
Racoon: status for kFreeBSD. (Bug #613726)



(This was intended to be forwarded to debian-bsd!  MEA)

package racoon
tags 613726 + ipv6
thanks

A status report on actually running Racoon with GNU/kFreeBSD.

The use of IPv4 seems to work fairly well, but IPv6 is posing
strange restrictions. In the reference below I use these as
working references:

   GNU/kFreeBSD to GNU/Linux:

      IPv4 with "esp/transport//require ah/transport//require;"
      at the kFreeBSD end.

   GNU/kFreeBSD to OpenBSD:

      IPv4 with "esp/tunnel/addr1-addr2/require;" at kFreeBSD end.

Both are working impeccably.

Switching to IPv6, most outcomes are of this kind:

    GNU/kFreeBSD to GNU/Linux:  (the following policy in kFreeBSD)

        esp/tunnel/addr1-addr2/use;

        esp/transport//use;

        ah/tunnel/addr1-addr2/use;

        ah/transport//use;

    GNU/kFreeBSD to OpenBSD:

        esp/tunnel/addr1-addr2/use;

All are in working order. Notice the policy type "use". Changing to "require"
makes GNU/kFreeBSD fail. The negotiation is never completed. However, the
corresponding case for IPv4 is functional with "require".

It is my hope that someone with longer experience in debugging IPsec connections
will discover the probable cause of the differences between IPv4 and IPv6.

As a side note, let me note that a patch I have developed for Ngrep, and have
made public in #615231, enables the inspection into the payload of AH and the
detection of ESP packets. This simplifies the checking of standing connections.

Best regards,
  Mats Erik Andersson, DM
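
Added example, not part of the original message: a small checker for policy requests of the kind quoted above, in the four-field form `protocol/mode/src-dst/level`. It reports the address family of the endpoints and whether the level makes the kernel insist on an SA; with "use" an SA is applied only when one exists, so traffic can still flow unprotected. The function names are hypothetical and the addresses are constructed documentation addresses.

```python
import ipaddress

PROTOCOLS = {"esp", "ah", "ipcomp"}
MODES = {"transport", "tunnel"}
# "require" and "unique" make the kernel insist on an SA. "use" applies an SA
# only if one exists and otherwise sends the packet unprotected; "default"
# defers to system-wide settings, so the policy alone guarantees nothing.
ENFORCING = {"require", "unique"}
LEVELS = ENFORCING | {"use", "default"}


def parse_request(text):
    """Parse one 'protocol/mode/src-dst/level' request (four-field form only)."""
    fields = text.strip().rstrip(";").split("/")
    if len(fields) != 4:
        raise ValueError(f"expected 4 '/'-separated fields: {text!r}")
    proto, mode, endpoints, level = fields
    level = level.split(":", 1)[0]  # "unique:<number>" carries an identifier
    if proto not in PROTOCOLS or mode not in MODES or level not in LEVELS:
        raise ValueError(f"unknown protocol, mode or level: {text!r}")
    family = None
    if endpoints:
        # IPv6 literals contain neither "/" nor "-", so both splits are safe.
        src, _, dst = endpoints.partition("-")
        a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if a.version != b.version:
            raise ValueError(f"mixed address families: {text!r}")
        family = a.version
    elif mode == "tunnel":
        raise ValueError(f"tunnel mode needs src-dst endpoints: {text!r}")
    return {"proto": proto, "mode": mode, "family": family,
            "enforced": level in ENFORCING}


def unenforced(policy):
    """Return the requests in a policy that tolerate unprotected traffic."""
    return [r for r in policy.split() if not parse_request(r)["enforced"]]


# Constructed sample policies (not taken from the message).
SAMPLES = [
    "esp/transport//require ah/transport//require;",
    "esp/tunnel/192.0.2.1-192.0.2.2/require;",
    "esp/tunnel/2001:db8::1-2001:db8::2/use;",
]

if __name__ == "__main__":
    for policy in SAMPLES:
        print(policy, "->", unenforced(policy) or "all requests enforced")
```

When a policy is listed as unenforced, a working connection does not by itself show that IPsec was negotiated; the SAs or the packets on the wire have to be checked separately.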

