Subject: Re: IPSEC (sometimes) not tunneling tcp SYN-ACKs
To: Markus W Kilbinger <kilbi@rad.rwth-aachen.de>
From: Christoph Kaegi <kgc@zhwin.ch>
List: netbsd-users
Date: 06/04/2003 15:54:49
On 2003.06.04 10:43, Markus W Kilbinger wrote:
>
> Christoph> ipsec.conf looks like this:
>
> Christoph> machine1:
> Christoph> -------------------------------------- 8< --------------------------------------
> Christoph> # Add SP entries:
> Christoph> spdadd 1.2.3.4/32 5.6.7.8/32 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
> Christoph> spdadd 5.6.7.8/32 1.2.3.4/32 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
>
> Hmm, you specified 'spdadd [...] /tunnel/' whereas the tunnel
> endpoints and the encryption-related IP range are the same. -> Did you
> try 'spdadd ... /transport/' instead?
>
Thanks for this hint. I tried using transport, but
the effects are still the same.
After a certain amount of time, the IPsec stack on the
other side doesn't seem to recognise the SYN-ACK packet,
and the kernel tries to send it unencrypted, which gets
blocked.
Chris
--
----------------------------------------------------------------------
Christoph Kaegi kgc@zhwin.ch
----------------------------------------------------------------------
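As an added illustration (not part of either poster's message), a small Python checker for the spdadd form quoted above: it parses setkey(8) spdadd lines and flags the situation Markus points at, a host-to-host tunnel-mode policy whose tunnel endpoints are just the two protected hosts, which esp/transport/ would express directly. The sample lines are the ones quoted in the thread; the checker and its findings are an assumption of this example, not a setkey feature.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two spdadd lines quoted in the thread, as seen from machine1.
SAMPLE_SPD = """\
# Add SP entries:
spdadd 1.2.3.4/32 5.6.7.8/32 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 5.6.7.8/32 1.2.3.4/32 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
"""

# setkey(8) spdadd form used in the thread; tunnel mode carries a "src-dst" endpoint pair.
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?:esp|ah)/(?P<mode>tunnel|transport)"
    r"(?:/(?P<tsrc>[^-/\s]+)-(?P<tdst>[^/\s]+))?/\w+\s*;$"
)

def parse_spd(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict of named fields per spdadd line; comments and blanks are skipped."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if m is None:
            raise ValueError("unrecognised spdadd line: " + line)
        policies.append(m.groupdict())
    return policies

def host_of(prefix: str) -> Optional[str]:
    """Address of a single-host selector (no prefix, /32 or /128), else None."""
    addr, _, plen = prefix.partition("/")
    return addr if plen in ("", "32", "128") else None

def lint_spd(policies: List[Dict[str, Optional[str]]]) -> List[str]:
    """Flag tunnel-mode host-to-host policies whose outer endpoints are the inner hosts."""
    findings = []
    for p in policies:
        src, dst = host_of(p["src"]), host_of(p["dst"])
        if p["mode"] != "tunnel" or src is None or dst is None:
            continue  # transport mode, or gateway policies covering whole networks
        where = f'{p["dir"]} {p["src"]} -> {p["dst"]}'
        if (p["tsrc"], p["tdst"]) == (src, dst):
            findings.append(where + ": tunnel endpoints equal the protected hosts; "
                            "esp/transport/ expresses this host-to-host SA directly")
        elif (p["tsrc"], p["tdst"]) == (dst, src):
            findings.append(where + ": tunnel endpoints reversed relative to the selector")
    return findings
```

Running `lint_spd(parse_spd(SAMPLE_SPD))` reports both quoted policies; a gateway policy such as `spdadd 10.0.1.0/24 10.0.2.0/24 ... esp/tunnel/1.2.3.4-5.6.7.8/require;` is left alone because tunnel mode is what it needs.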