Subject: Re: racoon broken by recent changes
To: Daniel Carosone <>
From: Marcin Jessa <>
List: current-users
Date: 05/17/2005 19:10:07
Fresh, updated source tree. 
Trying to run:
./ -U -x -D /usr/NetBSD-current distribution install=/

I get:

rm -f cftoken.c cfparse.c prsa_tok.c prsa_par.c cfparse.h prsa_par.h
rm -f a.out [Ee]rrs mklog core *.core .gdbinit racoon
rm: racoon: is a directory

*** Failed target:  cleanprog
*** Failed command: rm -f a.out [Ee]rrs mklog core *.core .gdbinit racoon
*** Error code 1

nbmake: stopped in /usr/src/usr.sbin/racoon

*** Failed target:  cleandir-racoon
*** Failed command: _makedirtarget() { dir="$1"; shift; target="$1"; shift; case "${dir}" in /*) this="${dir}/"; real="${dir}" ;; .) this="usr.sbin/"; real="/usr/src/usr.sbin" ;; *) this="usr.sbin/${dir}/"; real="/usr/src/usr.sbin/${dir}" ;; esac; show=${this:-.}; echo "${target} ===> ${show%/}${1:+ (with: $@)}"; cd "${real}" && /usr/src/obj/tooldir.NetBSD-3.99.3-i386/bin/nbmake _THISDIR_="${this}" "$@" ${target}; }; _makedirtarget racoon cleandir
*** Error code 1

On Tue, 17 May 2005 20:46:17 +1000
Daniel Carosone <> wrote:

> I know at least one other person is seeing something similar to this -
> anyone else?
> Since recent changes (in the past week or so) it seems racoon can no
> longer negotiate with previous versions of itself.  No config has
> changed, but one of the peers has been updated to -current (twice).
> In the first incarnation, it would negotiate phase 1, and simply time
> out phase 2, repeating forever.  After a second rebuild to -current
> today, the behaviour has changed.. I now get a phase 2 negotiation
> reported, and then the following:
> /netbsd: key_update: no SA index found.
> racoon: ERROR: pfkey UPDATE failed: No such file or directory
> together with a repeated warning from the kernel about no key
> association found for spi=nnn on input from the remote host
> (presumably the spi for the SA that racoon failed to update)
> Is -current racoon working for anyone else, either with itself or with
> older peers?  
> Looking at some more verbose debug suggests that racoon is calling
> pfkey_send_update_nat and pfkey_send_add_nat just before the UPDATE
> message with the failure.  If I add IPSEC_NAT_T support to the kernel,
> it makes no difference.
> --
> Dan.