I read the flying racoons articles with great interest and I’ve been trying to test them out myself. I’ve got a pair of Macs running 10.2.1, and have just tried to set up a simple transport connection between them with this sort of setup:
spdadd 10.10.50.129/32 10.10.50.186/32 any -P out ipsec esp/transport/10.10.50.129-10.10.50.186/require;
spdadd 10.10.50.186/32 10.10.50.129/32 any -P in ipsec esp/transport/10.10.50.186-10.10.50.129/require;
I’ve also got the racoons up and running on both machines.
When I try to connect from one to the other, after running the setkey commands above, I can’t get any packets to go out on the wire (watching with tcpdump). I can’t even ping the other machine (if I run ‘setkey -FP’ everything goes back to normal and I can ping again). I noticed in ‘netstat -s’ the following that seems to shed some light:
ipsec:
	0 inbound packets processed successfully
	0 inbound packets violated process security policy
	0 inbound packets with no SA available
	0 invalid inbound packets
	0 inbound packets failed due to insufficient memory
	0 inbound packets failed getting SPI
	0 inbound packets failed on AH replay check
	0 inbound packets failed on ESP replay check
	0 inbound packets considered authentic
	0 inbound packets failed on authentication
	0 outbound packets processed successfully
	0 outbound packets violated process security policy
	576 outbound packets with no SA available
	0 invalid outbound packets
	0 outbound packets failed due to insufficient memory
	0 outbound packets with no route
Anyone know what that might mean, and what is causing it?
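The counter the poster singled out is the one that matters: an SPD entry with the `require` level drops every outbound packet for which no matching SA exists (and sends an acquire to the IKE daemon), and that SA only appears once racoon, listening on UDP/500, has completed a negotiation. As an added example that is not code from this thread or from the articles it refers to, here is a small shell function that pulls the IPsec counters out of `netstat -s` and exits non-zero when that counter is non-zero. The function name, the assumption that `netstat -s` prints unindented `ipsec:` style section headers followed by counter lines, and the exit-code convention are all choices made here:

```sh
#!/bin/sh
# Added example, not code from the thread: summarize the IPsec counters in
# `netstat -s` and flag "outbound packets with no SA available", the counter
# that means the SPD demands ESP but IKE never installed an SA.
# Usage on the Mac:  netstat -s | ipsec_no_sa
# Exit status (assumed convention): 0 = no outbound drops, 2 = drops seen.
ipsec_no_sa() {
    awk '
        # Protocol headers in netstat -s are unindented "name:" lines; track
        # whether we are inside the ipsec: block (assumed 10.2 layout).
        /^[A-Za-z0-9]+:$/ { sect = ($1 == "ipsec:"); next }
        sect && /outbound packets with no SA available/ { out_no_sa = $1 + 0 }
        sect && /inbound packets with no SA available/  { in_no_sa  = $1 + 0 }
        END {
            printf "outbound no-SA: %d, inbound no-SA: %d\n", out_no_sa, in_no_sa
            if (out_no_sa > 0) {
                print "SPD requires ESP but no SA exists: IKE (racoon, UDP/500) never negotiated one"
                exit 2
            }
        }'
}
```

Run it once before and once after attempting the connection: if the outbound figure climbs while `setkey -D` shows no SAs, the policy is fine and the problem is on the IKE side, which is exactly the situation described in this thread.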
I’ve now figured out (partly) what was causing the problem. Something in Classic had grabbed port 500, stopping the racoon process from working properly. I found out by running racoon in debug mode:
racoon -f /etc/racoon/racoon.conf -d -d -d -F -v
Once I shut down Classic I could connect between my two Macs no problem.
So far I haven’t been able to figure out what it is in Classic that is using port 500 though. 🙁
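A pre-flight check for the conflict this post describes, added here as an example (it is not the poster's code or anything from the articles): before starting racoon, confirm that nothing already owns UDP/500 (ISAKMP). The function reads `netstat -an` output on standard input so it can be exercised against a captured copy; the function name, the exit-code convention and the assumption that the local address is the fourth column are choices made here.

```sh
#!/bin/sh
# Added example, not code from the thread: before starting racoon, check that
# nothing already owns UDP/500 (ISAKMP). Reads `netstat -an` on stdin so it
# can be tested against a captured copy. Usage on the Mac:
#   netstat -an | udp500_in_use && echo "free UDP/500 before starting racoon"
# Exit status (assumed convention): 0 = port bound (conflict), 1 = free.
udp500_in_use() {
    awk '
        # Mac OS X prints UDP sockets as  "udp4  0  0  *.500  *.*";
        # Linux prints                     "udp   0  0  0.0.0.0:500  0.0.0.0:*".
        # Column 4 is the local address; match a port suffix of .500 or :500.
        $1 ~ /^udp/ && $4 ~ /[.:]500$/ { found = 1; print "UDP/500 already bound: " $0 }
        END { if (found) exit 0; exit 1 }'
}
```

`netstat -an` does not name the owning process, so once the check fires, the racoon debug run the poster used (`racoon -d -d -d -F`) or `lsof -i UDP:500`, where available, is the next step to identify who grabbed the port.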
Figured out what it was in Classic that was causing the problem – the PGPNet extension! (pretty obvious really but I’d forgotten I had tested it out about a year ago). Thanks for the articles and the help!