From: Brian A. S. <lav...@sp...> - 2007-06-06 04:17:32

Guys: I really don't know what's up with this code. I decided to recompile
racoon(8) w/o NAT-T. I have support patched into my RELENG_6 kernel sources.
Most of my clients are behind generic residential class stateful NAT
routers/firewalls. I've confirmed with two OS/X clients and two WinXP clients
that they can connect w/o NAT-T Tunneling. It was my understanding that both
ends needed to be aware of NAT-T, and the intermediary router as well
(semi-stateful UDP).

Deletion and re-creation of tunnels works fine. Disconnecting clients leave
stale SPD/SAD entries still, but upon reconnect they seem to be properly
overwritten. Perhaps this is platform specific. Are any of the primary
developers on FBSD?

~BAS

On Tue, 5 Jun 2007, Brian A. Seklecki wrote:

> When I break out of a foreground racoon(8), I get several of these:
>
> 020f1600 0e000000 00000000 e26a0000 03000500 ff200000 10020000 8190000a
> 00000000 00000000 03000600 ff000000 10020000 00000000 00000000 00000000
> 04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 02001200 020001cd 00000000 cdcdcdcd
> 2007-06-05 23:59:37: ERROR: pfkey X_SPDDELETE failed: Invalid argument
>
> As I understand it, X_SPDDELETE is a sysctl in src/sys/netkey/key.c and
> src/sys/netipsec/key.c.
>
> ~BAS
>
> On Tue, 5 Jun 2007, Brian A. Seklecki wrote:
>
>> Here is my (semi) working cisco vpn config:
>>
>> ----------------------------------------------------------
>>
>> path include "/etc/racoon" ;
>> path pre_shared_key "/etc/racoon/psk.txt" ;
>> path script "/etc/racoon" ;
>>
>> log info;
>>
>> remote anonymous {
>>         exchange_mode aggressive;
>>         doi ipsec_doi;
>>         nonce_size 16;
>>         lifetime time 1440 min;    # sec,min,hour
>>         initial_contact off;
>>
>>         proposal_check obey;       # obey, strict or claim
>>
>>         my_identifier fqdn "headend";
>>         verify_identifier off;
>>
>>         support_proxy off;
>>         ike_frag on;
>>
>>         mode_cfg on;
>>         weak_phase1_check on;
>>         #script "phase1_up.sh" phase1_up;
>>         #script "phase1_down.sh" phase1_down;
>>         generate_policy on;
>>         passive on;
>>         nat_traversal on;
>>
>>         #### Roadwarriors
>>         proposal {
>>                 encryption_algorithm 3des;
>>                 hash_algorithm sha1;
>>                 authentication_method xauth_psk_server;
>>                 #dh_group modp1023;
>>                 dh_group 2;
>>         }
>> }
>>
>> sainfo anonymous {
>>         encryption_algorithm 3des;
>>         authentication_algorithm hmac_sha1;
>>         compression_algorithm deflate;
>>         lifetime time 3600 sec;
>>         pfs_group 2;
>> }
>>
>> mode_cfg {
>>         auth_source system;
>>         auth_groups "ipsec";
>>         group_source system;
>>         conf_source local;
>>         pool_size 15;
>>         network4 129.144.0.10;
>>         netmask4 255.255.255.255;
>>         dns4 192.168.4.55;
>>         wins4 192.168.4.55;
>>         split_network include 192.168.3.0/24, 129.144.0.0/12;
>>         default_domain "tellmeaboutyourhate.com";
>>         split_dns "tellmeaboutyourhate.com";
>> }
>>
>> ----------------------------------------------------------
>>
>> I'm running -rHEAD src from NetBSD CVS on FreeBSD.
>>
>> I'm half-tempted to install Fedora and try again.
>>
>> ~BAS
>>
>> On Tue, 5 Jun 2007, Brian A. Seklecki wrote:
>>
>>> I have the experimental code in HEAD working; partially. There are
>>> issues deleting SPD/SAD entries when clients disconnect. I may play with
>>> that more tonight.
>>>
>>> FreeBSD 6.2/i386.
>>>
>>> ~BAS
>>>
>>> On Tue, 5 Jun 2007, spo...@sm... wrote:
>>>
>>>> Hi,
>>>>
>>>> is there anybody who has got a working configuration using the racoon
>>>> split_network option in combination with the Cisco VPN Client?
>>>>
>>>> The full-tunnel mode works fine with the CiscoVPN Client, but the split_network
>>>> option doesn't work. The client connects fine and receives the given network
>>>> options. But it seems the Client doesn't send any packages through the tunnel.
>>>>
>>>> Regards,
>>>>
>>>> Sebastian
>>>>
>>>> -------------------------------------------------------------------------
>>>> This SF.net email is sponsored by DB2 Express
>>>> Download DB2 Express C - the FREE version of DB2 express and take
>>>> control of your XML. No limits. Just data. Click to get it now.
>>>> http://sourceforge.net/powerbar/db2/
>>>> _______________________________________________
>>>> Ipsec-tools-devel mailing list
>>>> Ips...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
>>>
>>> l8*
>>> -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
>>> http://www.spiritual-machines.org/
>>>
>>> "Guilty? Yeah. But he knows it. I mean, you're guilty.
>>> You just don't know it. So who's really in jail?"
>>> ~James Maynard Keenan
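The hex block quoted in the thread is a raw PF_KEY message as racoon dumped it. The decoder below is an added example, not code from the thread or from ipsec-tools; it walks the sadb_msg header and each extension using the KAME/FreeBSD pfkeyv2.h type numbers (assumed, since the poster is on FreeBSD 6.2/i386, which also fixes little-endian host byte order), and shows that the dump is the kernel's SADB_X_SPDDELETE reply carrying errno 22 (EINVAL) for an inbound policy from 129.144.0.10/32 to 0.0.0.0/0.

```python
import errno
import struct
from ipaddress import IPv4Address

# The four hex lines racoon printed, copied from the message above.
DUMP = """
020f1600 0e000000 00000000 e26a0000 03000500 ff200000 10020000 8190000a
00000000 00000000 03000600 ff000000 10020000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
02001200 020001cd 00000000 cdcdcdcd
"""

# Message and extension type numbers from the KAME/FreeBSD pfkeyv2.h
# (assumed: the poster is on FreeBSD; Linux numbers the SPD messages differently).
MSG_TYPES = {14: "SADB_X_SPDADD", 15: "SADB_X_SPDDELETE", 22: "SADB_X_SPDDELETE2"}
EXT_TYPES = {3: "LIFETIME_HARD", 4: "LIFETIME_SOFT", 5: "ADDRESS_SRC",
             6: "ADDRESS_DST", 18: "X_POLICY"}
POLICY_DIRS = {1: "inbound", 2: "outbound"}

def parse_pfkey(hexdump):
    """Decode one PF_KEY v2 message (little-endian host): sadb_msg header, then extensions."""
    raw = bytes.fromhex(hexdump)              # fromhex skips the whitespace and newlines
    ver, mtype, err, _satype, length, _res, seq, pid = struct.unpack_from("<BBBBHHII", raw, 0)
    if ver != 2 or length * 8 != len(raw):    # sadb_msg_len is in 8-byte units
        raise ValueError("not a PF_KEY v2 message, or sadb_msg_len does not match the dump")
    msg = {"type": MSG_TYPES.get(mtype, mtype), "errno": err,
           "errname": errno.errorcode.get(err, "?"), "seq": seq, "pid": pid, "ext": []}
    off = 16                                  # sizeof(struct sadb_msg)
    while off < len(raw):
        elen, etype = struct.unpack_from("<HH", raw, off)   # every extension starts len, type
        body = raw[off + 4: off + elen * 8]
        name = EXT_TYPES.get(etype, etype)
        if etype in (5, 6):                   # sadb_address followed by a BSD sockaddr_in
            proto, plen, _, _, fam, _port = struct.unpack_from("<BBHBBH", body, 0)
            if fam != 2:                      # AF_INET only; sin_addr is kept in wire order
                raise ValueError("only AF_INET addresses handled")
            msg["ext"].append((name, "%s/%d proto=%d" % (IPv4Address(body[8:12]), plen, proto)))
        elif etype == 18:                     # sadb_x_policy: type, dir, reserved, id, priority
            ptype, pdir, res, _pid, prio = struct.unpack_from("<HBBII", body, 0)
            # reserved and priority read back as 0xcd fill rather than zero in this dump
            msg["ext"].append((name, ptype, POLICY_DIRS.get(pdir, pdir), res, prio))
        else:
            msg["ext"].append((name, body.hex()))
        off += elen * 8
    return msg

if __name__ == "__main__":
    for key, val in parse_pfkey(DUMP).items():
        print(key, val)
```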