Andrew Reilly wrote:
> Hi there,
>
> I used ports/security/vpnc with some success some time ago, but
> then stopped because I didn't need it. Since then I've
> upgraded my -STABLE many times, and portupgrade has upgraded
> vpnc at least once, and now it doesn't seem to work anymore.
> I've been poking it quite vigorously, this afternoon, without
> much success: I can start it from the command line, with
> debugging turned on and no-disconnect from the control terminal,
> and can see from the debug trace that connection, authentication and
> network route setup all seem perfect. Just no packets ever seem
> to get through the tun0 link.
>
I'm running -CURRENT so the situation isn't identical but vpnc works fine
here. This is through NAT with vpnc-0.4.0_1

{root@prawn}#vpnc
add host 80.169.168.42: gateway 192.168.10.2
add net 10.49.11.0: gateway 10.100.223.50
add net 10.44.19.0: gateway 10.100.223.50
VPNC started in background (pid: 24376)...
[~](14:19:30)
{root@prawn}#!ftp
-su: !ftp: event not found
[~](14:19:32)
{root@prawn}#ftp 10.49.11.252
Connected to 10.49.11.252.
220 Access to this system is restricted to authorised users only. If you
are not authorised please disconnect now. All transfers are logged.
Name (10.49.11.252:jhary): ^C
[~](14:20:07)
{root@prawn}#vpnc-disconnect
Terminating vpnc daemon (pid: 24376)

> Now, I remember from long ago that vpnc does not like IPSec in
> the kernel, because (from memory) the kernel gets to the esp
> packets before vpnc (which handles them in user-space), and the
> wrong thing happens. The difference, now, seems to be that
> there is no longer a config option to disable IPSEC. Or is
> there?
>
> Is there any way to disable kernel IPSEC in 6-STABLE?
>
It's not enabled in GENERIC, so you won't have IPSEC unless you have built
a custom kernel.
Can't offer much beyond that though, I'm afraid. Has it set up the routing
correctly?
Sorry I can't help more,
Vince
> There doesn't seem to be anything in kldstat to indicate that
> any ipsec foo has been dynamically loaded. Indeed, there
> doesn't seem to be anything in sysctl -a relating to ipsec
> either: does that mean that it somehow *is* disabled?
>
> Any other thoughts on how to improve my situation?
>
> Cheers,
>