From owner-freebsd-net@FreeBSD.ORG Sun Jul 12 13:23:09 2009
From: Rui Paulo
To: FreeBSD-Net
Date: Sun, 12 Jul 2009 14:23:03 +0100
Subject: HEADS UP: projects/mesh11s committed to HEAD

Hi,

Just a heads up to note that 802.11s D3.0 support has been committed to
HEAD. If you notice any wireless related problems, please inform me ASAP.

Thanks,
--
Rui Paulo

From owner-freebsd-net@FreeBSD.ORG Sun Jul 12 19:00:52 2009
Date: Sun, 12 Jul 2009 14:00:34 -0500
To: freebsd-net@freebsd.org
From: Len Conrad
Subject: Re: dump hangs on 7.1

>On Friday 10 July 2009 08:29:01 Len Conrad wrote:
>> FreeBSD 7.1-RELEASE #0: Thu Jan 1 14:37:25 UTC 2009
>> root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>>
>> CPU: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz (2496.26-MHz 686-class
>> CPU) Origin = "GenuineIntel" Id = 0x1067a Stepping = 10
>> AMD Features=0x20100000
>> AMD Features2=0x1
>> Cores per package: 4
>> real memory = 3484745728 (3323 MB)
>> avail memory = 3405537280 (3247 MB)
>> ACPI APIC Table:
>> FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
>> cpu0 (BSP): APIC ID: 0
>> cpu1 (AP): APIC ID: 1
>> cpu2 (AP): APIC ID: 2
>> cpu3 (AP): APIC ID: 3
>>
>>
>> /sbin/dump -0uanL -f - / | ssh dump_images@xxx.net dd
>> of=/var/ftp/dump_images/mx1-root-test
>>
>> dump has completed only once. Several other dumps have all gotten under
>> way, target file is created and increases until the hang.
>>
>> CTRL-C gets back to shell,eg:
>>
>> DUMP: Date of this level 0 dump: Fri Jul 10 10:25:33 2009
>> DUMP: Date of last level 0 dump: the epoch
>> DUMP: Dumping snapshot of /dev/da0s1d (/usr) to standard output
>> DUMP: mapping (Pass I) [regular files]
>> DUMP: mapping (Pass II) [directories]
>> DUMP: estimated 1713942 tape blocks.
>> DUMP: dumping (Pass III) [directories]
>> DUMP: dumping (Pass IV) [regular files]
>> ^C DUMP: Interrupt received.
>> DUMP: Do you want to abort dump?: ("yes" or "no") Killed by signal 2.
>> DUMP: Broken pipe
>> DUMP: The ENTIRE dump is aborted.
>>
>> Hangs always in Pass IV
>
>What's the output ps -auwwx|grep dump at the time of the dump.

when the dump hangs:

ps auxww | grep dump

root 61360 0.0 0.0 3128 1168 p0 I+ 1:47PM 0:00.06 /sbin/dump -0uanL -f - / (dump)
root 61361 0.0 0.1 5560 2768 p0 I+ 1:47PM 0:03.65 ssh xxx@xxx.net dd of=/var/ftp/dump_images/mx1-root-test
root 61364 0.0 0.0 3128 1528 p0 I+ 1:47PM 0:00.36 dump: /dev/da0s1a: pass 4: 92.66% done, finished in 0:00 at Sun Jul 12 13:47:52 2009 (dump)
root 61365 0.0 0.0 3128 1184 p0 I+ 1:47PM 0:00.29 /sbin/dump -0uanL -f - / (dump)
root 61366 0.0 0.0 3128 1184 p0 I+ 1:47PM 0:00.29 /sbin/dump -0uanL -f - / (dump)
root 61367 0.0 0.0 3128 1184 p0 I+ 1:47PM 0:00.29 /sbin/dump -0uanL -f - / (dump)
root 61382 0.0 0.0 1660 900 p1 R+ 1:48PM 0:00.00 grep dump

========

btw, with dump and dar failing, I tried rdiff-backup which succeeded.

Thanks
Len

From owner-freebsd-net@FreeBSD.ORG Sun Jul 12 19:28:29 2009
Date: Sun, 12 Jul 2009 12:21:32 -0700
From: "Li, Qing"
To: "Henri Hennebert"
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, freebsd-stable@freebsd.org
Subject: RE: 8.0-BETA1 - for the record - different paths followed by IPv4 and IPv6 for 'local' connections

The patch has been committed, svn revision 195643.

Thanks,

-- Qing


-----Original Message-----
From: Henri Hennebert [mailto:hlh@restart.be]
Sent: Sat 7/11/2009 3:09 AM
To: Li, Qing
Cc: freebsd-stable@freebsd.org; freebsd-net@freebsd.org
Subject: Re: 8.0-BETA1 - for the record - different paths followed by IPv4 and IPv6 for 'local' connections

Li, Qing wrote:
> Hi,
>
> Please try patch-7-10 in my home directory http://people.freebsd.org/~qingli/
> and let me know how it works out for you. I thought I had committed the patch
> but turned out I didn't.

I apply the patch, reset my pf.conf to its previous content and all is
running smoothly. By the way, I discover after my post that my
"solution" was not working for long (many bytes) connections and this is
solved too.

Many thanks for your time

Henri

PS please commit as soon as possible

>
>> On 8.0-BETA1 there is an asymmetry:
>>
>> netstat -rn display
>>
>> 192.168.24.1 link#3
>> ....
>> no entry for 2001:41d0:2:2d29:1:1::
>>
>
> This is by design as part of the new architecture in 8.0, which maintains
> the L2 ARP/ND6 and L3 routing tables separately.
>
> -- Qing
>
>
>
> -----Original Message-----
> From: owner-freebsd-stable@freebsd.org on behalf of Henri Hennebert
> Sent: Fri 7/10/2009 5:32 AM
> To: freebsd-stable@freebsd.org; freebsd-st@freebsd.org
> Subject: 8.0-BETA1 - for the record - different paths followed by IPv4 and IPv6 for 'local' connections
>
> Hello,
>
> After upgrading from 7.2-STABLE to 8.0-BETA1 I encounter a problem when
> connecting with firefox to a local apache server using the global
> unicast IPv6 address of the local machine. pf.conf must be updated!
>
> My configuration:
>
> [root@avoriaz ~]# ifconfig em0
>
> em0: flags=8843 metric 0 mtu 1500
> options=19b
> ether 00:1d:60:ad:2a:ce
> inet 192.168.24.1 netmask 0xffffff00 broadcast 192.168.24.255
> inet6 fe80::21d:60ff:fead:2ace%em0 prefixlen 64 scopeid 0x1
> inet6 2001:41d0:2:2d29:1:1:: prefixlen 80
> media: Ethernet 100baseTX (100baseTX )
> status: active
>
> [root@avoriaz ~]# host www.restart.bel
> www.restart.bel is an alias for avoriaz.restart.bel.
> avoriaz.restart.bel has address 192.168.24.1
> avoriaz.restart.bel has IPv6 address 2001:41d0:2:2d29:1:1::
>
> pf.conf:
>
> int_if="em0"
> block in log all
> block out log all
> set skip on lo0
> antispoof quick for $int_if inet
> # Allow trafic with physical internal network
> pass in quick on $int_if from ($int_if:network) to ($int_if) keep state
> pass out quick on $int_if from ($int_if) to ($int_if:network) keep state
>
> The problem:
>
> [root@avoriaz ~]# telnet -4 www.restart.bel 80
> Trying 192.168.24.1...
> Connected to avoriaz.restart.bel.
> Escape character is '^]'.
> ^]
> telnet> quit
> Connection closed.
> [root@avoriaz ~]# telnet -6 www.restart.bel 80
> Trying 2001:41d0:2:2d29:1:1::...
> --->Never connect and get a timeout!
>
> tcpdump and logging in pf show me that
>
> For a IPv4 connection:
> the packet from telnet to apache pass 2 times on lo0 (out and in)
> the answer packet from apache to telnet pass 2 times on lo0 (out and in)
>
> So no problem, there is `set skip on lo0'
>
> For a IPv6 connection:
> The first packet from telnet to apache pass 2 times on lo0 (out and in)
> The answer packet from apache to telnet path on em0 and is rejected
> due to the default flags S/SA.
>
> So I have to change pf.conf and replace the last line:
> pass out quick on $int_if from ($int_if) to ($int_if:network) \
> keep state flags any
>
> Then all is OK
>
> By the way, on 7.2
>
> netstat -rn display
>
> 192.168.24.1 00:1d:60:ad:2a:ce
> ....
> 2001:41d0:2:2d29:1:1:: 00:1d:60:ad:2a:ce
>
>
> On 8.0-BETA1 there is an asymmetry:
>
> netstat -rn display
>
> 192.168.24.1 link#3
> ....
> no entry for 2001:41d0:2:2d29:1:1::
>
> Hope it may help someone
>
> Henri
>

