Subject: racoon broken by recent changes
To: None <>
From: Daniel Carosone <>
List: current-users
Date: 05/17/2005 20:46:17
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

I know at least one other person is seeing something similar to this -
anyone else?

Since recent changes (in the past week or so) it seems racoon can no
longer negotiate with previous versions of itself.  No config has
changed, but one of the peers has been updated to -current (twice).

In the first incarnation, it would negotiate phase 1, and simply time
out phase 2, repeating forever.  After a second rebuild to -current
today, the behaviour has changed.. I now get a phase 2 negotiation
reported, and then the following:

/netbsd: key_update: no SA index found.
racoon: ERROR: pfkey UPDATE failed: No such file or directory

together with a repeated warning from the kernel about no key
association found for spi=3Dnnn on input from the remote host
(presumably the spi for the SA that racoon failed to update)

Is -current racoon working for anyone else, either with itself or with
older peers? =20

Looking at some more verbose debug suggests that racoon is calling
pfkey_send_update_nat and pfkey_send_add_nat just before the UPDATE
message with the failure.  If I add IPSEC_NAT_T support to the kernel,
it makes no difference.

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.4.1 (NetBSD)