Bjoern,
Well, now the puzzle deepens. I noticed about 5 minutes before your email
came through that I have NO *ipsec* or *net.key* sysctls at all.
It's like the crypto subsystem isn't getting pulled into my kernel
compile, even though it's in the config. Whaaaat? I wonder if my src tree is
jacked. But how could the kernel build if it didn't have all the bits that
are in my kernel config? Maybe I pulled a src update in the middle of
someone's commit? This is really weird.
Kernel Config of the server in question:
# $FreeBSD: stable/10/sys/amd64/conf/GENERIC 272313 2014-09-30 16:55:19Z bz $
cpu HAMMER
ident PRIYANKA
#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
#makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options TCP_OFFLOAD # TCP offload
options SCTP # Stream Control Transmission Protocol
#options FFS # Berkeley Fast Filesystem
#options SOFTUPDATES # Enable FFS soft updates support
#options UFS_ACL # Support for access control lists
#options UFS_DIRHASH # Improve performance on big directories
#options UFS_GJOURNAL # Enable gjournal-based UFS journaling
#options QUOTA # Enable disk quotas for UFS
options MD_ROOT # MD is a potential root device
#options NFSCL # New Network Filesystem Client
#options NFSD # New Network Filesystem Server
#options NFSLOCKD # Network Lock Manager
#options NFS_ROOT # NFS usable as /, requires NFSCL
#options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
#options GEOM_RAID # Soft RAID functionality.
options GEOM_LABEL # Provides labelization
options COMPAT_FREEBSD32 # Compatible with i386 binaries
#options COMPAT_FREEBSD4 # Compatible with FreeBSD4
#options COMPAT_FREEBSD5 # Compatible with FreeBSD5
#options COMPAT_FREEBSD6 # Compatible with FreeBSD6
#options COMPAT_FREEBSD7 # Compatible with FreeBSD7
#options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
options CAPABILITY_MODE # Capsicum capability mode
options CAPABILITIES # Capsicum capabilities
options PROCDESC # Support for process descriptors
options MAC # TrustedBSD MAC Framework
#options KDTRACE_FRAME # Ensure frames are compiled in
#options KDTRACE_HOOKS # Kernel DTrace hooks
options DDB_CTF # Kernel ELF linker loads CTF data
options INCLUDE_CONFIG_FILE # Include this file in kernel
options CAPABILITY_MODE # Enable Capsicum sandboxing support
options CAPABILITIES # ""
options PROCDESC # ""
# Debugging support. Always need this:
options KDB # Enable kernel debugger support.
options KDB_TRACE # Print a stack trace for a panic.
# Make an SMP-capable kernel by default
options SMP # Symmetric MultiProcessor Kernel
# CPU frequency control
device cpufreq
# Bus support.
device acpi
options ACPI_DMAR
device pci
# Floppy drives
#device fdc
# ATA controllers
device ahci # AHCI-compatible SATA controllers
device ata # Legacy ATA/SATA controllers
options ATA_STATIC_ID # Static device numbering
#device mvs # Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
#device siis # SiliconImage SiI3124/SiI3132/SiI3531 SATA
# ATA/SCSI peripherals
device scbus # SCSI bus (required for ATA/SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct ATA/SCSI access)
device ses # Enclosure Services (SES and SAF-TE)
device ctl # CAM Target Layer
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
#device psm # PS/2 mouse
#device kbdmux # keyboard multiplexer
device vga # VGA video card driver
options VESA # Add support for VESA BIOS Extensions (VBE)
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
options SC_PIXEL_MODE # add support for the raster text mode
# vt is the new video console driver
device vt
device vt_vga
device vt_efifb
device agp # support several AGP chipsets
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device re # RealTek 8139C+/8169/8169S/8110S
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device padlock_rng # VIA Padlock RNG
device rdrand_rng # Intel Bull Mountain RNG
device ether # Ethernet support
device vlan # 802.1Q VLAN support
device tun # Packet tunnel.
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
device firmware # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
# USB support
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device xhci # XHCI PCI->USB interface (USB 3.0)
device usb # USB Bus (required)
device ukbd # Keyboard
device umass # Disks/Mass storage - Requires scbus and da
# Sound support
device sound # Generic sound driver (required)
device snd_hda # Intel High Definition Audio
# MMC/SD
#device mmc # MMC/SD bus
#device mmcsd # MMC/SD memory card
#device sdhci # Generic PCI SD Host Controller
# VirtIO support
device virtio # Generic VirtIO bus (required)
device virtio_pci # VirtIO PCI device
device vtnet # VirtIO Ethernet device
device virtio_blk # VirtIO Block device
device virtio_scsi # VirtIO SCSI device
device virtio_balloon # VirtIO Memory Balloon device
# HyperV drivers
device hyperv # HyperV drivers
# Xen HVM Guest Optimizations
# NOTE: XENHVM depends on xenpci. They must be added or removed together.
options XENHVM # Xen HVM kernel infrastructure
device xenpci # Xen HVM Hypervisor services driver
# VMware support
device vmx # VMware VMXNET3 Ethernet
# IPSec support
options IPSEC # Enable IPSec support
device crypto # Use the Crypto framework
device cryptodev
options IPSEC_FILTERTUNNEL # Allowing packet filtering on tunneled packets
device enc # Support for the encapsulating interface
On Thu, Jan 1, 2015 at 5:40 PM, Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net> wrote:
>
> > On 01 Jan 2015, at 04:36 , Chris Watson <bsdunix44 at gmail.com> wrote:
> >
> > So I have been running a stable ipsec tunnel between my MacBook Pro and a
> > FreeBSD 10-stable server. I just rebuilt world today and racoon has become
> > pissy and refuses to start, and as usual with ipsec, debugging it is like
> > winning gold in the pain olympics. So here's the issue: my working config
> > has not changed at all. I'm simply running a new FreeBSD 10-stable r276472
> > world + kernel. I have looked all over at UPDATING, source commits to
> > stable, google, etc. and I can't figure this error out.
>
> Do you know the old revision as well, to limit the search time?
>
>
> > Anytime I try to start racoon it looks like it starts but it doesn't. The
> > only error I can get is to run it with "racoon -F -ddd -f
> > /usr/local/etc/racoon/racoon.conf", and I get the following
> >
> > "ERROR: libipsec failed pfkey open (Address family not supported by
> > protocol family)
> > racoon: failed to initialize pfkey socket"
> >
> > Doing a "setkey -F" produces "pfkey_open: Address family not supported by
> > protocol family"
>
>
> That smells like a raw socket issue to me. But the only change there I
> can remember is that someone changed the source address selection, and
> nothing that would trigger this.
>
> You could turn net.inet.ipsec.debug to 0xff and check that there is
> nothing in dmesg -a after trying to start racoon, just to rule that out.
>
> Also could you paste the output of `sysctl -a | grep ipsec` and `sysctl -a
> net.key` just trying to make sure ? ;-)
>
>
> —
> Bjoern A. Zeeb Charles Haddon Spurgeon:
> "Friendship is one of the sweetest joys of life. Many might have failed
> beneath the bitterness of their trial had they not found a friend."
>
>