Subject: Re: bin/30437 recent NATT changes breaks racoon
To: None <,>
From: Emmanuel Dreyfus <>
List: netbsd-bugs
Date: 09/02/2005 15:51:03
The following reply was made to PR bin/30437; it has been noted by GNATS.

From: Emmanuel Dreyfus <>
To: Jeff Ito <>
Subject: Re: bin/30437 recent NATT changes breaks racoon
Date: Fri, 2 Sep 2005 15:50:59 +0000

 On Fri, Sep 02, 2005 at 11:44:53AM -0400, Jeff Ito wrote:
 > On two -current machines with a non-NAT-T kernel and ipsec-tools
 > 0.6.1 I still run into errors.  I believe that this may be due to
 > the fact that ipsec-tools still has nat-t support built in.  Perhaps
 > this is user error, or some piece of documentation I missed?
 ipsec-tools should be able to work with NAT-T enabled on a non-NAT-T
 kernel. If it does not, it's a bug.
 While awaiting a fix, we might be able to find a workaround. Try this SPD:
 spdadd any 
     -P in ipsec esp/transport/[0]-[0]/require;
 spdadd any 
     -P out ipsec esp/transport/[0]-[0]/require;
 And if it fails, that one:
 spdadd any 
     -P in ipsec esp/transport/[500]-[500]/require;
 spdadd any 
     -P out ipsec esp/transport/[500]-[500]/require;
 That might help. 
 NB: I'll be AFK until next Friday.
 Emmanuel Dreyfus