vpnc on OpenBSD (working), was: Re: [vpnc-devel] preparing next release (0.3.3)

Hans-Werner Hilse hilse at web.de
Fri May 20 22:07:11 CEST 2005

Hi Maurice,

On Thu, 5.05.2005, 20:04, Maurice Massar wrote:

> I have made some updates to svn the last few days and will make a
> release soon. Can someone running Free-/Net-/OpenBSD or Solaris tell me
> if the new vpn-script works at all? (o:

I just wanted to give some short information about how to get vpnc 0.3.3
running on OpenBSD (3.7, actually, but that should be similar with earlier

- the script fails: A few calls ( e.g. "for((" ) fail with csh (OpenBSD's
/bin/sh), so I installed bash and modified the shebang accordingly
- the script still fails: That IPROUTE="`which ip 2> /dev/null`" doesn't
"which" doesn't seem to write the error to the stderr, but to the stdout
instead. So you'd end up with the error there. I moved that to the "Linux"
section below and set it to "" if not on Linux.

- yep, it works. But only until first packets are exchanged. This may
differ depending on the OpenBSD version:
- The problem actually seems to be the OpenBSD kernel. It seems that the
kernel interrupts the UDP-encapsulated ESP packets. I've had a hard time
to find this out as there was no indication where the packets go (they
were visible on the incoming interface but not reaching the "poll" call).
At first sight, it seemed to be a routing problem.
- Simple solution: edit your sysctl.conf!
net.inet.esp.enable=0           # 0=Disable the ESP IPsec protocol
net.inet.ah.enable=0            # 0=Disable the AH IPsec protocol
net.inet.esp.udpencap=0         # 0=Disable ESP-in-UDP encapsulation

disclaimer: I don't know if disabling esp/ah is actually really necessary.
_And_ I don't know if the last problem occurs if one doesn't use UDP

I've found some descriptions of the error on the net but no one suggested a
solution. Maybe it's worth a notice on the vpnc home page? Anyone to try
raw-ESP on OpenBSD without those sysctls?
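As an added example (not code from the vpnc project's vpn-script or from the poster), the following POSIX sh fragment shows portable replacements for the two script constructs reported failing above (the `which`-based IPROUTE detection and the bash-only `for((` loop), plus an offline check that a sysctl.conf-style text contains the three settings from the post set to 0. The function names, the `uname -s` dispatch and the sample sysctl.conf text are assumptions made here for illustration.

```sh
#!/bin/sh
# Added example, not the vpnc project's vpn-script: POSIX-sh replacements for
# two constructs the post reports failing under OpenBSD's /bin/sh, plus a
# check of the sysctl.conf settings the post recommends.

# 1. On OpenBSD, "which" prints its not-found message to stdout, so
#    IPROUTE=`which ip 2>/dev/null` captures that text instead of a path.
#    "command -v" is POSIX and prints nothing on failure. iproute2 is
#    Linux-only, so only look for it there (mirrors the post's move of the
#    detection into the "Linux" section, empty elsewhere).
find_iproute() {
    case "$(uname -s)" in
        Linux) command -v ip 2>/dev/null || true ;;
        *)     ;;   # empty IPROUTE on the BSDs and Solaris
    esac
}

# 2. bash's "for ((i=0; i<n; i++))" is not POSIX; a while loop with $(( ))
#    arithmetic is. Prints the numbers 0..n-1 separated by single spaces.
count_to() {
    n=$1; i=0; out=""
    while [ "$i" -lt "$n" ]; do
        out="$out $i"
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# 3. Read sysctl.conf-style text on stdin and succeed (exit 0) only if the
#    three keys from the post are all set to 0. Comment lines, blank lines
#    and trailing "# ..." comments are tolerated; a missing key counts as
#    "not disabled", so the check fails closed.
ipsec_offload_disabled() {
    awk -F= '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key)
            sub(/#.*/, "", val); gsub(/[[:space:]]/, "", val)
            seen[key] = val
        }
        END {
            split("net.inet.esp.enable net.inet.ah.enable net.inet.esp.udpencap", want, " ")
            for (k in want) if (seen[want[k]] != "0") exit 1
            exit 0
        }'
}

# Constructed sample input mirroring the sysctl.conf lines in the post.
SAMPLE_SYSCTL_CONF='net.inet.esp.enable=0           # 0=Disable the ESP IPsec protocol
net.inet.ah.enable=0            # 0=Disable the AH IPsec protocol
net.inet.esp.udpencap=0         # 0=Disable ESP-in-UDP encapsulation'

# Usage when run directly, e.g. against the live file on an OpenBSD box:
#   ipsec_offload_disabled < /etc/sysctl.conf && echo "kernel ESP/AH/udpencap disabled"
# Against the constructed sample:
#   printf '%s\n' "$SAMPLE_SYSCTL_CONF" | ipsec_offload_disabled && echo "sample ok"
```

The sysctl check only inspects the file; whether the running kernel has picked the values up still needs `sysctl -n net.inet.esp.udpencap` (and the two siblings) on the machine itself, which is the state that decides whether vpnc's UDP-encapsulated ESP reaches its poll loop.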


