From owner-freebsd-net@FreeBSD.ORG Sat Jun 5 06:29:01 2004
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A2FB716A4CE for ; Sat, 5 Jun 2004 06:29:01 -0700 (PDT)
Received: from rackman.netvulture.com (adsl-63-197-17-60.dsl.snfc21.pacbell.net [63.197.17.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id 30C8043D46 for ; Sat, 5 Jun 2004 06:28:57 -0700 (PDT) (envelope-from vulture@netvulture.com)
Received: from netvulture.com (bigv [192.168.2.130]) i55DRnGV053303; Sat, 5 Jun 2004 06:27:50 -0700 (PDT)
Message-ID: <40C1CAA1.5080000@netvulture.com>
Date: Sat, 05 Jun 2004 06:29:05 -0700
From: Jonathan Feally
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Victor Gregorio
References: <1086420241.652.41.camel@localhost>
In-Reply-To: <1086420241.652.41.camel@localhost>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-4.9, required 3, BAYES_00 -4.90)
cc: freebsd-net@freebsd.org
Subject: Re: IPSEC_ESP and if_tun failed
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sat, 05 Jun 2004 13:29:01 -0000

Your problem lies in that vpnc is opening a raw socket to get its ESP packets. However, when you enable ESP in the kernel, the kernel is already taking those packets, so you get the SOCK_RAW error, as vpnc cannot get ESP packets because the kernel is handling them. I do not know if options FAST_IPSEC will solve your problem.

Victor Gregorio wrote:
> Hello.
> I originally posted this to freebsd-questions. I then learned
> about this list and thought my topic was appropriate.
>
> I am running into a problem with using vpnc and isakmpd on the same
> system (not at the same time) on a FreeBSD 5.2.1-RELEASE-p8 system.
>
> With IPSEC enabled in the kernel, vpnc worked fine. Then, I had to
> include IPSEC_ESP so that isakmpd would work. Now, vpnc is broken.
>
> I compiled in IPSEC_DEBUG and did a $ sudo sysctl debug.if_tun_debug=1
> to get some verbose logging. This is what happens...
>
> - I start vpnc as root
> - The client connects
> - vpnc authenticates properly
> - IP address is assigned to tun0
> - The IPSec connection breaks
> - vpnc errors out with: socket(SOCK_RAW): Protocol not supported
> - ifconfig still shows the device tun0 with the assigned IP
>
> /var/log/messages shows this:
> kernel: tun0: open
> kernel: module_register: module if_tun already exists!
> kernel: Module if_tun failed to register: 17
> kernel: can't re-use a leaf (if_tun_debug)!
> kernel: tun0: mtu set
> kernel: tun0: tuninit
> kernel: tun0: address set, error=0
> kernel: tun0: tunoutput
> kernel: tun0: tunoutput
> kernel: tun0: tuninit
> kernel: tun0: address set, error=0
> kernel: tun0: closed
> kernel: tun0: tunoutput
> kernel: tun0: not ready 032
> kernel: tun0: tunoutput
> kernel: tun0: not ready 032
>
> I have been trying to turn off ESP support using sysctl. OpenBSD has an
> OID called net.inet.esp.enable. This OID is not listed in sysctl -a.
>
> Any advice is appreciated.
>
> -Victor
>
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
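The check Jonathan's explanation suggests, as an added example that is not code from the original thread, from vpnc, isakmpd or FreeBSD: open the same kind of raw socket vpnc needs for ESP (IP protocol 50) and classify the errno. EPROTONOSUPPORT is the "Protocol not supported" failure Victor reports, i.e. the kernel will not hand that protocol to userland; EPERM/EACCES only means the caller lacks raw-socket privilege and says nothing about kernel IPsec. The enum names, the diagnosis strings and the probe_raw_socket/classify_raw_socket_errno helpers are this example's own.

```c
/*
 * Added example (not from the original thread, vpnc, isakmpd or FreeBSD).
 * Probes whether the kernel lets a userland raw socket receive IP protocol
 * `ipproto` (IPPROTO_ESP here), which is what vpnc needs for its ESP traffic.
 * The errno mapping follows the thread: EPROTONOSUPPORT is the
 * "socket(SOCK_RAW): Protocol not supported" case seen when the kernel's own
 * ESP input (IPSEC_ESP) owns the protocol; EPERM/EACCES is only a privilege
 * problem (raw sockets need root, or CAP_NET_RAW on Linux).
 */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum raw_probe {
    RAW_OK,                 /* userland can open the raw socket */
    RAW_KERNEL_OWNS_PROTO,  /* kernel refuses: it handles the protocol itself */
    RAW_NO_PRIVILEGE,       /* caller is not allowed to open raw sockets */
    RAW_OTHER               /* anything else */
};

/* Map the errno left by a failed socket(AF_INET, SOCK_RAW, proto) to a diagnosis.
 * errno 0 means the open succeeded. */
enum raw_probe classify_raw_socket_errno(int err)
{
    switch (err) {
    case 0:
        return RAW_OK;
    case EPROTONOSUPPORT:   /* the thread's "Protocol not supported" */
        return RAW_KERNEL_OWNS_PROTO;
    case EPERM:
    case EACCES:            /* unprivileged caller; rerun as root */
        return RAW_NO_PRIVILEGE;
    default:
        return RAW_OTHER;
    }
}

/* Try to open a raw socket for `ipproto`, close it again if it succeeded, and
 * return the diagnosis; *err_out receives errno (0 on success). */
enum raw_probe probe_raw_socket(int ipproto, int *err_out)
{
    int fd = socket(AF_INET, SOCK_RAW, ipproto);
    if (fd < 0) {
        *err_out = errno;
        return classify_raw_socket_errno(*err_out);
    }
    close(fd);
    *err_out = 0;
    return RAW_OK;
}

static const char *describe(enum raw_probe r)
{
    switch (r) {
    case RAW_OK:
        return "userland can receive this protocol on a raw socket";
    case RAW_KERNEL_OWNS_PROTO:
        return "kernel handles this protocol itself (e.g. IPSEC_ESP built in); raw socket refused";
    case RAW_NO_PRIVILEGE:
        return "not permitted to open a raw socket; rerun as root";
    default:
        return "unexpected error";
    }
}

int main(void)
{
    int err;
    enum raw_probe r = probe_raw_socket(IPPROTO_ESP, &err);

    printf("raw ESP socket: %s", describe(r));
    if (err != 0)
        printf(" (errno %d: %s)", err, strerror(err));
    printf("\n");
    return r == RAW_OK ? 0 : 1;
}
```

Run it as root on the box in question: RAW_KERNEL_OWNS_PROTO is the state Jonathan describes, where the kernel's ESP input claims protocol 50 before any userland socket can. Running it unprivileged only ever tells you about privilege, so do not read EPERM as evidence either way about the kernel configuration.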