Date: Tue, 13 Aug 2002 09:57:29 -0400
From: "Cambria, Mike" <mcambria@avaya.com>
To: 'Julian Elischer' <julian@elischer.org>, "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org>
Subject: RE: Racoon question
Message-ID: <3A6D367EA1EFD4118C9B00A0C9DD99D7E4EC98@rerun.avayactc.com>
> On Mon, 12 Aug 2002, Crist J. Clark wrote:
>
> > On Mon, Aug 12, 2002 at 03:48:56PM -0700, Julian Elischer wrote:
> >
> > Yeah, known issue which comes up from time to time. It is a common
> > headache in IPsec. 'Coulda sworn there was a sysctl(8) to change this
> > behavior, but I can't find it. Nor can I Google anything except other
> > {Free,Net,Open}BSD and Linux people complaining about the
> > problem. This IETF draft explains some of the issues,
> >
> > http://search.ietf.org/internet-drafts/draft-spencer-ipsec-ike-implementation-02.txt
> >
> > Maybe you can find some of the solutions that have been offered. It's
> > been discussed on various lists (-net, -security, and -questions) many
> > times.
> >
> > But just so you know,
> >
> > > It occurred to me that this may be because the racoons need to talk
> > > across the transport connection that is toasted so it's a catch-22.
> > >
> > > I tried setting up port 500 as an exception using 'none'
> > > in /etc/ipsec.conf but that seems to confuse things.. it seems unable to
> > > decide for any given connection whether to use the [500] or [any]
> > > sessions.
> >
> > This actually is not the problem. IKE/IPsec implementations have to be
> > smart enough to handle the negotiations "OOB."
>
> So how does racoon talk "OOB"? Does it add its own SA? How does it stop
> its own packets from being thrown away at the far end when they are not
> encrypted correctly for the transport layer IPsec?

The IKE connection between 2 endpoints (port 500 on both ends usually) does
_not_ get protected by a SA. So there should not be any racoon.conf nor IPsec
configuration for these ports. Regardless of tunnel mode or transport mode,
implementations need to "poke a hole" in the SPD so to speak to allow for this
(and possibly other, like DNS) traffic.

Just in case you still need it, here is syntax that works for me for
racoon.conf and setkey to set up specific ports/protocols.

racoon:

    sainfo address 100.1.1.0/24 [23] tcp address 100.1.2.0/24 [any] tcp
    {
    }

setkey:

    spdadd 10.1.1.0/24[23] 10.1.2.0/24[any] tcp -P in ipsec
        esp/tunnel/10.1.1.1-10.1.2.1/require ;

MikeC
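The setkey line in the message above covers only the "-P in" direction. As an added example (not code from the thread or from the racoon/KAME project), the shell function below emits both SPD entries for such a port-restricted tunnel-mode policy: the inbound one exactly as posted, plus the outbound entry it is normally paired with, which is the mirror image with source/destination selectors and tunnel endpoints swapped. The function name `spd_pair` and all addresses, ports and gateways are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: emit the matching pair of setkey(8)
# SPD entries (outbound and inbound) for a tunnel-mode policy limited to
# one protocol/port.  All addresses and ports below are constructed values.

# spd_pair LOCAL_NET LOCAL_PORT REMOTE_NET REMOTE_PORT PROTO LOCAL_GW REMOTE_GW
# Prints two spdadd statements in setkey(8) syntax.
spd_pair() {
    lnet=$1 lport=$2 rnet=$3 rport=$4 proto=$5 lgw=$6 rgw=$7
    # outbound: traffic from our network to the remote network, tunnelled
    # from our security gateway to theirs
    printf 'spdadd %s[%s] %s[%s] %s -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$lnet" "$lport" "$rnet" "$rport" "$proto" "$lgw" "$rgw"
    # inbound: the same selector reversed, tunnelled from their gateway to ours
    printf 'spdadd %s[%s] %s[%s] %s -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$rnet" "$rport" "$lnet" "$lport" "$proto" "$rgw" "$lgw"
}

# Local side 10.1.2.0/24 (gateway 10.1.2.1) talking telnet (tcp/23) to hosts
# in 10.1.1.0/24 (gateway 10.1.1.1).  The second printed line reproduces the
# "-P in" policy from the message; the first is its outbound counterpart.
spd_pair 10.1.2.0/24 any 10.1.1.0/24 23 tcp 10.1.2.1 10.1.1.1
```

To load the pair into the kernel, pipe the output into `setkey -c`, which reads operations from standard input; `setkey -DP` then shows the resulting SPD so the two directions can be checked against each other.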