IPSEC_ESP and if_tun failed
Hello. I originally posted this to freebsd-questions. I then learned about this list and thought my topic was appropriate.

I am running into a problem with using vpnc and isakmpd on the same system (not at the same time) on a FreeBSD 5.2.1-RELEASE-p8 system. With IPSEC enabled in the kernel, vpnc worked fine. Then, I had to include IPSEC_ESP so that isakmpd would work. Now, vpnc is broken.

I compiled in IPSEC_DEBUG and did a

  $ sudo sysctl debug.if_tun_debug=1

to get some verbose logging. This is what happens...

- I start vpnc as root
- The client connects
- vpnc authenticates properly
- IP address is assigned to tun0
- The IPSec connection breaks
- vpnc errors out with: socket(SOCK_RAW): Protocol not supported
- ifconfig still shows the device tun0 with the assigned IP

/var/log/messages shows this:

  kernel: tun0: open
  kernel: module_register: module if_tun already exists!
  kernel: Module if_tun failed to register: 17
  kernel: can't re-use a leaf (if_tun_debug)!
  kernel: tun0: mtu set
  kernel: tun0: tuninit
  kernel: tun0: address set, error=0
  kernel: tun0: tunoutput
  kernel: tun0: tunoutput
  kernel: tun0: tuninit
  kernel: tun0: address set, error=0
  kernel: tun0: closed
  kernel: tun0: tunoutput
  kernel: tun0: not ready 032
  kernel: tun0: tunoutput
  kernel: tun0: not ready 032

I have been trying to turn off ESP support using sysctl. OpenBSD has an OID called net.inet.esp.enable. This OID is not listed in sysctl -a. Any advice is appreciated.

-Victor

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Problem setting socket options?
Hi guys! I'm quite a newbie in the sock API so please be patient :)

I've seen quite a lot of log entries in my smbd.log file like that:

  Apr 29 00:42:09 host smbd[45372]: Failed to set socket option TCP_NODELAY (Error Connection reset by peer)

I've tried to track it with truss (result below). My question is: does the setsockopt() fail BECAUSE the socket is not connected anymore (client closed it before setting the option), or does the connection fail, and the client disconnect, BECAUSE the TCP_NODELAY option couldn't have been set properly? How to know that?

ajb

  # truss -f -p PID
  1654: fork()= 83030 (0x14456)
  83030: close(18) = 0 (0x0)
  83030: close(19) = 0 (0x0)
  83030: close(0) = 0 (0x0)
  83030: close(1) = 0 (0x0)
  83030: open("/dev/null",0x2,00) = 0 (0x0)
  83030: open("/dev/null",0x2,00) = 1 (0x1)
  83030: setsockopt(0x17,0x,0x8,0xbfbfd99c,0x4) = 0 (0x0)
  83030: setsockopt(0x17,0x6,0x1,0xbfbfd99c,0x4) ERR#54 'Connection reset by peer'
  83030: gettimeofday(0xbfbfc428,0x0) = 0 (0x0)
  83030: getpid() = 83030 (0x14456)
  83030: sendto(0x5,0xbfbfc8c0,0,0x0,NULL,0x0) = 106 (0x6a)
  83030: geteuid() = 0 (0x0)
  83030: fstat(22,0xbfbfd0a0) = 0 (0x0)
  83030: getpeername(0x17,0xbfbfdaa0,0xbfbfda9c) ERR#57 'Socket is not connected'
  ...
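The causal order asked about above can be checked directly: abort a loopback TCP connection with an RST from the client side, then look at what the server-side socket reports. This is an added example, not code from the thread; it uses only the standard library and a constructed loopback endpoint. On FreeBSD the TCP layer answers setsockopt() on a dropped connection with ECONNRESET (the error in the smbd log), while Linux accepts the option silently; getpeername() reports ENOTCONN on both, which is the check that settles the question.

```python
import errno
import select
import socket
import struct


def _errno_of(call):
    """Run call(); return None on success or the errno it raised."""
    try:
        call()
        return None
    except OSError as exc:
        return exc.errno


def reset_probe(timeout=5.0):
    """Build a loopback TCP connection, have the client abort it with an RST,
    then report what the server-side socket says afterwards."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # constructed test endpoint, any free port
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server, _ = listener.accept()
    listener.close()

    # SO_LINGER with l_onoff=1, l_linger=0 turns close() into an abort:
    # the kernel sends RST instead of FIN, which is what the smbd peer did.
    client.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    client.close()

    # The incoming RST makes the server socket readable (error/hangup);
    # wait for it so the kernel has finished tearing the connection down.
    select.select([server], [], [], timeout)

    results = {
        "recv": _errno_of(lambda: server.recv(1)),
        "setsockopt": _errno_of(
            lambda: server.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)),
        "getpeername": _errno_of(server.getpeername),
    }
    server.close()
    return results


if __name__ == "__main__":
    for name, code in reset_probe().items():
        print(f"{name:12s} -> {'ok' if code is None else errno.errorcode[code]}")
```

The socket was already dead before setsockopt() ran, so the log line is a symptom of the peer's reset, not its cause.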
Re: IPSEC_ESP and if_tun failed
Your problem lies in that vpnc is opening a raw socket to get its ESP packets. However, when you enable ESP in the kernel, the kernel is already taking those packets, so you get the SOCK_RAW error: vpnc cannot get ESP packets because the kernel is handling them.

I do not know if options FAST_IPSEC will solve your problem.
Re: IPSEC_ESP and if_tun failed
On Sat, 5 Jun 2004, Jonathan Feally wrote:

> Your problem lies in that vpnc is opening a raw socket to get its ESP
> packets. However when you enable esp in the kernel, the kernel already
> is taking those packets, so you get the SOCK_RAW error as vpnc cannot
> get ESP packets because the kernel is handling them.
> I do not know if options FAST_IPSEC will solve your problem.

won't

-- 
Bjoern A. Zeeb  bzeeb at Zabbadoz dot NeT