Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [Ipsec-tools-devel] racoon+NAT-T and racoon+debug+IPv6 not so happy?


when changing key_cmpsaidx_exactly to key_cmpsaidx_withmode in netkey/key.c:key_getsah() negotiations work again. This change is inspired by the code found in netipsec/key.c where

Caution: I have not deeply looked into the issue - thus this change be be completely wrong, but it gives
probably a hint at whats wrong.
My rules refer to any protocol - so exact comparisons for specific protocols probably don't match
in the key_cmpsaidx_exactly function.


S.P.Zeidler wrote:

Thus wrote VANHULLEBUS Yvan (

On Sun, Oct 26, 2008 at 12:31:21PM +0100, S.P.Zeidler wrote:
before I unpack digging equipment:

is it old news that racoon and a kernel with NAT-T [1] will result in a
failure to do IPSEC because the pfkey update about NAT-T fails in phase 2
and racoon decides to fail the entire connection?
As asked by other people, what are the exact versions of racoon and
NetBSD you're running ?

Amend that to (racoon and a kernel with NAT-T) (as of Oct 25th)

If you're running NetBSD-current and racoon-HEAD (which is probably
the shipped version with NetBSD-current), yes, it may be a well known
problem in PFKey interface, I started to clean it but it will need
more works on both kernel and userland.

Yes, a NetBSD-current will also have racoon-HEAD of the same date.
Since someone's already working on it I'll be lazy and wait for nice
things to come. ;-)


Home | Main Index | Thread Index | Old Index