Discussion:
Netbsd-5 racoon: Multiple Phase2 SAs generated when NAT-T enabled
VANHULLEBUS Yvan
2010-01-11 16:18:02 UTC
> Hi Yvan,
Hi.
> Referring to the discussion some time ago (racoon-current having
> problems on NetBSD-5.0 branch systems with and without NAT-T because
> of the kernel's unadjusted PFkey interface [1]), we discovered a similar
> problem using the NetBSD-5.0 branch and its racoon version when using
> NAT-T.
According to your logs, you're using a 0.7.x version of ipsec-tools,
which should still use the "old" PFKey interface also used by NetBSD
(any version actually).

So I fear you found another issue which just looks like the known
PFKey issue !

Just to be sure: does the same exact configuration work with older
versions of NetBSD and/or ipsec-tools ?

> [...]
> Is it possible that all these problems exist because of the kernel's
> PFkey interface not being adjusted to changes in racoon since the
> 5.0 branch or even earlier?
Not afaik: such changes actually happened only in FreeBSD 8.0+ and
ipsec-tools HEAD (which will become 0.8 branch).


Yvan.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development)
2010-01-15 08:12:43 UTC
Hi,
Post by VANHULLEBUS Yvan
> According to your logs, you're using a 0.7.x version of ipsec-tools,
> which should still use the "old" PFKey interface also used by NetBSD
> (any version actually).
Correct. We tried this with the stock racoon (0.7.1nb1) that comes with the NetBSD 5.0-branch.
Post by VANHULLEBUS Yvan
> Just to be sure: does the same exact configuration work with older
> versions of NetBSD and/or ipsec-tools ?
Unfortunately, we didn't test it with something older than NetBSD 5.0-release / ipsec-tools 0.7.1nb1.

We only had these two cases so far:
NetBSD 5.0-release + ipsec-tools 0.7.1nb1 + NAT-T
(this topic, PR kern/42606) -> some new error
NetBSD 5.0-release + ipsec-tools-HEAD (~December 09) + NO NAT-T
(topic [1], PR kern/42592) -> error likely because of the PFkey interface

Btw: I did test the NAT-T-functionality (direct connection, NAT-T forced) on two VMs with NetBSD 5.0.1-release and ipsec-tools 0.7.1nb1 (which is also stock in 5.0.1-release) which resulted in the same error as described in this topic. Without NAT-T, the tunnel came up well.

- Daniel

[1] http://mail-index.netbsd.org/tech-net/2009/12/18/msg001803.html
