GD1675@blossom.cjclark.org>

On Mon, 12 Aug 2002, Crist J. Clark wrote:

> On Mon, Aug 12, 2002 at 03:48:56PM -0700, Julian Elischer wrote:
>
> Yeah, known issue which comes up from time to time. It is a common
> headache in IPsec. 'Coulda sworn there was a sysctl(8) to change this
> behavior, but I can't find it. Nor can I Google anything except other
> {Free,Net,Open}BSD and Linux people complaining about the
> problem. This IETF draft explains some of the issues,
>
> http://search.ietf.org/internet-drafts/draft-spencer-ipsec-ike-implementation-02.txt
>
> Maybe you can find some of the solutions that have been offered. It's
> been discussed on various lists (-net, -security, and -questions) many
> times.
>
> But just so you know,
>
> > It occurred to me that this may be because the racoons need to talk
> > across the transport connection that is toasted, so it's a catch-22.
> >
> > I tried setting up port 500 as an exception using 'none'
> > in /etc/ipsec.conf but that seems to confuse things.. it seems unable to
> > decide for any given connection whether to use the [500] or [any]
> > sessions.
>
> This actually is not the problem. IKE/IPsec implementations have to be
> smart enough to handle the negotiations "OOB."

So how does racoon talk "OOB"? Does it add its own SA? How does it stop
its own packets from being thrown away at the far end when they are not
encrypted correctly for the transport-layer IPsec?

Thanks for the pointer.. I'm amazed that no-one has an answer for this..
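For readers who want to see what the "port 500 as an exception using 'none'" attempt in the quoted message looks like, here is a constructed /etc/ipsec.conf in setkey(8) syntax. It is an added illustration, not a file from the thread or from the racoon project: the two host addresses are placeholders, and the ordering of the entries is my choice. It carves UDP/500 (IKE) out of a transport-mode ESP requirement between two hosts, which is the setup the message says left the kernel unable to decide between the [500] and [any] policies; it is shown here only to make that description concrete, not as a confirmed fix.

```conf
# Constructed example: transport-mode ESP between 192.0.2.1 (this host)
# and 192.0.2.2 (peer), with IKE (UDP/500) exempted so racoon can
# negotiate in the clear. Addresses and ordering are assumptions.

flush;
spdflush;

# IKE bypass: let ISAKMP packets in and out with no IPsec processing.
spdadd 192.0.2.1[500] 192.0.2.2[500] udp -P out none;
spdadd 192.0.2.2[500] 192.0.2.1[500] udp -P in  none;

# Everything else between the two hosts must be ESP in transport mode;
# the SAs themselves are left to racoon to negotiate.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
```

Load it with `setkey -f /etc/ipsec.conf` and inspect the result with `setkey -DP`. The open question raised in the thread is whether the kernel's SPD lookup selects the port-specific `none` entries for IKE traffic or falls through to the `any` entries; the message reports that it did not behave consistently, so check `setkey -DP` output and racoon's log rather than assuming the bypass is honored.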