Subject: Re: w2k vs opencrypto
To: Love <lha@stacken.kth.se>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 12/14/2003 12:49:27

On Sun, Dec 14, 2003 at 06:22:31PM +0100, Love wrote:
>
> Hi
>
> I just turned off opencrypto and suddenly all my problems I've had talking
> to my w2k test machine with rdesktop just vanished.
>
> w2k sp4, racoon + kame ipsec, all fine
> w2k sp4, racoon + opencrypto ipsec, loses when the SA expire.
>
> Doing "setkey -F ; ping -c 1 w2k-machine" seems to make it recover
> (sometimes)

Do you mean "opencrypto" or "fast IPsec"? It's possible that either:

* the opencrypto userland interface is hosed, such that openssl is losing
  somehow (but this seems unlikely unless you have hardware acceleration)

* somehow racoon and fast_ipsec have their knickers in a twist about what
  to do on/with the PF_KEY socket when an SA expires. That wouldn't
  surprise me _too_ much; I've seen this happen even with certain versions
  of racoon and certain versions of the KAME kernel code (it happens on
  MacOS X *all the time*).

Maybe you could test with isakmpd?

Thor