Re: [Ipsec-tools-devel] racoon+NAT-T and racoon+debug+IPv6 not so happy?

[Frank Kardel <kardel%netbsd.org@localhost>]

Hi,

when changing key_cmpsaidx_exactly to key_cmpsaidx_withmode in 
netkey/key.c:key_getsah()
negotiations work again. This change is inspired by the code found in 
netipsec/key.c where
key_getsah().

Caution: I have not deeply looked into the issue - thus this change be 
be completely wrong, but it gives
probably a hint at whats wrong.
My rules refer to any protocol - so exact comparisons for specific 
protocols probably don't match
in the key_cmpsaidx_exactly function.

Frank

S.P.Zeidler wrote:
> Hi,
>
> Thus wrote VANHULLEBUS Yvan (vanhu%free.fr@localhost):
>
>   
> > On Sun, Oct 26, 2008 at 12:31:21PM +0100, S.P.Zeidler wrote:
> >     
> > > before I unpack digging equipment:
> > >
> > > is it old news that racoon and a kernel with NAT-T [1] will result in a
> > > failure to do IPSEC because the pfkey update about NAT-T fails in phase 2
> > > and racoon decides to fail the entire connection?
> > >       
> > As asked by other people, what are the exact versions of racoon and
> > NetBSD you're running ?
> >     
>
> Amend that to (racoon and a kernel with NAT-T) (as of Oct 25th)
>
>   
> > If you're running NetBSD-current and racoon-HEAD (which is probably
> > the shipped version with NetBSD-current), yes, it may be a well known
> > problem in PFKey interface, I started to clean it but it will need
> > more works on both kernel and userland.
> >     
>
> Yes, a NetBSD-current will also have racoon-HEAD of the same date.
> Since someone's already working on it I'll be lazy and wait for nice
> things to come. ;-)
>
> regards,
>         spz
>