:[EMAIL PROTECTED] (Matthew Dillon) writes:
:
:> The question is: What am I forgetting to do? Or is this a bug in our
:> IPSEC implementation?
:
:AFAIK this is more or less how it's supposed to work. IPsec is a
:mess. Security associations are not stateless, ESP provides replay
:protection using a sequence number. Replay-prevention is, however,
:optional, and the setkey manual page claims it to be off by default,
:so it could be a bug...you might want to try specifying -r 0
:explicitly.
IPSec isn't well documented, but once I figured out the config
file it didn't seem too bad. I am guessing that replay prevention
is turned on by default, but specifying '-f cyclic-seq' in the
setkey config file at the appropriate place appears to solve the
problem. I haven't tried testing with packet loss to see if it
can survive a noisy network.
I had to fix up /etc/rc.network a little to load the ipsec rules
at the appropriate point (just after the interface and ipfw setup,
but before any services (like NFS) are run). I am going to put the
(relatively simple) patch for rc.network up for a quick review and
then commit it along with an example file and a reference to the
example file in the man page.
-Matt
Matthew Dillon
<[EMAIL PROTECTED]>
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
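The ESP sequence-number replay check the thread is arguing about, as an added example that is not code from the FreeBSD or KAME IPsec stack: a sliding-window anti-replay check of the kind described in RFC 2401 Appendix C, showing that reordering inside the window is tolerated, a repeated or stale sequence number is dropped, and what a "cyclic sequence" option changes when the 32-bit counter wraps. The window size and the wrap rule are assumptions for illustration only.

```python
# Added example, not the FreeBSD/KAME implementation. Simulates the receiver
# side of ESP anti-replay: highest sequence number seen plus a bitmap of the
# last WINDOW sequence numbers. Sequence numbers are 32-bit and never 0.

WINDOW = 32                       # assumed window size (setkey -r sets this)
SEQ_MAX = 0xFFFFFFFF              # ESP sequence numbers are 32-bit


class ReplayWindow:
    def __init__(self, size=WINDOW, allow_wrap=False):
        self.size = size
        self.last = 0             # highest sequence number accepted so far
        self.bitmap = 0           # bit i set means (last - i) was already seen
        self.allow_wrap = allow_wrap  # assumed analogue of a 'cyclic-seq' option

    def check(self, seq):
        """Return True and record seq if it is fresh, False if replayed/stale."""
        if seq == 0 or seq > SEQ_MAX:
            return False          # 0 is reserved; anything larger is malformed
        if seq > self.last:       # newest packet so far: slide the window forward
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:     # older than the window
            if (self.allow_wrap and seq < self.size
                    and self.last >= SEQ_MAX - self.size):
                # Peer's counter wrapped and cycling is permitted: start over.
                self.last, self.bitmap = seq, 1
                return True
            return False          # stale: dropped without cyclic-seq
        if self.bitmap & (1 << diff):
            return False          # inside the window but already seen: replay
        self.bitmap |= 1 << diff  # late but fresh (lossy/reordering network)
        return True


def simulate(seqs, allow_wrap=False):
    """Feed a constructed list of ESP sequence numbers; return accept/drop."""
    w = ReplayWindow(allow_wrap=allow_wrap)
    return [w.check(s) for s in seqs]
```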