Subject: Re: racoon status?
To: None <tech-security@NetBSD.org, gdt@ir.bbn.com>
From: Matthew Grooms <mgrooms@shrew.net>
List: tech-security
Date: 08/24/2007 18:13:54
From: Greg Troxel:
> I'm having problems with racoon on current, and am confused about how
> we're dealing with the ipsec-tools code and its current state. The
> entry in src/doc/3RDPARTY seems out of date. I'd like to see
> src/crypto/dist/ipsec-tools/README.CVS or something similar to explain
> the plan.
>
Sorry for the delayed response. I will talk to Manu about the out-of-date
document.
> My problem: on -current (i386), racoon fails to start complaining that
> it doesn't have any addresses. If I add a listen-address directive, it
> works fine. I have never before needed a listen-address directive in
> all my years of running racoon. This is awkward on a machine that
> changes addresses.
Could you send me the exact error string being produced? It will help me
to track it down in the source code.
>
> On netbsd-4, racoon works as it has.
>
Unfortunately, I don't have a -current machine to test this with right
now. I do have a netbsd-4 machine and can confirm that it works without
the listen statements present in the racoon.conf file. There should be
very little difference between the ipsec-tools cvs branch and the *very*
soon to be released ipsec-tools 0.7 branch. My understanding is that 0.7
will be shipped with netbsd-4.
> I went to src/crypto/dist/ipsec-tools, and it seems that for live
> branches relevant to this discussion there is (version #s from README to
> show structure)
>
> HEAD: 1.1
> ipsec-tools-0_7-branch: 1.1.1.2.0.8
> netbsd-4: 1.1.1.2.0.4
>
> So, I'm unclear on what the head of ipsec-tools the project is,
> separately from the part of ipsec-tools that's been merged to -current.
>
Please see my last comment.
>
> seems to mostly consist of PATH_IPSEC_H cleanups, plus some 0/NULL/!=
> NULL cleanups, a few apparent bugfixes, and some pam changes.
>
I believe these changes were added to support the FreeBSD 7 gnn fast
ipsec promotion.
> Plus this in session.c:
>
>
> if (lcconf->rtsock >= 0 && FD_ISSET(lcconf->rtsock,
> &rfds)) {
> if (update_myaddrs() && lcconf->autograbaddr)
> - sched_new(5, check_rtsock, NULL);
> - initfds();
> + check_rtsock(NULL);
> + else
> + initfds();
> }
> }
> }
>
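Review bot: in the replacement lines the `else` binds to the inner `if (update_myaddrs() && lcconf->autograbaddr)`, so initfds() now runs only when no address change is being handled, whereas before it ran unconditionally after every routing-socket event; unless check_rtsock(NULL) rebuilds the descriptor sets itself, the select() set can go stale right after an address change, which is the case the patch is meant to handle. The deferred `sched_new(5, check_rtsock, NULL)` is also replaced by a synchronous call, so the address list is re-read immediately inside the event loop instead of five seconds later. Since the quoted lines have lost their indentation, braces around the inner if/else would make the intended binding unambiguous.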
> which seems like it could possibly be the cause of my problem.
>
This appears to be related to catching dynamic address updates, but I
would need to take a closer look. Probably not the cause of your issue.
Yvan, Manu or myself will need to dig a bit to see what the cause of
your problem is. It may be a new 'feature' that I had yet to take note
of. The top priority right now is to get 0.7 out the door and then we
will refocus on ipsec-tools head (in netbsd-current).
> So it seems that current has a few of the changes from the 0_7 branch,
> but is still pretty far from 0_7.
>
> Is there an ipsec-tools-head sort of branch, or is the 0_7 branch the
> effective head of ipsec-tools work?
Manu responded to this question on another list, so I will just
reproduce the answer here so it is available to everyone.
NetBSD's HEAD (aka NetBSD-current) and ipsec-tools's HEAD are actually
just the same thing. Ipsec-tools development takes place within the
NetBSD tree, in src/crypto/dist/ipsec-tools.
Thanks,
-Matthew