From owner-freebsd-net@FreeBSD.ORG Mon Jul 13 07:13:38 2009
Date: Mon, 13 Jul 2009 08:41:57 +0200
From: Balázs Mátéffy
To: freebsd-net@freebsd.org
Subject: Fwd: dump hangs on 7.1

Hi,

I had a similar error with 7.0, and found reference that there was
problem (as far as I can remember there was an issue with large disk I/O and
creating snapshots on the partition).
Dump was creating the files, and it hanged, sometimes it finishes like once
in ten for small partitions. Every time hangs at pass 4, but for me
sometimes it was unable to get back to the shell with ctrl + c, I had to
close my ssh session, but I could find the dump session in ps -ax.

I had the generic kernel, and I used freebsd-update to update to 7.2, now
it's working like a charm!

Because you don't have dump, please backup your system with another utility
before even thinking about the update, or you can still wait for the others
to tell you something useful.

Maybe some vmstat / gstat detail could be helpful to look up the resource
usage when dump hangs?

Best Regards,

Balázs.

2009/7/12 Len Conrad

> >On Friday 10 July 2009 08:29:01 Len Conrad wrote:
> >> FreeBSD 7.1-RELEASE #0: Thu Jan 1 14:37:25 UTC 2009
> >> root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
> >>
> >> CPU: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz (2496.26-MHz
> 686-class
> >> CPU) Origin = "GenuineIntel" Id = 0x1067a Stepping = 10
> >> AMD Features=0x20100000
> >> AMD Features2=0x1
> >> Cores per package: 4
> >> real memory = 3484745728 (3323 MB)
> >> avail memory = 3405537280 (3247 MB)
> >> ACPI APIC Table:
> >> FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
> >> cpu0 (BSP): APIC ID: 0
> >> cpu1 (AP): APIC ID: 1
> >> cpu2 (AP): APIC ID: 2
> >> cpu3 (AP): APIC ID: 3
> >>
> >>
> >> /sbin/dump -0uanL -f - / | ssh dump_images@xxx.net dd
> >> of=/var/ftp/dump_images/mx1-root-test
> >>
> >> dump has completed only once. Several other dumps have all gotten under
> >> way, target file is created and increases until the hang.
> >>
> >> CTRL-C gets back to shell,eg:
> >>
> >> DUMP: Date of this level 0 dump: Fri Jul 10 10:25:33 2009
> >> DUMP: Date of last level 0 dump: the epoch
> >> DUMP: Dumping snapshot of /dev/da0s1d (/usr) to standard output
> >> DUMP: mapping (Pass I) [regular files]
> >> DUMP: mapping (Pass II) [directories]
> >> DUMP: estimated 1713942 tape blocks.
> >> DUMP: dumping (Pass III) [directories]
> >> DUMP: dumping (Pass IV) [regular files]
> >> ^C DUMP: Interrupt received.
> >> DUMP: Do you want to abort dump?: ("yes" or "no") Killed by signal 2.
> >> DUMP: Broken pipe
> >> DUMP: The ENTIRE dump is aborted.
> >>
> >> Hangs always in Pass IV
> >
> >What's the output ps -auwwx|grep dump at the time of the dump.
>
> when the dump hangs:
>
> ps auxww | grep dump
>
> root 61360 0.0 0.0 3128 1168 p0 I+ 1:47PM 0:00.06 /sbin/dump
> -0uanL -f - / (dump)
>
> root 61361 0.0 0.1 5560 2768 p0 I+ 1:47PM 0:03.65 ssh
> xxx@xxx.net dd of=/var/ftp/dump_images/mx1-root-test
>
> root 61364 0.0 0.0 3128 1528 p0 I+ 1:47PM 0:00.36 dump:
> /dev/da0s1a: pass 4: 92.66% done, finished in 0:00 at Sun Jul 12 13:47:52
> 2009 (dump)
>
> root 61365 0.0 0.0 3128 1184 p0 I+ 1:47PM 0:00.29 /sbin/dump
> -0uanL -f - / (dump)
>
> root 61366 0.0 0.0 3128 1184 p0 I+ 1:47PM 0:00.29 /sbin/dump
> -0uanL -f - / (dump)
>
> root 61367 0.0 0.0 3128 1184 p0 I+ 1:47PM 0:00.29 /sbin/dump
> -0uanL -f - / (dump)
>
> root 61382 0.0 0.0 1660 900 p1 R+ 1:48PM 0:00.00 grep dump
>
> ========
>
> btw, with dump and dar failing, I tried rdiff-backup which succeeded.
>
> Thanks
> Len
>

From owner-freebsd-net@FreeBSD.ORG Mon Jul 13 07:17:28 2009
Date: Mon, 13 Jul 2009 09:17:24 +0200
From: Michael Gmelin
To: Balázs Mátéffy
Cc: freebsd-net@freebsd.org
Subject: Re: Fwd: dump hangs on 7.1

The problem you're referring to was fixed in 7.1 (we had the same issues
in 7.0 i386), so I don't think this is the problem Len is facing.

