-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathBUGS
88 lines (65 loc) · 3.6 KB
/
BUGS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
$Id: BUGS,v 1.30 2009/03/26 04:26:00 fukumoto Exp $
common issues
+ Lifetime of byte only works on Linux based OS, though racoon2 will
exchange the lifetime of byte during its negotiation. It is not
a matter of racoon2. The kernel code has to be fixed in order to use
this function.
+ NetBSD kernel that enabled NAT-T, which you defined options IPSEC_NAT_T
when you built your kernel, can not send packets which triggered
keying when there is no NAT box between the communication. racoon2
can exchange a parameter with its peer, and racoon2 can install a
pair of SAs into the kernel, but the kernel seems not to find a
suitable SA. Currently, we are not thinking that this is a bug
of racoon2. This is most likely fixed in NetBSD > 8.0.
+ IKEv1 connections do not work after an IKEv2 connection has been
made without rebooting the system. It is not sufficient to restart
racoon2. The issue currently being investigated.
spmd(8)
+ In some configurations, spmd(8) does not install the desired
security policies into the kernel. The issue currently being
investigated.
iked(8)
+ "default" clause of configuration file is used for two purposes:
to provide default values for individual field for other sections
of configuration, and to specify default kmp configuration when
the responder received a message from unknown peer. In latter
case, when "default" clause lacks some necessary fields, error
message may be cryptic, since it is not checked by configuration
check routine of iked. (Probably it will result in "no proposal
chosen".)
+ SA bundles (e.g. AH+ESP) does not conform to protocol spec.
+ The certificate authentication method is not yet tested.
+ After rekeying IKE_SA, iked may spit some warning messages, if
the rekey negotiation or delete request was started from both
ends at once.
+ NAT-T is not available on Mac OS X. We could not specify the second
binding port (i.e. 4500), which are usually used for NAT-T. If you
specify it, racoon2 cannot send packets. So please use --disable-natt
when compiling.
+ IKEv1 NAT-T only works under limited situations in which
a user knows the outer address of the NAT box in advance and
configures the address into peers_ipaddr and peers_sa_ipaddr.
If you would like to use NAT-T automatically, please use IKEv2
protocol instead.
+ In IKEv1 phase 1, only Main mode is supported.
(Aggressive mode is not supported.)
+ Due to a Linux kernel bug (as of 2.6.22), IKEv1 Dead-Peer
Detection cannot be used on Linux. That is, non-zero dpd_delay
may NOT be specified in configuration.
+ DH negotiation with MODP Group 3072-bit and 6144-bit are broken
on x86 machines with some versions of OpenSSL. It probably appears
OpenSSL 0.9.8f and fixed in 0.9.8h. For more information, please
refer to
http://www.mail-archive.com/[email protected]/msg23228.html
kinkd(8)
+ User-to-User mode is not yet available (and thus the GETTGT command
and related payloads are not yet implemented).
+ Retrieving ticket is currently implemented as a blocking
operation. Therefore kinkd will be stalled for a while if there
is no answer from the KDC (the KDC is not responding, packets
are dropped, etc).
+ The replay cache is not preserved across restarts.
+ When linked with the MIT krb5 library, the credential cache size
(thus the virtual size of the daemon) will continue to grow and
never be reduced.
+ SA bundles (e.g. AH+ESP) in tunnel mode do not work.