Date:      Mon, 12 Aug 2002 22:42:42 -0700 (PDT)
From:      Julian Elischer <julian@elischer.org>
To:        "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc:        Julian Elischer <julian@vicor.com>, net@FreeBSD.ORG
Subject:   Re: Racoon question
Message-ID:  <Pine.BSF.4.21.0208122240080.13960-100000@InterJet.elischer.org>
In-Reply-To: <20020813052619.GD1675@blossom.cjclark.org>



On Mon, 12 Aug 2002, Crist J. Clark wrote:

> On Mon, Aug 12, 2002 at 03:48:56PM -0700, Julian Elischer wrote:
> 
> Yeah, known issue which comes up from time to time. It is a common
> headache in IPsec. 'Coulda sworn there was a sysctl(8) to change this
> behavior, but I can't find it. Nor can I Google anything except other
> {Free,Net,Open}BSD and Linux people complaining about the
> problem. This IETF draft explains some of the issues,
> 
>   http://search.ietf.org/internet-drafts/draft-spencer-ipsec-ike-implementation-02.txt
> 
> Maybe you can find some of the solutions that have been offered. It's
> been discussed on various lists (-net, -security, and -questions) many
> times.
> 
> But just so you know,
> 
> > It occurred to me that this may be because the racoons need to talk
> > across the transport connection that is toasted so it's a catch-22.
> >
> > I tried setting up port 500 as an exception using 'none'
> > in /etc/ipsec.conf but that seems to confuse things.. it seems unable to
> > decide for any given connection whether to use the [500] or [any]
> > sessions.
> 
> This actually is not the problem. IKE/IPsec implementations have to be
> smart enough to handle the negotiations "OOB."

So how does racoon talk "OOB"? Does it add its own SA?
How does it stop its own packets from being thrown away at the
far end when they are not encrypted correctly for the transport layer
ipsec?


thanks for the pointer ..

I'm amazed that no-one has an answer for this..