Balázs Mátéffy wrote:
> Hi,
>
> I had a similar error with 7.0, and found reference that there was
> problem (as far as I can remember there was an issue with large disk I/O and
> creating snapshots on the partition).
> Dump was creating the files, and it hanged, sometimes it finishes like once
> in ten for small partitions. Every time hangs at pass 4, but for me
> sometimes it was unable to get back to the shell with ctrl + c, I had to
> close my ssh session, but I could find the dump session in ps -ax.
>
> I had the generic kernel, and I used freebsd-update to update to 7.2, now
> it's working like a charm!
>
> Because you don't have dump, please backup your system with another utility
> before even thinking about the update, or you can still wait for the others
> to tell you something useful.
>
> Maybe some vmstat / gstat detail could be helpful to look up the resource
> usage when dump hangs?
>
> Best Regards,
>
> Balázs.
>
>
>
> 2009/7/12 Len Conrad
>
>
>>> On Friday 10 July 2009 08:29:01 Len Conrad wrote:
>>>> FreeBSD 7.1-RELEASE #0: Thu Jan 1 14:37:25 UTC 2009
>>>> root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>>>>
>>>> CPU: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz (2496.26-MHz
>> 686-class
>>>> CPU) Origin = "GenuineIntel" Id = 0x1067a Stepping = 10
>>>> AMD Features=0x20100000
>>>> AMD Features2=0x1
>>>> Cores per package: 4
>>>> real memory = 3484745728 (3323 MB)
>>>> avail memory = 3405537280 (3247 MB)
>>>> ACPI APIC Table:
>>>> FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
>>>> cpu0 (BSP): APIC ID: 0
>>>> cpu1 (AP): APIC ID: 1
>>>> cpu2 (AP): APIC ID: 2
>>>> cpu3 (AP): APIC ID: 3
>>>>
>>>>
>>>> /sbin/dump -0uanL -f - / | ssh dump_images@xxx.net dd
>>>> of=/var/ftp/dump_images/mx1-root-test
>>>>
>>>> dump has completed only once. Several other dumps have all gotten under
>>>> way, target file is created and increases until the hang.
>>>>
>>>> CTRL-C gets back to shell,eg:
>>>>
>>>> DUMP: Date of this level 0 dump: Fri Jul 10 10:25:33 2009
>>>> DUMP: Date of last level 0 dump: the epoch
>>>> DUMP: Dumping snapshot of /dev/da0s1d (/usr) to standard output
>>>> DUMP: mapping (Pass I) [regular files]
>>>> DUMP: mapping (Pass II) [directories]
>>>> DUMP: estimated 1713942 tape blocks.
>>>> DUMP: dumping (Pass III) [directories]
>>>> DUMP: dumping (Pass IV) [regular files]
>>>> ^C DUMP: Interrupt received.
>>>> DUMP: Do you want to abort dump?: ("yes" or "no") Killed by signal 2.
>>>> DUMP: Broken pipe
>>>> DUMP: The ENTIRE dump is aborted.
>>>>
>>>> Hangs always in Pass IV
>>> What's the output ps -auwwx|grep dump at the time of the dump.
>> when the dump hangs:
>>
>> ps auxww | grep dump
>>
>> root 61360 0.0 0.0 3128 1168 p0 I+ 1:47PM 0:00.06 /sbin/dump
>> -0uanL -f - / (dump)
>>
>> root 61361 0.0 0.1 5560 2768 p0 I+ 1:47PM 0:03.65 ssh
>> xxx@xxx.net dd of=/var/ftp/dump_images/mx1-root-test
>>
>> root 61364 0.0 0.0 3128 1528 p0 I+ 1:47PM 0:00.36 dump:
>> /dev/da0s1a: pass 4: 92.66% done, finished in 0:00 at Sun Jul 12 13:47:52
>> 2009 (dump)
>>
>> root 61365 0.0 0.0 3128 1184 p0 I+ 1:47PM 0:00.29 /sbin/dump
>> -0uanL -f - / (dump)
>>
>> root 61366 0.0 0.0 3128 1184 p0 I+ 1:47PM 0:00.29 /sbin/dump
>> -0uanL -f - / (dump)
>>
>> root 61367 0.0 0.0 3128 1184 p0 I+ 1:47PM 0:00.29 /sbin/dump
>> -0uanL -f - / (dump)
>>
>> root 61382 0.0 0.0 1660 900 p1 R+ 1:48PM 0:00.00 grep dump
>>
>> ========
>>
>> btw, with dump and dar failing, I tried rdiff-backup which succeeded.
>>
>> Thanks
>> Len
>>

From owner-freebsd-net@FreeBSD.ORG Mon Jul 13 11:07:01 2009
Date: Mon, 13 Jul 2009 11:07:00 GMT
From: FreeBSD bugmaster
To: freebsd-net@FreeBSD.org
Subject: Current problem reports assigned to freebsd-net@FreeBSD.org

