tech-net archive


Re: Netbsd-5 racoon: Multiple Phase2 SAs generated when NAT-T enabled



On Mon, Jan 11, 2010 at 04:40:42PM +0100, Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development) wrote:
> Hi Yvan,

Hi.


> referring to the discussion some time ago (racoon-current having
> problems on NetBSD-5.0 branch systems with and without NAT-T because
> of the kernel's unadjusted PFkey interface [1]) we discovered a similar
> problem using the NetBSD-5.0 branch and its racoon version when using
> NAT-T.

According to your logs, you're using a 0.7.x version of ipsec-tools,
which should still use the "old" PFKey interface also used by NetBSD
(any version actually).

So I fear you found another issue which just looks like the known
PFKey issue!

Just to be sure: does the same exact configuration work with older
versions of NetBSD and/or ipsec-tools?

[...]
> Is it possible that all these problems exist because of the kernel's
> PFkey interface not being adjusted to changes in racoon since the
> 5.0 branch or even earlier?

Not afaik: such changes actually happened only in FreeBSD 8.0+ and
ipsec-tools HEAD (which will become 0.8 branch).


Yvan.
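One way to confirm the symptom reported in this thread (extra Phase2 SAs appearing when NAT-T is in use) is to count the mature SAs the kernel holds per peer pair, protocol and reqid from a `setkey -D` SAD dump. The script below is an added example for this archive page, not code from ipsec-tools or from either poster. It assumes the `setkey -D` layout where each SA starts with an unindented `src dst` header line followed by tab-indented lines, that NAT-T SAs print as `esp-udp` with `[port]` suffixes on the addresses, and it uses a constructed sample dump with made-up addresses and SPIs. A normal rekey briefly leaves one `mature` plus one `dying` SA, so only `mature` entries are counted.

```python
import re
from collections import defaultdict

# Constructed sample of `setkey -D` output (addresses, SPIs and timestamps made up).
# Outbound direction carries one dying SA from a rekey plus TWO mature SAs with the
# same reqid, which is the duplicate-Phase2 symptom; inbound is healthy.
SAMPLE_SAD = (
    "192.0.2.10[4500] 198.51.100.7[4500]\n"
    "\tesp-udp mode=tunnel spi=4095(0x00000fff) reqid=1(0x00000001)\n"
    "\tE: aes-cbc  00010203 04050607 08090a0b 0c0d0e0f\n"
    "\tA: hmac-sha1  00010203 04050607 08090a0b 0c0d0e0f 10111213\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=dying\n"
    "\tcreated: Jan 11 15:40:42 2010\tcurrent: Jan 11 16:41:00 2010\n"
    "\tsadb_seq=2 pid=1234 refcnt=0\n"
    "\tesp-udp mode=tunnel spi=4096(0x00001000) reqid=1(0x00000001)\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
    "\tcreated: Jan 11 16:40:42 2010\tcurrent: Jan 11 16:41:00 2010\n"
    "\tsadb_seq=1 pid=1234 refcnt=0\n"
    "\tesp-udp mode=tunnel spi=4097(0x00001001) reqid=1(0x00000001)\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
    "\tcreated: Jan 11 16:40:43 2010\tcurrent: Jan 11 16:41:00 2010\n"
    "\tsadb_seq=0 pid=1234 refcnt=0\n"
    "198.51.100.7[4500] 192.0.2.10[4500]\n"
    "\tesp-udp mode=tunnel spi=8192(0x00002000) reqid=1(0x00000001)\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
    "\tcreated: Jan 11 16:40:42 2010\tcurrent: Jan 11 16:41:00 2010\n"
    "\tsadb_seq=3 pid=1234 refcnt=0\n"
)

# Unindented "src dst" line that opens a block of SAs for one address pair.
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")
# First indented line of each SA: protocol, mode, decimal SPI and decimal reqid.
SA_RE = re.compile(
    r"^\s+(esp|esp-udp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)\(0x[0-9a-fA-F]+\)\s+reqid=(\d+)"
)
STATE_RE = re.compile(r"state=(\w+)")


def parse_sad(dump):
    """Turn a `setkey -D` dump into a list of SA dicts (assumed layout, see lead-in)."""
    sas = []
    pair = None       # (src, dst) of the header currently in force
    current = None    # SA dict whose detail lines we are still reading
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = HEADER_RE.match(line)
            if m:
                pair = (m.group(1), m.group(2))
                current = None
            continue
        m = SA_RE.match(line)
        if m and pair is not None:
            current = {
                "src": pair[0], "dst": pair[1], "proto": m.group(1),
                "mode": m.group(2), "spi": int(m.group(3)),
                "reqid": int(m.group(4)), "state": None,
            }
            sas.append(current)
            continue
        m = STATE_RE.search(line)
        if m and current is not None:
            current["state"] = m.group(1)
    return sas


def duplicate_phase2(sas):
    """Map (src, dst, proto, reqid) -> list of SPIs for groups holding more than one
    mature SA. One mature SA per direction is normal; dying ones are rekey leftovers."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] == "mature":
            groups[(sa["src"], sa["dst"], sa["proto"], sa["reqid"])].append(sa["spi"])
    return {key: spis for key, spis in groups.items() if len(spis) > 1}


if __name__ == "__main__":
    for key, spis in duplicate_phase2(parse_sad(SAMPLE_SAD)).items():
        src, dst, proto, reqid = key
        print(f"{src} -> {dst} {proto} reqid={reqid}: "
              f"{len(spis)} mature SAs, SPIs {[hex(s) for s in spis]}")
```

On a live system feed it the real dump (`setkey -D | python3 sa_dups.py` after swapping `SAMPLE_SAD` for `sys.stdin.read()`); a pair that keeps showing more than one mature SA per reqid on every Phase2 negotiation is the behaviour this thread is about, while a single extra entry that disappears after the soft lifetime is just rekey overlap.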


