Subject: IPsec in -current, rsh and host lookups
From: Jan Schaumann <>
List: tech-net
Date: 07/11/2003 21:00:22
Hi all,

I've been using rsh and rlogin over ipsec for a while on 1.6.1.  Now I
upgraded the kernel to -current (kernel only, not userland), and ipsec
seems to behave weirdly:  it correctly encrypts the desired connections,
but when I try to rsh to the other host, it attempts to encrypt a
connection to the nameserver -> ?

The log shows that the connection is made successfully, and telnetting
to port 513 does look normal (i.e. I do get "Connected to <host>.
Escape character is '^]'."), but then the logs show

Jul 11 20:43:56 amstel racoon: INFO: isakmp.c:798: initiate new phase 1
Jul 11 20:43:56 amstel racoon: INFO: isakmp.c:803: begin Aggressive
Jul 11 20:44:27 amstel racoon: ERROR: isakmp.c:1776: phase2 negotiation failed due to time up waiting for phase1. ESP>
Jul 11 20:44:27 amstel racoon: INFO: isakmp.c:1781: delete phase 2
Jul 11 20:44:29 amstel /netbsd: IPv4 ESP input: no key association found for spi 201407977

( is the nameserver provided in /etc/resolv.conf)

Why would it try to connect to the nameserver, and more importantly, why
would it try to use ipsec?  /etc/ipsec.conf tells it to only encrypt
traffic to/from ports 513/514.

TIA for all help,

A common mistake that people make when trying to design something completely
foolproof is to underestimate the ingenuity of complete fools.