Note: to view an individual PR, use:
http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/136618  net    [pf][stf] panic on cloning interface without unit numb
o kern/136482  net    [age] Attansic L1 Gigabit Ethernet recieves multicasts
o kern/136168  net    [em] em driver initialization fails on Intel 5000PSL m
o kern/135836  net    [bce] bce BCM5709 Watchdog after warm boot - ok after
o kern/135502  net    [periodic] Warning message raised by rtfree function i
o kern/135222  net    [igb] low speed routing between two igb interfaces
o kern/135067  net    [patch] [fib] Incorrect KASSERTs in sys/net/route.c
o kern/134931  net    [route] [fib] Route messages sent to all socket listen
o kern/134658  net    [bce] bce driver fails on PowerEdge m610 blade.
o kern/134583  net    [hang] Machine with jail freezes after random amount o
o kern/134531  net    [route] [panic] kernel crash related to routes/zebra
o kern/134401  net    [msk] [panic] Kernel Fatal trap 12: page fault while i
o kern/134369  net    [route] [ip6] IPV6 in Head broken for routing table up
o kern/134168  net    [ral] ral driver problem on RT2525 2.4GHz transceiver
o kern/134157  net    [dummynet] dummynet loads cpu for 100% and make a syst
o kern/134079  net    [em] "em0: Invalid MAC address" in FreeBSD-Current ( 8
o kern/133969  net    [dummynet] [panic] Fatal trap 12: page fault while in
o kern/133968  net    [dummynet] [panic] dummynet kernel panic
o kern/133902  net    [tun] Killing tun0 iface ssh tunnel causes Panic Strin
o kern/133736  net    [udp] ip_id not protected ...
o kern/133613  net    [wpi] [panic] kernel panic in wpi(4)
o kern/133595  net    [panic] Kernel Panic at pcpu.h:195
o kern/133572  net    [ppp] [hang] incoming PPTP connection hangs the system
o kern/133490  net    [bpf] [panic] 'kmem_map too small' panic on Dell r900
o kern/133328  net    [bge] [panic] Kernel panics with Windows7 client
o kern/133235  net    [netinet] [patch] Process SIOCDLIFADDR command incorre
o kern/133218  net    [carp] [hang] use of carp(4) causes system to freeze
o kern/133204  net    [msk] msk driver timeouts
o kern/133060  net    [ipsec] [pfsync] [panic] Kernel panic with ipsec + pfs
o kern/132991  net    [bge] if_bge low performance problem
o kern/132984  net    [netgraph] swi1: net 100% cpu usage
f bin/132911   net    ip6fw(8): argument type of fill_icmptypes is wrong and
o kern/132889  net    [ndis] [panic] NDIS kernel crash on load BCM4321 AGN d
o kern/132885  net    [wlan] 802.1x broken after SVN rev 189592
o conf/132851  net    [fib] [patch] allow to setup fib for service running f
o kern/132832  net    [netinet] [patch] tcp_output() might generate invalid
o bin/132798   net    [patch] ggatec(8): ggated/ggatec connection slowdown p
o kern/132734  net    [ifmib] [panic] panic in net/if_mib.c
o kern/132722  net    [ath] Wifi ath0 associates fine with AP, but DHCP or I
o kern/132705  net    [libwrap] [patch] libwrap - infinite loop if hosts.all
o kern/132672  net    [ndis] [panic] ndis with rt2860.sys causes kernel pani
o kern/132669  net    [xl] 3c905-TX send DUP! in reply on ping (sometime)
o kern/132625  net    [iwn] iwn drivers don't support setting country
o kern/132554  net    [ipl] There is no ippool start script/ipfilter magic t
o kern/132354  net    [nat] Getting some packages to ipnat(8) causes crash
o kern/132285  net    [carp] alias gives incorrect hash in dmesg
o kern/132277  net    [crypto] [ipsec] poor performance using cryptodevice f
o conf/132179  net    [patch] /etc/network.subr: ipv6 rtsol on incorrect wla
o kern/132107  net    [carp] carp(4) advskew setting ignored when carp IP us
o kern/131781  net    [ndis] ndis keeps dropping the link
o kern/131776  net    [wi] driver fails to init
o kern/131753  net    [altq] [panic] kernel panic in hfsc_dequeue
o bin/131567   net    [socket] [patch] Update for regression/sockets/unix_cm
o kern/131549  net    ifconfig(8) can't clear 'monitor' mode on the wireless
o kern/131536  net    [netinet] [patch] kernel does allow manipulation of su
o bin/131365   net    route(8): route add changes interpretation of network
o kern/131162  net    [ath] Atheros driver bugginess and kernel crashes
o kern/131153  net    [iwi] iwi doesn't see a wireless network
f kern/131087  net    [ipw] [panic] ipw / iwi - no sent/received packets; iw
f kern/130820  net    [ndis] wpa_supplicant(8) returns 'no space on device'
o kern/130628  net    [nfs] NFS / rpc.lockd deadlock on 7.1-R
o conf/130555  net    [rc.d] [patch] No good way to set ipfilter variables a
o kern/130525  net    [ndis] [panic] 64 bit ar5008 ndisgen-erated driver cau
o kern/130311  net    [wlan_xauth] [panic] hostapd restart causing kernel pa
o kern/130109  net    [ipfw] Can not set fib for packets originated from loc
f kern/130059  net    [panic] Leaking 50k mbufs/hour
o kern/129750  net    [ath] Atheros AR5006 exits on "cannot map register spa
f kern/129719  net    [nfs] [panic] Panic during shutdown, tcp_ctloutput: in
o kern/129580  net    [ndis] Netgear WG311v3 (ndis) causes kenel trap at boo
o kern/129517  net    [ipsec] [panic] double fault / stack overflow
o kern/129508  net    [carp] [panic] Kernel panic with EtherIP (may be relat
o kern/129352  net    [xl] [patch] xl0 watchdog timeout
o kern/129219  net    [ppp] Kernel panic when using kernel mode ppp
o kern/129197  net    [panic] 7.0 IP stack related panic
o kern/129135  net    [vge] vge driver on a VIA mini-ITX not working
o bin/128954   net    ifconfig(8) deletes valid routes
o kern/128917  net    [wpi] [panic] if_wpi and wpa+tkip causing kernel panic
o kern/128884  net    [msk] if_msk page fault while in kernel mode
o kern/128840  net    [igb] page fault under load with igb/LRO
o bin/128602   net    [an] wpa_supplicant(8) crashes with an(4)
o kern/128598  net    [bluetooth] WARNING: attempt to net_add_domain(bluetoo
o kern/128448  net    [nfs] 6.4-RC1 Boot Fails if NFS Hostname cannot be res
o conf/128334  net    [request] use wpa_cli in the "WPA DHCP" situation
o bin/128295   net    [patch] ifconfig(8) does not print TOE4 or TOE6 capabi
o bin/128001   net    wpa_supplicant(8), wlan(4), and wi(4) issues
o kern/127928  net    [tcp] [patch] TCP bandwidth gets squeezed every time t
o kern/127834  net    [ixgbe] [patch] wrong error counting
o kern/127826  net    [iwi] iwi0 driver has reduced performance and connecti
o kern/127815  net    [gif] [patch] if_gif does not set vlan attributes from
o kern/127724  net    [rtalloc] rtfree: 0xc5a8f870 has 1 refs
f bin/127719   net    [arp] arp: Segmentation fault (core dumped)
s kern/127587  net    [bge] [request] if_bge(4) doesn't support BCM576X fami
f kern/127528  net    [icmp]: icmp socket receives icmp replies not owned by
o bin/127192   net    routed(8) removes the secondary alias IP of interface
