Netbsd-5 racoon: Multiple Phase2 SAs generated when NAT-T enabled
Referring to the discussion some time ago (racoon-current having problems on
NetBSD-5.0 branch systems with and without NAT-T because of the kernel's unadjusted
PF_KEY interface), we discovered a similar problem using the NetBSD-5.0 branch
and its racoon version when using NAT-T.
We tried to establish an IPsec connection in tunnel mode using NAT-T and
aggressive mode on two NetBSD-5.0 branch systems using the stock netbsd-5
racoon. We tried two different scenarios.

1. NetBSD-5.0 GWs directly connected via cross-link cable, NAT-T forced on in both
   racoons (option "nat_traversal force;")
2. NAT gateway in between doing source NAT on the initiator's IP, NAT-T set to on in
   both racoons (option "nat_traversal on;")
Both scenarios result in unusable tunnels. When pings are sent from the initiator's
LAN to the responder's LAN, Phase 1 (ISAKMP) is completed successfully between the
two GWs, but Phase 2 (IPsec) is "looping". This means that after a timeout, an
(additional) pair of Phase 2 SAs is generated.
For our racoon.conf and ipsec.conf files as well as some debug output for both
scenarios please refer to .
We opened a PR regarding this issue (kern/42606).
Is it possible that all these problems exist because of the kernel's
PF_KEY interface not being adjusted to changes in racoon since the 5.0 branch or
Hard- & Software Development
Galgenbergstraße 2a - Posthof
93053 Regensburg - Germany
Phone +49 (941) 78385-460
Fax +49 (941) 78385-150
A.P.E. GmbH IT-Security
Registered office: Regensburg
Commercial register: HRB 5953, Regensburg
Managing director: Dr. Dieter Steiner
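The "looping" symptom described in the post (a fresh pair of Phase 2 SAs appearing after each timeout) shows up in the kernel SAD as several mature SAs for the same source/destination/protocol triple. The following diagnostic is an added example, not part of the original post or of racoon: it parses `setkey -D` output and flags address pairs that carry more than one mature SA. The sample SAD dump is constructed; the output layout (unindented address line with NAT-T UDP ports in brackets, followed by an indented `esp-udp mode=tunnel spi=...` line and a `state=` field) follows setkey(8) as the author of this example understands it and is an assumption.

```python
"""Flag duplicate IPsec SAs in `setkey -D` output (added diagnostic example)."""
import re
import subprocess
from collections import defaultdict

# Constructed sample of `setkey -D` on the responder after two successful
# Phase 2 negotiations plus one SA that is already expiring.  Not real output.
SAMPLE_SAD = """\
10.0.0.1[4500] 192.0.2.10[4500]
\tesp-udp mode=tunnel spi=268435456(0x10000000) reqid=0(0x00000000)
\tE: 3des-cbc  00010203 04050607 08090a0b 0c0d0e0f 10111213 14151617
\tA: hmac-sha1  00010203 04050607 08090a0b 0c0d0e0f 10111213
\tseq=0x00000000 replay=4 flags=0x00000000 state=dying
10.0.0.1[4500] 192.0.2.10[4500]
\tesp-udp mode=tunnel spi=268435457(0x10000001) reqid=0(0x00000000)
\tE: 3des-cbc  10111213 14151617 00010203 04050607 08090a0b 0c0d0e0f
\tA: hmac-sha1  10111213 14151617 00010203 04050607 08090a0b
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.10[4500] 10.0.0.1[4500]
\tesp-udp mode=tunnel spi=536870913(0x20000001) reqid=0(0x00000000)
\tE: 3des-cbc  20212223 24252627 28292a2b 2c2d2e2f 30313233 34353637
\tA: hmac-sha1  20212223 24252627 28292a2b 2c2d2e2f 30313233
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.1[4500] 192.0.2.10[4500]
\tesp-udp mode=tunnel spi=268435458(0x10000002) reqid=0(0x00000000)
\tE: 3des-cbc  40414243 44454647 48494a4b 4c4d4e4f 50515253 54555657
\tA: hmac-sha1  40414243 44454647 48494a4b 4c4d4e4f 50515253
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.10[4500] 10.0.0.1[4500]
\tesp-udp mode=tunnel spi=536870914(0x20000002) reqid=0(0x00000000)
\tE: 3des-cbc  60616263 64656667 68696a6b 6c6d6e6f 70717273 74757677
\tA: hmac-sha1  60616263 64656667 68696a6b 6c6d6e6f 70717273
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# Unindented "src dst" line; addresses may be IPv4/IPv6 with optional [port].
HEADER = re.compile(r"^([0-9A-Fa-f.:\[\]]+)\s+([0-9A-Fa-f.:\[\]]+)\s*$")
# Indented SA line; the hex SPI in parentheses is what we keep.
SA_LINE = re.compile(r"^\s+(esp-udp|esp|ah|ipcomp)\s+mode=(\S+)\s+spi=\d+\((0x[0-9A-Fa-f]+)\)")
STATE = re.compile(r"state=(\w+)")


def parse_sad(text):
    """Return one dict per SA: src, dst, proto, mode, spi, state."""
    entries, src, dst, current = [], None, None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            src, dst, current = m.group(1), m.group(2), None
            continue
        m = SA_LINE.match(line)
        if m and src is not None:
            current = {"src": src, "dst": dst, "proto": m.group(1),
                       "mode": m.group(2), "spi": m.group(3), "state": None}
            entries.append(current)
            continue
        m = STATE.search(line)
        if m and current is not None:
            current["state"] = m.group(1)
    return entries


def find_duplicate_sas(entries, states=("mature",)):
    """Map (src, dst, proto) -> list of SPIs where more than one SA is live.

    A healthy tunnel has exactly one live SA per direction; expiring ("dying")
    SAs are excluded so a normal rekey is not reported as a duplicate.
    """
    groups = defaultdict(list)
    for e in entries:
        if e["state"] in states:
            groups[(e["src"], e["dst"], e["proto"])].append(e["spi"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def report(dups):
    """Human-readable lines for the duplicates found."""
    return [f"{src} -> {dst} ({proto}): {len(spis)} live SAs {spis}"
            for (src, dst, proto), spis in sorted(dups.items())]


if __name__ == "__main__":
    # Run against the live SAD when invoked on a host with setkey(8) available.
    sad = subprocess.run(["setkey", "-D"], capture_output=True, text=True).stdout
    for line in report(find_duplicate_sas(parse_sad(sad))) or ["no duplicate SAs"]:
        print(line)
```

Run on the gateway after a few ping timeouts: a growing SPI list for the same address pair confirms that Phase 2 renegotiates without retiring the previous SA, which is the pattern the post describes.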