Date: Tue, 30 Mar 2004 22:03:07 +0900
From: Hajimu UMEMOTO <ume@FreeBSD.org>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: Cyrill Rüttimann <ruettimac@mac.com>
Subject: Re: IPSec troubles
Message-ID: <yge8yhipjw4.wl%ume@FreeBSD.org>
In-Reply-To: <Pine.BSF.4.53.0403301225030.714@e0-0.zab2.int.zabbadoz.net>
References: <257C203C-8104-11D8-9902-00039303AB38@mac.com> <Pine.BSF.4.53.0403301115370.714@e0-0.zab2.int.zabbadoz.net> <87BC9FE1-8241-11D8-9782-00039303AB38@mac.com> <Pine.BSF.4.53.0403301225030.714@e0-0.zab2.int.zabbadoz.net>

Hi,
>>>>> On Tue, 30 Mar 2004 12:33:08 +0000 (UTC)
>>>>> "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> said:
bzeeb> What I had to do had been "excluding IKE traffic" by doing s.th.
bzeeb> like this (router side config):
bzeeb> spdadd ROUTER[500] NOTEBOOK[500] udp
bzeeb> -P out none ;
bzeeb> spdadd NOTEBOOK[500] ROUTER[500] udp
bzeeb> -P in none ;
bzeeb> This for sure is not the most nifty way to do but it works.
The per-socket security policy is broken under 5.2.1-RELEASE, and it
was fixed in 5-CURRENT. Racoon uses it to exclude IKE packets from
being a target of IPsec. So, bzeeb's way should work as a workaround.
Sincerely,
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
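
Added example, not part of the original thread: a shell helper that emits the IKE exclusion quoted above for either peer, with the directions mirrored, followed by an IPsec policy for the remaining traffic. The function names, the 192.0.2.x documentation addresses and the ESP transport-mode policy are assumptions; the thread does not show the poster's actual IPsec policy.

```shell
#!/bin/sh
# Constructed example: generate setkey(8) input for one peer of a host pair.

# Loose check: accept only dotted IPv4 literals so that nothing else
# (semicolons, extra directives) reaches setkey's parser.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
        *.*.*.*.*)    return 1 ;;
        *.*.*.*)      return 0 ;;
        *)            return 1 ;;
    esac
}

# Policies that exclude IKE (UDP port 500) between the two hosts from
# IPsec, as in the quoted workaround. $1 = this host, $2 = the remote peer.
ike_bypass() {
    is_ipv4 "$1" && is_ipv4 "$2" || {
        echo "usage: ike_bypass LOCAL PEER" >&2
        return 1
    }
    printf 'spdadd %s[500] %s[500] udp -P out none;\n' "$1" "$2"
    printf 'spdadd %s[500] %s[500] udp -P in none;\n' "$2" "$1"
}

# Full policy for one host: the port-500 exclusion is emitted first, then
# an assumed ESP transport-mode requirement for all other traffic.
peer_policy() {
    ike_bypass "$1" "$2" || return 1
    printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# Router side:   peer_policy 192.0.2.1 192.0.2.10 | setkey -c
# Notebook side: peer_policy 192.0.2.10 192.0.2.1 | setkey -c
```

Running `setkey -DP` afterwards lists the installed policies, so the `none` entries for port 500 can be checked on both hosts.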