f kern/127145  net    [wi]: prism (wi) driver crash at bigger traffic
o kern/127102  net    [wpi] Intel 3945ABG low throughput
o kern/127057  net    [udp] Unable to send UDP packet via IPv6 socket to IPv
o kern/127050  net    [carp] ipv6 does not work on carp interfaces [regressi
o kern/126945  net    [carp] CARP interface destruction with ifconfig destro
o kern/126924  net    [an] [patch] printf -> device_printf and simplify prob
o kern/126895  net    [patch] [ral] Add antenna selection (marked as TBD)
o kern/126874  net    [vlan]: Zebra problem if ifconfig vlanX destroy
o bin/126822   net    wpa_supplicant(8): WPA PSK does not work in adhoc mode
o kern/126714  net    [carp] CARP interface renaming makes system no longer
o kern/126695  net    rtfree messages and network disruption upon use of if_
o kern/126688  net    [ixgbe] [patch] 1.4.7 ixgbe driver panic with 4GB and
o kern/126475  net    [ath] [panic] ath pcmcia card inevitably panics under
o kern/126339  net    [ipw] ipw driver drops the connection
o kern/126214  net    [ath] txpower problem with Atheros wifi card
o kern/126075  net    [inet] [patch] internet control accesses beyond end of
o bin/125922   net    [patch] Deadlock in arp(8)
o kern/125920  net    [arp] Kernel Routing Table loses Ethernet Link status
o kern/125845  net    [netinet] [patch] tcp_lro_rx() should make use of hard
o kern/125816  net    [carp] [if_bridge] carp stuck in init when using bridg
f kern/125502  net    [ral] ifconfig ral0 scan produces no output unless in
o kern/125258  net    [socket] socket's SO_REUSEADDR option does not work
o kern/125239  net    [gre] kernel crash when using gre
o kern/124767  net    [iwi] Wireless connection using iwi0 driver (Intel 220
o kern/124753  net    [ieee80211] net80211 discards power-save queue packets
o kern/124341  net    [ral] promiscuous mode for wireless device ral0 looses
o kern/124160  net    [libc] connect(2) function loops indefinitely
o kern/124127  net    [msk] watchdog timeout (missed Tx interrupts) -- recov
o kern/124021  net    [ip6] [panic] page fault in nd6_output()
o kern/123968  net    [rum] [panic] rum driver causes kernel panic with WPA.
p kern/123961 net [vr] [patch] Allow vr interface to handle vlans o kern/123892 net [tap] [patch] No buffer space available o kern/123890 net [ppp] [panic] crash & reboot on work with PPP low-spee o kern/123858 net [stf] [patch] stf not usable behind a NAT o kern/123796 net [ipf] FreeBSD 6.1+VPN+ipnat+ipf: port mapping does not o bin/123633 net ifconfig(8) doesn't set inet and ether address in one f kern/123617 net [tcp] breaking connection when client downloading file o kern/123603 net [tcp] tcp_do_segment and Received duplicate SYN o kern/123559 net [iwi] iwi periodically disassociates/associates [regre o bin/123465 net [ip6] route(8): route add -inet6 -interfac o kern/123463 net [ipsec] [panic] repeatable crash related to ipsec-tool o kern/123429 net [nfe] [hang] "ifconfig nfe up" causes a hard system lo o kern/123347 net [bge] bge1: watchdog timeout -- linkstate changed to D o conf/123330 net [nsswitch.conf] Enabling samba wins in nsswitch.conf c o kern/123256 net [wpi] panic: blockable sleep lock with wpi(4) f kern/123172 net [bce] Watchdog timeout problems with if_bce o kern/123160 net [ip] Panic and reboot at sysctl kern.polling.enable=0 o kern/122989 net [swi] [panic] 6.3 kernel panic in swi1: net o kern/122954 net [lagg] IPv6 EUI64 incorrectly chosen for lagg devices o kern/122928 net [em] interface watchdog timeouts and stops receiving p f kern/122839 net [multicast] FreeBSD 7 multicast routing problem p kern/122794 net [lagg] Kernel panic after brings lagg(8) up if NICs ar o kern/122780 net [lagg] tcpdump on lagg interface during high pps wedge o kern/122772 net [em] em0 taskq panic, tcp reassembly bug causes radix o kern/122743 net [mbuf] [panic] vm_page_unwire: invalid wire count: 0 o kern/122697 net [ath] Atheros card is not well supported o kern/122685 net It is not visible passing packets in tcpdump(1) o kern/122551 net [bge] Broadcom 5715S no carrier on HP BL460c blade usi o kern/122319 net [wi] imposible to enable ad-hoc demo mode with Orinoco o 
kern/122290 net [netgraph] [panic] Netgraph related "kmem_map too smal f kern/122252 net [ipmi] [bge] IPMI problem with BCM5704 (does not work o kern/122195 net [ed] Alignment problems in if_ed o kern/122058 net [em] [panic] Panic on em1: taskq o kern/122033 net [ral] [lor] Lock order reversal in ral0 at bootup [reg o bin/121895 net [patch] rtsol(8)/rtsold(8) doesn't handle managed netw o kern/121872 net [wpi] driver fails to attach on a fujitsu-siemens s711 s kern/121774 net [swi] [panic] 6.3 kernel panic in swi1: net o kern/121706 net [netinet] [patch] "rtfree: 0xc4383870 has 1 refs" emit o kern/121624 net [em] [regression] Intel em WOL fails after upgrade to o kern/121555 net [panic] Fatal trap 12: current process = 12 (swi1: net o kern/121443 net [gif] [lor] icmp6_input/nd6_lookup o kern/121437 net [vlan] Routing to layer-2 address does not work on VLA o bin/121359 net [patch] ppp(8): fix local stack overflow in ppp o kern/121298 net [em] [panic] Fatal trap 12: page fault while in kernel o kern/121257 net [tcp] TSO + natd -> slow outgoing tcp traffic o kern/121181 net [panic] Fatal trap 3: breakpoint instruction fault whi o kern/121080 net [bge] IPv6 NUD problem on multi address config on bge0 o kern/120966 net [rum] kernel panic with if_rum and WPA encryption p docs/120945 net [patch] ip6(4) man page lacks documentation for TCLASS o kern/120566 net [request]: ifconfig(8) make order of arguments more fr o kern/120304 net [netgraph] [patch] netgraph source assumes 32-bit time o kern/120266 net [udp] [panic] gnugk causes kernel panic when closing U o kern/120232 net [nfe] [patch] Bring in nfe(4) to RELENG_6 o kern/120130 net [carp] [panic] carp causes kernel panics in any conste o bin/120060 net routed(8) deletes link-level routes in the presence of o kern/119945 net [rum] [panic] rum device in hostap mode, cause kernel o kern/119791 net [nfs] UDP NFS mount of aliased IP addresses from a Sol o kern/119617 net [nfs] nfs error on wpa network when reseting/shutdown 
