>    I've just turned on IPSec between two machines, an i386 and Alpha,
> both running very recent currents, each has the IPSEC and IPSEC_ESP
> config options set, but does not have IP6 support enabled.  I used
> setkey and could establish what appear to be encrypted connections using
> vanilla telnet between the hosts, (can someone recommend a good packet
> sniffer to ensure this?  tcpflow ignored connections between the ipsec
> hosts.  I used tcpdump -x with a large snaplen and saw that sending a
> constant stream of 0's yielded different packets.)

I recommend that you try libpcap-3.5 and tcpdump-3.5, obtained
from www.tcpdump.org.
As far as I have tried it on -current, it successfully prints out
IPv6 and IPsec related headers.
Please add the --enable-ipv6 option to each configure.

To print out IPv6 packets,
  tcpdump -i ifname -p ip6
To print out IPsec esp packets,
  tcpdump -i ifname -p esp

>   What is curious, though, is that during a telnet, running any command
> to dump a large amount of information to the screen will lock up the
> connection forcing me to login again.  Similar things happen with ftp
> (locked up after logging in when I first issue an ls).  The surest way
> to lock up the connection is to go to /sys/compile/KERN and do an ls.
> Data piped to more (a screenful at a time) seems to be ok, but
> substantially more locks up TCP connections.  This does not occur with
> NFS (I build a kernel using it).

I suppose something goes wrong when multiple mbuf clusters are
used for an encrypted TCP connection.
When I tried to cat several different sized files,
catting files bigger than around
2048 (the mbuf cluster size) minus the protocol header size
seemed to cause the problem.

Because an mbuf cluster could be shared by multiple outstanding
packets, it might be encrypted multiple times.
I'll investigate this further.

>   I notice that setkey -D yields different numbers between the machines
> in terms of "current:" bytes.

That might depend on the logging timing:
the bytes are counted after ESP header removal on input
and with the ESP header on output.
I'll also check this further.

Thanks,
Yoshinobu Inoue
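As an added example (not part of this thread), the kind of check the original poster was after when asking for a packet sniffer: parse the raw IPv4/ESP packets that tcpdump -x would show, pull out the SPI and sequence number from the ESP header, and confirm that two packets carrying the same cleartext stream have different ciphertext. The two packets and their payload bytes are constructed here as placeholders, not real encryption output, and the ESP header is assumed to be the 8-byte SPI plus sequence number; the byte-count helper shows the "with header" versus "after header removal" accounting mentioned for the setkey -D counters.

```python
import struct

ESP_PROTO = 50  # IP protocol number for ESP


def parse_esp_packet(pkt: bytes):
    """Parse an IPv4 packet carrying ESP; return (spi, seq, ciphertext)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4           # header length in bytes
    if pkt[9] != ESP_PROTO:
        raise ValueError(f"not ESP (protocol {pkt[9]})")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    esp = pkt[ihl:total_len]
    if len(esp) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", esp[:8])  # SPI and sequence number
    return spi, seq, esp[8:]                  # rest is encrypted payload


def build_sample(spi: int, seq: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (IHL 5, proto 50, checksum left zero) + ESP."""
    total = 20 + 8 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, ESP_PROTO, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + struct.pack("!II", spi, seq) + payload


# Two constructed packets on the same SA: consecutive sequence numbers and
# placeholder ciphertext that differs even though the cleartext (all zeros)
# was the same for both.
PKT_A = build_sample(0x1000, 1, bytes.fromhex("9f3a0c7e2b11d4e5a0f6c3b28e9d1f40"))
PKT_B = build_sample(0x1000, 2, bytes.fromhex("4e71b3d80a5c6ef29137d2ab0c8fe461"))


def ciphertext_differs(p1: bytes, p2: bytes) -> bool:
    """True if both packets share an SPI, seq advances by one, and payloads differ."""
    spi1, seq1, c1 = parse_esp_packet(p1)
    spi2, seq2, c2 = parse_esp_packet(p2)
    return spi1 == spi2 and seq2 == seq1 + 1 and c1 != c2


def esp_byte_counts(pkt: bytes):
    """(bytes counted with the ESP header, bytes counted after its removal)."""
    _, _, payload = parse_esp_packet(pkt)
    return 8 + len(payload), len(payload)
```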
