Subject: IPsec in -current, rsh and host lookups
To: None <tech-net@netbsd.org>
From: Jan Schaumann <jschauma@netbsd.org>
List: tech-net
Date: 07/11/2003 21:00:22
--PEIAKu/WMn1b1Hv9
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hi all,
I've been using rsh and rlogin over ipsec for a while on 1.6.1. Now I
upgraded the kernel to -current (kernel only, not userland), and ipsec
seems to behave weirdly: it correctly encrypts the desired connections,
but when I try to rsh to the other host, it attempts to encrypt a
connection to the nameserver -> ?
The log shows that the connection is made successfully, and telnetting
to port 513 does look normal (ie I do get "Connected to <host>.
Escape character is '^]'."), but then the logs show
Jul 11 20:43:56 amstel racoon: INFO: isakmp.c:798: initiate new phase 1
negotiation: 155.246.89.68[500]<=3D>155.246.1.20[500]=20
Jul 11 20:43:56 amstel racoon: INFO: isakmp.c:803: begin Aggressive
mode.=20
Jul 11 20:44:27 amstel racoon: ERROR: isakmp.c:1776: phase2 negotiation
failed due to time up waiting for phase1. ESP
155.246.1.20->155.246.89.68 =20
Jul 11 20:44:27 amstel racoon: INFO: isakmp.c:1781: delete phase 2
handler.=20
Jul 11 20:44:29 amstel /netbsd: IPv4 ESP input: no key association found
for spi 201407977
(155.246.1.20 is the nameserver provided in /etc/resolv.conf)
Why would it try to connect to the nameserver, and more importantly, why
would it try to use ipsec? /etc/ipsec.conf tells it to only encrypt
traffic to/from ports 513/514.
TIA for all help,
-Jan
--=20
A common mistake that people make when trying to design something completely
foolproof is to underestimate the ingenuity of complete fools.
--PEIAKu/WMn1b1Hv9
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (NetBSD)
iD8DBQE/D12mfFtkr68iakwRAoWaAJ4hRvr72yUW7rr4nxNljMIvTfzS2ACeNlGh
EBh9hpXYLaXv/4iipUZLOho=
=J4sR
-----END PGP SIGNATURE-----
--PEIAKu/WMn1b1Hv9--