f kern/119516 net [ip6] [panic] _mtx_lock_sleep: recursed on non-recursi o kern/119432 net [arp] route add -host -iface causes arp e o kern/119225 net [wi] 7.0-RC1 no carrier with Prism 2.5 wifi card [regr a bin/118987 net ifconfig(8): ifconfig -l (address_family) does not wor o sparc/118932 net [panic] 7.0-BETA4/sparc-64 kernel panic in rip_output a kern/118879 net [bge] [patch] bge has checksum problems on the 5703 ch o kern/118727 net [netgraph] [patch] [request] add new ng_pf module a kern/118238 net [bce] [patch] bce driver shows "no carrier" on Intel S s kern/117717 net [panic] Kernel panic with Bittorrent client. o kern/117448 net [carp] 6.2 kernel crash [regression] o kern/117423 net [vlan] Duplicate IP on different interfaces o bin/117339 net [patch] route(8): loading routing management commands o kern/117271 net [tap] OpenVPN TAP uses 99% CPU on releng_6 when if_tap o kern/117043 net [em] Intel PWLA8492MT Dual-Port Network adapter EEPROM o kern/116837 net [tun] [panic] [patch] ifconfig tunX destroy: panic o kern/116747 net [ndis] FreeBSD 7.0-CURRENT crash with Dell TrueMobile o bin/116643 net [patch] [request] fstat(1): add INET/INET6 socket deta o kern/116328 net [bge]: Solid hang with bge interface o kern/116185 net [iwi] if_iwi driver leads system to reboot o kern/115239 net [ipnat] panic with 'kmem_map too small' using ipnat o kern/115019 net [netgraph] ng_ether upper hook packet flow stops on ad o kern/115002 net [wi] if_wi timeout. failed allocation (busy bit). 
ifco o kern/114915 net [patch] [pcn] pcn (sys/pci/if_pcn.c) ethernet driver f o kern/113895 net [xl] xl0 fails on 6.2-RELEASE but worked fine on 5.5-R o kern/112722 net [ipsec] [udp] IP v4 udp fragmented packet reject o kern/112686 net [patm] patm driver freezes System (FreeBSD 6.2-p4) i38 o kern/112570 net [bge] packet loss with bge driver on BCM5704 chipset o bin/112557 net [patch] ppp(8) lock file should not use symlink name o kern/112528 net [nfs] NFS over TCP under load hangs with "impossible p o kern/111457 net [ral] ral(4) freeze o kern/110140 net [ipw] ipw fails under load o kern/109733 net [bge] bge link state issues [regression] o kern/109470 net [wi] Orinoco Classic Gold PC Card Can't Channel Hop o kern/109308 net [pppd] [panic] Multiple panics kernel ppp suspected [r o kern/109251 net [re] [patch] if_re cardbus card won't attach o bin/108895 net pppd(8): PPPoE dead connections on 6.2 [regression] o kern/108542 net [bce] Huge network latencies with 6.2-RELEASE / STABLE o kern/107944 net [wi] [patch] Forget to unlock mutex-locks o kern/107850 net [bce] bce driver link negotiation is faulty o conf/107035 net [patch] bridge(8): bridge interface given in rc.conf n o kern/106438 net [ipf] ipfilter: keep state does not seem to allow repl o kern/106316 net [dummynet] dummynet with multipass ipfw drops packets o kern/106243 net [nve] double fault panic in if_nve.c on high loads o kern/105945 net Address can disappear from network interface s kern/105943 net Network stack may modify read-only mbuf chain copies o bin/105925 net problems with ifconfig(8) and vlan(4) [regression] o kern/105348 net [ath] ath device stopps TX o kern/104851 net [inet6] [patch] On link routes not configured when usi o kern/104751 net [netgraph] kernel panic, when getting info about my tr o kern/104485 net [bge] Broadcom BCM5704C: Intermittent on newer chip ve o kern/103191 net Unpredictable reboot o kern/103135 net [ipsec] ipsec with ipfw divert (not NAT) encodes a pac o conf/102502 net 
[netgraph] [patch] ifconfig name does't rename netgrap o kern/102035 net [plip] plip networking disables parallel port printing o kern/101948 net [ipf] [panic] Kernel Panic Trap No 12 Page Fault - cau o kern/100709 net [libc] getaddrinfo(3) should return TTL info o kern/100519 net [netisr] suggestion to fix suboptimal network polling o kern/98978 net [ipf] [patch] ipfilter drops OOW packets under 6.1-Rel o kern/98597 net [inet6] Bug in FreeBSD 6.1 IPv6 link-local DAD procedu o bin/98218 net wpa_supplicant(8) blacklist not working f bin/97392 net ppp(8) hangs instead terminating o kern/97306 net [netgraph] NG_L2TP locks after connection with failed f kern/96268 net [socket] TCP socket performance drops by 3000% if pack o kern/96030 net [bfe] [patch] Install hangs with Broadcomm 440x NIC in o kern/95519 net [ral] ral0 could not map mbuf o kern/95288 net [pppd] [tty] [panic] if_ppp panic in sys/kern/tty_subr o kern/95277 net [netinet] [patch] IP Encapsulation mask_match() return o kern/95267 net packet drops periodically appear s kern/94863 net [bge] [patch] hack to get bge(4) working on IBM e326m o kern/94162 net [bge] 6.x kenel stale with bge(4) o kern/93886 net [ath] Atheros/D-Link DWL-G650 long delay to associate f kern/93378 net [tcp] Slow data transfer in Postfix and Cyrus IMAP (wo o kern/93019 net [ppp] ppp and tunX problems: no traffic after restarti o kern/92880 net [libc] [patch] almost rewritten inet_network(3) functi f kern/92552 net A serious bug in most network drivers from 5.X to 6.X s kern/92279 net [dc] Core faults everytime I reboot, possible NIC issu o kern/92090 net [bge] bge0: watchdog timeout -- resetting o kern/91859 net [ndis] if_ndis does not work with Asus WL-138 s kern/91777 net [ipf] [patch] wrong behaviour with skip rule inside an o kern/91594 net [em] FreeBSD > 5.4 w/ACPI fails to detect Intel Pro/10 o kern/91364 net [ral] [wep] WF-511 RT2500 Card PCI and WEP o kern/91311 net [aue] aue interface hanging o kern/90890 net [vr] Problems with 
network: vr0: tx shutdown timeout s kern/90086 net [hang] 5.4p8 on supermicro P8SCT hangs during boot if f kern/88082 net [ath] [panic] cts protection for ath0 causes panic o kern/87521 net [ipf] [panic] using ipfilter "auth" keyword leads to k o kern/87506 net [vr] [patch] Fix alias support on vr interfaces s kern/86920 net [ndis] ifconfig: SIOCS80211: Invalid argument [regress o kern/86103 net [ipf] Illegal NAT Traversal in IPFilter o kern/85780 net 'panic: bogus refcnt 0' in routing/ipv6 o bin/85445 net ifconfig(8): deprecated keyword to ifconfig inoperativ o kern/85266 net [xe] [patch] xe(4) driver does not recognise Xircom XE o kern/84202 net [ed] [patch] Holtek HT80232 PCI NIC recognition on Fre o bin/82975 net route change does not parse classfull network as given o kern/82497 net [vge] vge(4) on AMD64 only works when loaded late, not f kern/81644 net [vge] vge(4) does not work properly when loaded as a K s kern/81147 net [net] [patch] em0 reinitialization while adding aliase o kern/80853 net [ed] [patch] add support for Compex RL2000/ISA in PnP o kern/79895 net [ipf] 5.4-RC2 breaks ipfilter NAT when using netgraph f kern/79262 net [dc] Adaptec ANA-6922 not fully supported o bin/79228 net [patch] extend arp(8) to be able to create blackhole r o kern/78090 net [ipf] ipf filtering on bridged packets doesn't work if p kern/77913 net [wi] [patch] Add the APDL-325 WLAN pccard to wi(4) o kern/77341 net [ip6] problems with IPV6 implementation o kern/77273 net [ipf] ipfilter breaks ipv6 statefull filtering on 5.3 s kern/77195 net [ipf] [patch] ipfilter ioctl SIOCGNATL does not match o kern/75873 net Usability problem with non-RFC-compliant IP spoof prot s kern/75407 net [an] an(4): no carrier after short time f kern/73538 net [bge] problem with the Broadcom BCM5788 Gigabit Ethern o kern/71469 net default route to internet magically disappears with mu o kern/70904 net [ipf] ipfilter ipnat problem with h323 proxy support o kern/64556 net [sis] if_sis short cable fix 
