Re: racoon behaviour when SA expires

2005-02-01 Thread Chris Cowen
Alex wrote: Hi Chris, SA in IPsec can expire really quick, it depends how often it is required for SPD key negotiation. Once SPD is established, the SA will be required only when a new tunnel key is needed. Try to put a really low delay on both SAD & SPD and turn racoon debug on to see why your

RE: dummynet and vr(4)/egress broken in 4.11 ?

2005-02-01 Thread Nickolay Kritsky
Are you using ipnat for NAT'ing? If yes, can you post your ipnat rules?
Nick
-----Original Message-----
From: Jeremie Le Hen [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 30, 2005 5:40 PM
To: freebsd-net@freebsd.org
Subject: Re: dummynet and vr(4)/egress broken in 4.11 ?
> I didn't change my

Two NIC's connected to same subnet: routing question

2005-02-01 Thread Xin LI
Dear folks, I think I got confused with the routing problem we will have when at least two NIC's are connected into the same subnet. The scenario:
em0: 192.168.0.1/24
em1: 192.168.0.2/24
We can't simply configure like this, since 192.168.0.0/24 network route exists as soon as either em0 or em1 i

RE: Two NIC's connected to same subnet: routing question

2005-02-01 Thread Henry Su
You can configure both NICs as /32. You also need proxy arp installed and listening on both NICs. Then the traffic should be able to flow between the two NICs. Since Proxy ARP always answers with its MAC to clients, the clients can always send traffic to em1 or em0. Based on client's mac entry in the ARP ta

multihome routing help

2005-02-01 Thread Tom Farrell
BSD 5.0, 3 NIC cards.
Card 1 connects to DSL network and assigned routable IP from the ISP
Card 2 connects to a private frame-relay network and is assigned 192.168.66.2/22 directly connected interface is 192.168.66.1/22
Card 3 connects lan is assigned 192.168.67.0/2

gigabit nic recommendations

2005-02-01 Thread Lister
What is a good Gb NIC for these criteria:
* FBSD 4.11 now, 5.X later
* prefer 64 bit, 32 bit slots all full. Is there any other advantage to 64 bit? e.g. speed? system load?
* I would like not to spend a king's ransom :)
* RJ-45 (Cisco 29XX w/ RJ-45 GBIC)
If it helps, this is the motherboard : ht

Re: racoon behaviour when SA expires

2005-02-01 Thread Crist J. Clark
On Tue, Feb 01, 2005 at 02:19:22PM +, Chris Cowen wrote:
> Alex wrote:
> >Hi Chris,
> >
> >SA in IPsec can expire really quick, it depends how often it is required
> >for SPD key negotiation. Once SPD is established, the SA will be
> >required only when a new tunnel key is needed. Try to put

NAT-T Implementation

2005-02-01 Thread Crist J. Clark
Now that NAT-T has moved on from Internet Draft to RFC, does anyone out there know if anyone is working on an implementation for FAST_IPSEC or KAME? I believe the isakmpd(8) daemon in ports supports it, but AFAIK, the kernel does not. Short of some really ugly divert(4) or netgraph(4) kludges (that