tech-net archive


Re: Netbsd-5 racoon: Multiple Phase2 SAs generated when NAT-T enabled



Hi,

> According to your logs, you're using a 0.7.x version of ipsec-tools,  
> which should still use the "old" PFKey interface also used by NetBSD  
> (any version actually).

Correct. We tried this with the stock racoon (0.7.1nb1) that comes with the 
NetBSD 5.0-branch.


> Just to be sure: does the same exact configuration work with older  
> versions of NetBSD and/or ipsec-tools ?

Unfortunately, we didn't test it with anything older than NetBSD 5.0-release / 
ipsec-tools 0.7.1nb1.

We only had these two cases so far:
NetBSD 5.0-release + ipsec-tools 0.7.1nb1 + NAT-T 
(this topic, PR kern/42606) -> some new error
NetBSD 5.0-release + ipsec-tools-HEAD (~December 09) + NO NAT-T 
(topic [1], PR kern/42592) -> error likely because of PFkey-interface

Btw: I did test the NAT-T-functionality (direct connection, NAT-T forced) on 
two VMs with NetBSD 5.0.1-release and ipsec-tools 0.7.1nb1 (which is also stock 
in 5.0.1-release) which resulted in the same error as described in this topic. 
Without NAT-T, the tunnel came up well.

     - Daniel

[1] http://mail-index.netbsd.org/tech-net/2009/12/18/msg001803.html

