Subject: IPsec in -current, rsh and host lookups
To: None <firstname.lastname@example.org>
From: Jan Schaumann <email@example.com>
Date: 07/11/2003 21:00:22
Content-Type: text/plain; charset=us-ascii

I've been using rsh and rlogin over ipsec for a while on 1.6.1. Now I
upgraded the kernel to -current (kernel only, not userland), and ipsec
seems to behave weirdly: it correctly encrypts the desired connections,
but when I try to rsh to the other host, it attempts to encrypt a
connection to the nameserver -> ?

The log shows that the connection is made successfully, and telnetting
to port 513 does look normal (i.e. I do get "Connected to <host>.
Escape character is '^]'."), but then the logs show

Jul 11 20:43:56 amstel racoon: INFO: isakmp.c:798: initiate new phase 1
Jul 11 20:43:56 amstel racoon: INFO: isakmp.c:803: begin Aggressive
Jul 11 20:44:27 amstel racoon: ERROR: isakmp.c:1776: phase2 negotiation
failed due to time up waiting for phase1. ESP
Jul 11 20:44:27 amstel racoon: INFO: isakmp.c:1781: delete phase 2
Jul 11 20:44:29 amstel /netbsd: IPv4 ESP input: no key association found
for spi 201407977

(22.214.171.124 is the nameserver provided in /etc/resolv.conf)

Why would it try to connect to the nameserver, and more importantly, why
would it try to use ipsec? /etc/ipsec.conf tells it to only encrypt
traffic to/from ports 513/514.

TIA for all help,

A common mistake that people make when trying to design something completely
foolproof is to underestimate the ingenuity of complete fools.
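For readers of this thread, here is what a port-scoped policy of the kind the mail describes looks like in setkey(8) syntax. This is an added example, not the poster's actual /etc/ipsec.conf: the addresses 10.0.0.1 (local) and 10.0.0.2 (rsh/rlogin peer) are constructed, and the policy covers only TCP to the rlogin (513) and rsh (514) ports, so a UDP/53 lookup to a nameserver matches no entry and should not cause racoon to start a phase 1.

```conf
# Added example, not from the original mail.
# Constructed addresses: 10.0.0.1 = this host, 10.0.0.2 = the rsh/rlogin peer.
# Each spdadd entry names one port in one direction; "require" means the
# kernel asks racoon for an SA before passing matching traffic, and traffic
# matching no entry (e.g. DNS to 22.214.171.124) is left alone.
flush;
spdflush;

# rlogin (tcp/513): client-side outbound and the matching inbound replies
spdadd 10.0.0.1 10.0.0.2[513] tcp -P out ipsec esp/transport//require;
spdadd 10.0.0.2[513] 10.0.0.1 tcp -P in  ipsec esp/transport//require;

# rsh (tcp/514): same shape
spdadd 10.0.0.1 10.0.0.2[514] tcp -P out ipsec esp/transport//require;
spdadd 10.0.0.2[514] 10.0.0.1 tcp -P in  ipsec esp/transport//require;
```

After loading it with `setkey -f /etc/ipsec.conf`, `setkey -DP` dumps the policy the kernel actually holds and `setkey -D` the negotiated SAs; comparing that dump against the file is the first check when the kernel appears to apply IPsec to traffic the file does not mention, especially after a kernel-only upgrade where the installed setkey and the running kernel may disagree.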