On 10/25/13 20:40, Reyk Floeter wrote:
> On 25.10.2013, at 12:08, Peter J. Philipp <[email protected]> wrote:
>
>> I've been trying to set up a second gif tunnel that's encrypted with
>> ipsec (iked for key management), but I'm stuck on an error with iked.
>> Here is what I see and have:
>>
>> # route -T 1 exec iked -f /etc/iked.conf2
>> # Oct 25 17:59:44 uranus iked[32297]: pfkey_reply: message: Network is unreachable
>> Oct 25 17:59:44 uranus iked[32297]: fatal: pfkey_init: failed to block IPv6 traffic: Network is unreachable
>> Oct 25 17:59:44 uranus iked[21552]: ikev1 exiting
>>
>
> Can you try to run it with the command line option "-6" to disable the IPv6
> filter?
>
> Reyk
>

Reyk,

Thanks for replying/trying on my vaguely described problem. I did try -6 and it got stuck on inserting the SA flow with the same "Network is unreachable" error.

What I've done in the meanwhile is add a 'V' flag to iked that takes the argument of an rdomain, I setsockopt this to only the udp sockets and it seems to be working. Problem now is that I can't run 2 iked together as one will wipe the other's SAs and flows, and I'm trying to look at what I can do so it doesn't wipe it all at startup.

I think the way I'm doing it is likely wrong but I can't write a config file addition to add rdomains just for the sockets on port 500 and 4500.

Cheers,
-peter

>>
>> # netstat -nrfinet -T1
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
>> 127/8              127.0.0.1          UGRS       0        0 33196     8 lo1
>> 127.0.0.1          127.0.0.1          UH         1        0 33196     4 lo1
>> 192.168.178/24     link#11            UC         2        0     -     4 urtwn0
>> 192.168.178.1      24:65:11:b8:ed:5e  UHLc       0        3     -     4 urtwn0
>> 192.168.178.64     00:00:24:d0:1e:a4  UHLc       0      568     -     4 urtwn0
>>
>> # pfctl -srules |grep rdomain
>> pass out on rdomain 1 all flags S/SA
>> pass in on rdomain 1 all flags S/SA
>>
>> Can anyone spot what I'm doing wrong?
>>
>> This is OpenBSD version 5.3 (still waiting for 5.4 to arrive in mail).
>>
>> -peter

