Subject: IPsec in -current, rsh and host lookups
To: None <tech-net@netbsd.org>
From: Jan Schaumann <jschauma@netbsd.org>
List: tech-net
Date: 07/11/2003 21:00:22

Hi all,

I've been using rsh and rlogin over ipsec for a while on 1.6.1.  Now I
upgraded the kernel to -current (kernel only, not userland), and ipsec
seems to behave weirdly:  it correctly encrypts the desired connections,
but when I try to rsh to the other host, it attempts to encrypt a
connection to the nameserver -> ?

The log shows that the connection is made successfully, and telnetting
to port 513 does look normal (ie I do get "Connected to <host>.
Escape character is '^]'."), but then the logs show

Jul 11 20:43:56 amstel racoon: INFO: isakmp.c:798: initiate new phase 1 negotiation: 155.246.89.68[500]<=>155.246.1.20[500]
Jul 11 20:43:56 amstel racoon: INFO: isakmp.c:803: begin Aggressive mode.
Jul 11 20:44:27 amstel racoon: ERROR: isakmp.c:1776: phase2 negotiation failed due to time up waiting for phase1. ESP 155.246.1.20->155.246.89.68
Jul 11 20:44:27 amstel racoon: INFO: isakmp.c:1781: delete phase 2 handler.
Jul 11 20:44:29 amstel /netbsd: IPv4 ESP input: no key association found for spi 201407977

(155.246.1.20 is the nameserver provided in /etc/resolv.conf)

Why would it try to connect to the nameserver, and more importantly, why
would it try to use ipsec?  /etc/ipsec.conf tells it to only encrypt
traffic to/from ports 513/514.

TIA for all help,
-Jan

-- 
A common mistake that people make when trying to design something completely
foolproof is to underestimate the ingenuity of complete fools.

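An added example, not part of Jan's post and not NetBSD or racoon code: the post does not include its /etc/ipsec.conf, so the two policy sets below are constructed, as is the rlogin peer address 155.246.89.70 (the nameserver 155.246.1.20 and the local address 155.246.89.68 are taken from the log). The matcher implements the selector rules of setkey(8) spdadd entries (source and destination address or prefix, optional port in brackets, upper-layer protocol, direction; first matching entry wins, which is the ordering assumed here) and reports which entry, if any, a given flow would select. It is the offline counterpart of looking at `setkey -DP` output: a policy set restricted to TCP ports 513/514 leaves a UDP/53 query to 155.246.1.20 unmatched, while one written as a network prefix with `any` as the upper-layer protocol catches the DNS query as well and so would make racoon start a phase 1 with the nameserver.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# One spdadd(8) entry as written in /etc/ipsec.conf, e.g.
#   spdadd 155.246.89.68[any] 155.246.89.70[513] tcp -P out ipsec esp/transport//require;
# A port selector is optional; a missing one or "[any]" means any port.
SPDADD_RE = re.compile(
    r"^spdadd\s+"
    r"(?P<src>\S+?)(?:\[(?P<sport>\w+)\])?\s+"
    r"(?P<dst>\S+?)(?:\[(?P<dport>\w+)\])?\s+"
    r"(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+(?P<action>.+?)\s*;$"
)


@dataclass
class Policy:
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    sport: Optional[int]            # None means any port
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    dport: Optional[int]
    proto: Optional[str]            # None means "any" upper-layer protocol
    direction: str                  # "in" or "out"
    action: str                     # e.g. "ipsec esp/transport//require"
    text: str                       # original line, kept for reporting


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                      # "tcp", "udp", ...
    direction: str                  # "in" or "out"


def _port(value: Optional[str]) -> Optional[int]:
    return None if value in (None, "any") else int(value)


def parse_spd(conf: str) -> list[Policy]:
    """Parse spdadd lines into Policy objects, preserving their order."""
    policies = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed SPD line: {line}")
        policies.append(Policy(
            src=ipaddress.ip_network(m["src"], strict=False),
            sport=_port(m["sport"]),
            dst=ipaddress.ip_network(m["dst"], strict=False),
            dport=_port(m["dport"]),
            proto=None if m["proto"] == "any" else m["proto"],
            direction=m["dir"],
            action=m["action"],
            text=line,
        ))
    return policies


def lookup(policies: list[Policy], flow: Flow) -> Optional[Policy]:
    """First entry whose selectors cover the flow; None means no policy
    applies and the packet is sent or accepted in the clear."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for p in policies:
        if p.direction != flow.direction:
            continue
        if src not in p.src or dst not in p.dst:
            continue
        if p.proto is not None and p.proto != flow.proto:
            continue
        if p.sport is not None and p.sport != flow.sport:
            continue
        if p.dport is not None and p.dport != flow.dport:
            continue
        return p
    return None


def matching_entry(conf: str, flow: Flow) -> Optional[str]:
    """Convenience wrapper: the text of the matching spdadd line, or None."""
    p = lookup(parse_spd(conf), flow)
    return None if p is None else p.text


# Constructed policy set: only rlogin/rsh (TCP 513/514) to one hypothetical peer.
TIGHT_CONF = """
spdadd 155.246.89.68[any] 155.246.89.70[513] tcp -P out ipsec esp/transport//require;
spdadd 155.246.89.68[any] 155.246.89.70[514] tcp -P out ipsec esp/transport//require;
spdadd 155.246.89.70[513] 155.246.89.68[any] tcp -P in  ipsec esp/transport//require;
spdadd 155.246.89.70[514] 155.246.89.68[any] tcp -P in  ipsec esp/transport//require;
"""

# Constructed policy set with a prefix and no upper-layer restriction:
# it also covers the resolver query, because 155.246.1.20 is inside 155.246.0.0/16.
LOOSE_CONF = """
spdadd 155.246.89.68 155.246.0.0/16 any -P out ipsec esp/transport//require;
spdadd 155.246.0.0/16 155.246.89.68 any -P in  ipsec esp/transport//require;
"""

# Constructed flows: rlogin from a reserved port, and the resolver lookup.
RSH_FLOW = Flow("155.246.89.68", 1023, "155.246.89.70", 513, "tcp", "out")
DNS_FLOW = Flow("155.246.89.68", 65000, "155.246.1.20", 53, "udp", "out")

if __name__ == "__main__":
    for name, conf in (("tight", TIGHT_CONF), ("loose", LOOSE_CONF)):
        for label, flow in (("rlogin", RSH_FLOW), ("dns", DNS_FLOW)):
            print(f"{name:5} {label:6} -> {matching_entry(conf, flow)}")
```

The matcher ignores the policy action itself; its only job is to show which selector a flow lands on, which is the first thing to check when racoon negotiates with a host that was never meant to be an IPsec peer.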