Subject: Re: bin/30437 recent NATT changes breaks racoon
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: netbsd-bugs
Date: 09/02/2005 15:51:03
The following reply was made to PR bin/30437; it has been noted by GNATS.
From: Emmanuel Dreyfus <manu@netbsd.org>
To: Jeff Ito <jeffi@rcn.com>
Cc: gnats-bugs@netbsd.org, spz@serpens.de
Subject: Re: bin/30437 recent NATT changes breaks racoon
Date: Fri, 2 Sep 2005 15:50:59 +0000
On Fri, Sep 02, 2005 at 11:44:53AM -0400, Jeff Ito wrote:
> On two -current machines with a non-NAT-T kernel and ipsec-tools
> 0.6.1 I still run into errors. I believe that this may be due to
> the fact that ipsec-tools still has nat-t support built in. Perhaps
> this is user error, or some piece of documentation I missed?
ipsec-tools should be able to work with NAT-T enabled on a non-NAT-T
kernel. If it does not, it's a bug.
While awaiting a fix, we might be able to find a workaround. Try this SPD:
spdadd 10.1.1.4/32 10.1.1.5/32 any
-P in ipsec esp/transport/10.1.1.4[0]-10.1.1.5[0]/require;
spdadd 10.1.1.5/32 10.1.1.4/32 any
-P out ipsec esp/transport/10.1.1.5[0]-10.1.1.4[0]/require;
And if it fails, that one:
spdadd 10.1.1.4/32 10.1.1.5/32 any
-P in ipsec esp/transport/10.1.1.4[500]-10.1.1.5[500]/require;
spdadd 10.1.1.5/32 10.1.1.4/32 any
-P out ipsec esp/transport/10.1.1.5[500]-10.1.1.4[500]/require;
That might help.
NB: I'll be AFK until next Friday.
--
Emmanuel Dreyfus
manu@netbsd.org
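Added example, not part of the PR reply or of ipsec-tools: a small Python checker for setkey(8) spdadd statements in the form used above. It verifies that each "in" policy has a mirrored "out" policy, that transport-mode SA endpoints match the selectors, and that all policies use the same SA port ([0] or [500]), which is the difference between the two workarounds. The regex, function names and the deliberately mismatched sample are constructed for this example.

```python
import re

# Shape of the setkey(8) spdadd statements quoted in the reply above:
#   spdadd SRC/LEN DST/LEN UPPER -P DIR ipsec PROTO/MODE/A[port]-B[port]/LEVEL;
SPD_RE = re.compile(
    r"spdadd (?P<src>\S+) (?P<dst>\S+) (?P<upper>\S+) -P (?P<dir>in|out) ipsec "
    r"(?P<proto>\w+)/(?P<mode>\w+)/"
    r"(?P<sa_src>[\d.]+)\[(?P<sa_sport>\d+)\]-(?P<sa_dst>[\d.]+)\[(?P<sa_dport>\d+)\]"
    r"/(?P<level>\w+)")

def parse_spd(text):
    """Split on ';' (a setkey statement may span lines) and parse each spdadd."""
    policies = []
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())  # join continuation lines, squeeze blanks
        if not stmt:
            continue
        m = SPD_RE.fullmatch(stmt)
        if m is None:
            raise ValueError("unrecognised statement: " + stmt)
        policies.append(m.groupdict())
    return policies

def check_spd(text):
    """Return a list of problems found in the SPD text (empty list means consistent)."""
    pols = parse_spd(text)
    problems = []
    # All policies for one peer pair should agree on the SA ports ([0] vs [500]).
    if len({frozenset((p["sa_sport"], p["sa_dport"])) for p in pols}) > 1:
        problems.append("SA ports differ between policies")
    for p in pols:
        # Transport mode: the SA endpoints must be the selector addresses themselves.
        if p["mode"] == "transport" and (p["sa_src"], p["sa_dst"]) != (
                p["src"].split("/")[0], p["dst"].split("/")[0]):
            problems.append("SA endpoints do not match selectors (%s %s)" % (p["dir"], p["src"]))
        if p["dir"] != "in":
            continue
        # Every 'in' policy needs an 'out' twin with addresses and ports swapped.
        twins = [q for q in pols if q["dir"] == "out"
                 and (q["src"], q["dst"]) == (p["dst"], p["src"])
                 and (q["sa_src"], q["sa_sport"], q["sa_dst"], q["sa_dport"])
                 == (p["sa_dst"], p["sa_dport"], p["sa_src"], p["sa_sport"])
                 and (q["proto"], q["mode"], q["level"]) == (p["proto"], p["mode"], p["level"])]
        if not twins:
            problems.append("no mirrored out policy for in %s -> %s" % (p["src"], p["dst"]))
    return problems

# Constructed inputs: the two SPD variants from the reply, plus a mismatched one.
SPD_PORT0 = """spdadd 10.1.1.4/32 10.1.1.5/32 any
-P in ipsec esp/transport/10.1.1.4[0]-10.1.1.5[0]/require;
spdadd 10.1.1.5/32 10.1.1.4/32 any
-P out ipsec esp/transport/10.1.1.5[0]-10.1.1.4[0]/require;"""
SPD_PORT500 = SPD_PORT0.replace("[0]", "[500]")
SPD_MIXED = SPD_PORT0.replace("10.1.1.5[0]-10.1.1.4[0]", "10.1.1.5[500]-10.1.1.4[500]")
```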