Subject: Re: bin/30437 recent NATT changes breaks racoon
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: netbsd-bugs
Date: 09/02/2005 15:51:03
The following reply was made to PR bin/30437; it has been noted by GNATS.

From: Emmanuel Dreyfus <manu@netbsd.org>
To: Jeff Ito <jeffi@rcn.com>
Cc: gnats-bugs@netbsd.org, spz@serpens.de
Subject: Re: bin/30437 recent NATT changes breaks racoon
Date: Fri, 2 Sep 2005 15:50:59 +0000

 On Fri, Sep 02, 2005 at 11:44:53AM -0400, Jeff Ito wrote:
 > On two -current machines with a non-NAT-T kernel and ipsec-tools
 > 0.6.1 I still run into errors.  I believe that this may be due to
 > the fact that ipsec-tools still has NAT-T support built in.  Perhaps
 > this is user error, or some piece of documentation I missed?
 
 ipsec-tools should be able to work with NAT-T enabled on a non-NAT-T
 kernel. If it does not, it's a bug.
 
 While awaiting a fix, we might be able to find a workaround. Try this SPD:
 spdadd 10.1.1.4/32 10.1.1.5/32 any
     -P in ipsec esp/transport/10.1.1.4[0]-10.1.1.5[0]/require;
 spdadd 10.1.1.5/32 10.1.1.4/32 any
     -P out ipsec esp/transport/10.1.1.5[0]-10.1.1.4[0]/require;
 
 And if it fails, that one:
 spdadd 10.1.1.4/32 10.1.1.5/32 any
     -P in ipsec esp/transport/10.1.1.4[500]-10.1.1.5[500]/require;
 spdadd 10.1.1.5/32 10.1.1.4/32 any
     -P out ipsec esp/transport/10.1.1.5[500]-10.1.1.4[500]/require;
 
 That might help.
 
 NB: I'll be AFK until next Friday.
 
 
 -- 
 Emmanuel Dreyfus
 manu@netbsd.org
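A consistency check for the SPD pairs given in the message, added here as an example (it is not part of the PR thread or of ipsec-tools): it parses the setkey spdadd syntax shown above from a constructed copy of the first workaround and flags in/out rules whose endpoints or ports are not mirror images of each other. It assumes every rule has the proto/mode/src[port]-dst[port]/level shape used in the message; the function names and the sample are mine.

```python
import re

# Constructed copy of the first workaround SPD from the message above, laid
# out as setkey reads it (a rule may continue on the next line).
SAMPLE_SPD = """
spdadd 10.1.1.4/32 10.1.1.5/32 any
    -P in ipsec esp/transport/10.1.1.4[0]-10.1.1.5[0]/require;
spdadd 10.1.1.5/32 10.1.1.4/32 any
    -P out ipsec esp/transport/10.1.1.5[0]-10.1.1.4[0]/require;
"""

# One spdadd rule: selector, direction, proto/mode/src[port]-dst[port]/level.
RULE_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+(?P<proto>esp|ah)/(?P<mode>transport|tunnel)/"
    r"(?P<ep_src>[^\[\s]+)\[(?P<p_src>\d+)\]-(?P<ep_dst>[^\[\s]+)\[(?P<p_dst>\d+)\]"
    r"/(?P<level>\w+)\s*;"
)

def parse_spd(text):
    """Return one dict per spdadd rule found in a setkey configuration."""
    return [m.groupdict() for m in RULE_RE.finditer(text)]

def host(selector):
    """Strip the prefix length from a selector such as 10.1.1.4/32."""
    return selector.split("/")[0]

def check_pairs(rules):
    """List problems; empty means each 'in' rule has an 'out' rule with swapped
    selectors, endpoints and ports, and transport endpoints match the hosts."""
    problems = []
    for r in rules:
        if r["mode"] == "transport" and (
            r["ep_src"] != host(r["src"]) or r["ep_dst"] != host(r["dst"])):
            problems.append(f"{r['dir']} {r['src']}->{r['dst']}: "
                            "transport endpoints differ from selector hosts")
        if r["dir"] != "in":
            continue
        mirror = [o for o in rules if o["dir"] == "out"
                  and o["src"] == r["dst"] and o["dst"] == r["src"]]
        if not mirror:
            problems.append(f"in {r['src']}->{r['dst']}: no mirrored out rule")
            continue
        o = mirror[0]
        if (o["ep_src"], o["p_src"], o["ep_dst"], o["p_dst"]) != (
                r["ep_dst"], r["p_dst"], r["ep_src"], r["p_src"]):
            problems.append(f"in {r['src']}->{r['dst']}: out rule endpoints or "
                            "ports are not the mirror image")
    return problems
```

Running check_pairs over the second workaround (the [500] variant) works the same way, since only the port values differ.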