problems with NetGear FA3 s kern/60293 net [patch] FreeBSD arp poison patch o kern/54383 net [nfs] [patch] NFS root configurations without dynamic f i386/45773 net [bge] Softboot causes autoconf failure on Broadcom 570 s bin/41647 net ifconfig(8) doesn't accept lladdr along with inet addr s kern/39937 net ipstealth issue a kern/38554 net [patch] changing interface ipaddress doesn't seem to w o kern/35442 net [sis] [patch] Problem transmitting runts in if_sis dri o kern/34665 net [ipf] [hang] ipfilter rcmd proxy "hangs". o kern/31647 net [libc] socket calls can return undocumented EINVAL o kern/30186 net [libc] getaddrinfo(3) does not handle incorrect servna o kern/27474 net [ipf] [ppp] Interactive use of user PPP and ipfilter c o conf/23063 net [arp] [patch] for static ARP tables in rc.network 306 problems total. From owner-freebsd-net@FreeBSD.ORG Mon Jul 13 15:14:02 2009 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E0B2D1065670; Mon, 13 Jul 2009 15:14:02 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id B51F78FC1A; Mon, 13 Jul 2009 15:14:02 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n6DFE2JD043115; Mon, 13 Jul 2009 15:14:02 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n6DFE2Wg043111; Mon, 13 Jul 2009 15:14:02 GMT (envelope-from linimon) Date: Mon, 13 Jul 2009 15:14:02 GMT Message-Id: <200907131514.n6DFE2Wg043111@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-net@FreeBSD.org From: linimon@FreeBSD.org Cc: Subject: Re: kern/136695: [ip] [patch] fwd reached after skipto in 
dynamic rules does not work in every case X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jul 2009 15:14:03 -0000 Old Synopsis: fwd reached after skipto in dynamic rules does not work in every case [PATCH] New Synopsis: [ip] [patch] fwd reached after skipto in dynamic rules does not work in every case Responsible-Changed-From-To: freebsd-bugs->freebsd-net Responsible-Changed-By: linimon Responsible-Changed-When: Mon Jul 13 15:13:10 UTC 2009 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=136695 From owner-freebsd-net@FreeBSD.ORG Mon Jul 13 15:29:59 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CBF4F1065670 for ; Mon, 13 Jul 2009 15:29:59 +0000 (UTC) (envelope-from rascal1981@gmail.com) Received: from mail-vw0-f172.google.com (mail-vw0-f172.google.com [209.85.212.172]) by mx1.freebsd.org (Postfix) with ESMTP id 8137D8FC13 for ; Mon, 13 Jul 2009 15:29:59 +0000 (UTC) (envelope-from rascal1981@gmail.com) Received: by vwj2 with SMTP id 2so1935237vwj.3 for ; Mon, 13 Jul 2009 08:29:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=4UkhU27/CHXuxGssbTL3uRalgp/p91Iu4JwZq7RLYG8=; b=M8JLjqjZjogxdChtj6xH6Z76sVHMdKfzSnYjVsNV683vh1wCX4KZBcZNha8GjePetI QZPp74AXEUEfOhh4ySs15EUXuAqrKmwH099vB9Ci51mPhgcUtf/fKheEqnuB9y1D6+GX W7v3kzT0vg4F0BNpyNNNnXSTXXLOLrEcEj9KU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=lI1qOuLLsw+fQ80KvJqTw39WJgFaa49plNs4TkzhBcZzh9UbbRQkRCBYHgTyPooDnS 
BgcTOY9HeCY18UCJcsyxR07p0rfIEW7ARFkKpzGq2vYyIKUOIv4nbDPmTk8SssS/hbiK BDF7q/aXdeUZVdvI5akInm1xCnf4Gib7WLRzg= MIME-Version: 1.0 Received: by 10.220.94.69 with SMTP id y5mr7345284vcm.6.1247497752282; Mon, 13 Jul 2009 08:09:12 -0700 (PDT) Date: Mon, 13 Jul 2009 11:09:11 -0400 Message-ID: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com> From: rascal To: freebsd-net@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: question regarding IPSEC Setup X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jul 2009 15:30:00 -0000 So I have a couple of questions regarding a scenario that has recently been brought to me. I have two sites, one with a cisco device and one with a server running freebsd 7.2. The client wants to connect the two sites using these devices and I am told that the best way would be to establish an IPSEC tunnel between the cisco device and the freebsd server. The cisco is a concentrator 3000 and the server is just a dell poweredge 860 with 4 nics in the back running 7.2 freebsd. I guess my two questions are: 1. Has anyone done this before and what are their results? 2. Is setting up an IPSEC tunnel the best route for this or is there something else I should be looking at? 3. Any tips/tricks/good sites to check on for setting up IPSEC on freebsd (I am currently reading http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html which is pretty darn good)? Thanks in advance for any help!! 
--- Matthew From owner-freebsd-net@FreeBSD.ORG Mon Jul 13 17:25:49 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CE47C106566B for ; Mon, 13 Jul 2009 17:25:49 +0000 (UTC) (envelope-from freebsd-net@m.gmane.org) Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) by mx1.freebsd.org (Postfix) with ESMTP id 867C88FC1E for ; Mon, 13 Jul 2009 17:25:49 +0000 (UTC) (envelope-from freebsd-net@m.gmane.org) Received: from list by ciao.gmane.org with local (Exim 4.43) id 1MQPHe-0005K4-8A for freebsd-net@freebsd.org; Mon, 13 Jul 2009 17:25:46 +0000 Received: from mulderlab.f5.com ([205.229.151.151]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 13 Jul 2009 17:25:46 +0000 Received: from atkin901 by mulderlab.f5.com with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 13 Jul 2009 17:25:46 +0000 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-net@freebsd.org From: Mark Atkinson Followup-To: gmane.os.freebsd.devel.net Date: Mon, 13 Jul 2009 10:25:31 -0700 Lines: 27 Message-ID: References: <2a41acea0905020803s63b69b1awb39538f000f5bd5a@mail.gmail.com> <2a41acea0906261725x57e6903br9f3f42b55f3a3d30@mail.gmail.com> <688430.20427.qm@web37906.mail.mud.yahoo.com> <2a41acea0906280952s23d6553ep42fcfd4671561c3a@mail.gmail.com> <2a41acea0907071722p7992bea0s281399cb0baecd90@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7Bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: mulderlab.f5.com User-Agent: KNode/0.99.01 Sender: news Subject: Re: Regression: em driver in -CURRENT, "Invalid MAC address" X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jul 2009 17:25:50 
-0000 Jack Vogel wrote: > In case you hadn't seen it, the code that fixes this is now checked into > the tip, so the latest em driver should work for you. I upgraded the machine in question this morning and it appears to be working, thanks! >>> em0: mem >>> 0xdb000000-0xdb01ffff >>> irq 28 at device 4.0 on pci19 >>> em0: Reserved 0x20000 bytes for rid 0x10 type 3 at 0xdb000000 >>> >>> em0: Invalid MAC address >>> device_attach: em0 attach returned 5 >>> em1: mem >>> 0xdb020000-0xdb03ffff >>> irq 29 at device 9.0 on pci19 >>> em1: Reserved 0x20000 bytes for rid 0x10 type 3 at 0xdb020000 >>> >>> em1: Invalid MAC address >>> device_attach: em1 attach returned 5 -- Mark Atkinson atkin901@yahoo.com (!wired)?(coffee++):(wired); From owner-freebsd-net@FreeBSD.ORG Mon Jul 13 20:30:04 2009 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2A04B106566B for ; Mon, 13 Jul 2009 20:30:04 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 183808FC12 for ; Mon, 13 Jul 2009 20:30:04 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n6DKU39s083310 for ; Mon, 13 Jul 2009 20:30:03 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n6DKU3J7083309; Mon, 13 Jul 2009 20:30:03 GMT (envelope-from gnats) Date: Mon, 13 Jul 2009 20:30:03 GMT Message-Id: <200907132030.n6DKU3J7083309@freefall.freebsd.org> To: freebsd-net@FreeBSD.org From: Joshua Reynolds Cc: Subject: Re: kern/135222: [igb] low speed routing between two igb interfaces X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Joshua Reynolds List-Id: Networking and 
TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jul 2009 20:30:04 -0000 The following reply was made to PR kern/135222; it has been noted by GNATS. From: Joshua Reynolds To: bug-followup@FreeBSD.org, 1@hnt.ru Cc: Subject: Re: kern/135222: [igb] low speed routing between two igb interfaces Date: Mon, 13 Jul 2009 13:57:20 -0600 --Apple-Mail-35-772384282 Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit We had this same problem with our SuperMicro box and have been stumped since switching our interface to igb. Thanks Michael for the work around... I hope they put this in the errata, it certainly would have helped us a great deal. Best regards, Joshua Reynolds President J-Tech Communications jtechcommunications.com 406-586-7100 (ph) 406-586-1584 (fx) 888-586-3000 (tf) --Apple-Mail-35-772384282--
From owner-freebsd-net@FreeBSD.ORG Mon Jul 13 22:35:09 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C03031065677 for ; Mon, 13 Jul 2009 22:35:09 +0000 (UTC) (envelope-from rahmati@sepehrs.com) Received: from sepehrs.com (www.sepehrs.com [213.217.59.98]) by mx1.freebsd.org (Postfix) with ESMTP id EA6B18FC12 for ; Mon, 13 Jul 2009 22:35:08 +0000 (UTC) (envelope-from rahmati@sepehrs.com) Received: from [127.0.0.1] ([192.168.3.1]) by mail (8.14.3/8.14.3) with ESMTP id n6D7DOYV022837 for ; Mon, 13 Jul 2009 11:43:25 +0430 (IRDT) Message-ID: <4A5AED6D.5090500@sepehrs.com> Date: Mon, 13 Jul 2009 11:46:45 +0330
From: Nasser Rahmati User-Agent: Thunderbird 2.0.0.22 (Windows/20090605) MIME-Version: 1.0 To: freebsd-net@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: test X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jul 2009 22:35:10 -0000 Hello -- With the best regards Nasser Rahmati Sepehr S. T. Co. Ltd. Tel: +9821 88975701 Fax: +9821 88983352 E-mail: rahmati@sepehrs.com Web: http://www.sepehrs.com From owner-freebsd-net@FreeBSD.ORG Tue Jul 14 00:42:17 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1889A1065670; Tue, 14 Jul 2009 00:42:17 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.delphij.net (delphij-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:2c9::2]) by mx1.freebsd.org (Postfix) with ESMTP id B39D18FC15; Tue, 14 Jul 2009 00:42:16 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.geekcn.org (tarsier.geekcn.org [211.166.10.233]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tarsier.delphij.net (Postfix) with ESMTPS id 70BD95C024; Tue, 14 Jul 2009 08:42:15 +0800 (CST) Received: from localhost (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id 1303C55CD7EA; Tue, 14 Jul 2009 08:42:10 +0800 (CST) X-Virus-Scanned: amavisd-new at geekcn.org Received: from tarsier.geekcn.org ([211.166.10.233]) by localhost (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with ESMTP id VxSAfh-a2-gi; Tue, 14 Jul 2009 08:41:16 +0800 (CST) Received: from charlie.delphij.net (unknown [12.130.152.117]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate 
requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id 8098A55CD6C3; Tue, 14 Jul 2009 08:41:10 +0800 (CST) DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:cc:subject:x-enigmail-version:openpgp:content-type:content-transfer-encoding; b=oBw4pJ950/1RZB7R0/WuXhmefhA3SUSiNoYzdffQ0+5L4gmbUdiowga6I1Uz70R2x CGcmm8o6WeaxpnRwil7mA== Message-ID: <4A5BD40E.9080108@delphij.net> Date: Mon, 13 Jul 2009 17:40:46 -0700 
From: Xin LI Organization: The FreeBSD Project User-Agent: Thunderbird 2.0.0.22 (X11/20090701) MIME-Version: 1.0 To: freebsd-net@freebsd.org X-Enigmail-Version: 0.95.7 OpenPGP: id=18EDEBA0; url=http://www.delphij.net/delphij.asc Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: "Bjoern A. Zeeb" Subject: [LOR] carp vs bridge X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jul 2009 00:42:17 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, This LOR is observed in an environment with both CARP and bridge set up. Is this an known one? lock order reversal: 1st 0xffffff00033253e0 carp_if (carp_if) @ /usr/src/sys/netinet/ip_carp.c:1326 2nd 0xffffff00031d1218 if_bridge (if_bridge) @ /usr/src/sys/net/if_bridge.c:1850 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2a _witness_debugger() at _witness_debugger+0x2e witness_checkorder() at witness_checkorder+0x81e _mtx_lock_flags() at _mtx_lock_flags+0x78 bridge_output() at bridge_output+0x67 ether_output() at ether_output+0x3d7 ip_output() at ip_output+0xd12 carp_send_ad_locked() at carp_send_ad_locked+0x54b carp_master_down_locked() at carp_master_down_locked+0x79 carp_master_down() at carp_master_down+0x33 softclock() at softclock+0x291 intr_event_execute_handlers() at intr_event_execute_handlers+0x68 ithread_loop() at ithread_loop+0xb2 fork_exit() at fork_exit+0x12a fork_trampoline() at fork_trampoline+0xe - --- trap 0, rip = 0, rsp = 0xffffff8000042d30, rbp = 0 --- Cheers, - -- Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve! 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (FreeBSD) iEYEARECAAYFAkpb0zcACgkQi+vbBBjt66Ci6wCfT/sMbpkSqbKacc2vHRK5fOpY RugAn1w8iVoWFmz8xGYeJzuYS9yUWwy2 =bTB3 -----END PGP SIGNATURE----- From owner-freebsd-net@FreeBSD.ORG Tue Jul 14 01:09:41 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E84BF106564A for ; Tue, 14 Jul 2009 01:09:41 +0000 (UTC) (envelope-from glen.j.barber@gmail.com) Received: from mail-bw0-f208.google.com (mail-bw0-f208.google.com [209.85.218.208]) by mx1.freebsd.org (Postfix) with ESMTP id 65F888FC15 for ; Tue, 14 Jul 2009 01:09:41 +0000 (UTC) (envelope-from glen.j.barber@gmail.com) Received: by bwz4 with SMTP id 4so1077bwz.43 for ; Mon, 13 Jul 2009 18:09:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=iWBDWDrbE7sl0gliduwQUmZSMWWoV1sat5pz0VrSu1Y=; b=rvgXWbbxibDCq0S6N6sNQNEb6ueAYSQWY8kzVcHVneaapS6kWTy5XslDxLAtYkX5vU ytvIhjCKnbMRUd7PftUmZ+w304NS0i71FgVfSC6YB3H15OHFjx4q/YSB3kg98xmtKn05 uxxyJV4/PXzoc5RUiqnzFN0llR+/lLcyN7QFk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=u7XJIOjOWERaW8infnWgkUT7iSKARfUcHMyAttIARIghhE5nL8vyIPtj9pAoaTEMfK eBtZqoo/ARPAnGTHXlOm+SqzTUnmNMkKO4wwpK8TRis12rerczNtAkGXS+DHR8Oi6yeJ K5qYrljwZImYnJf6YfLrynQZOv6qYrI5FMb9k= MIME-Version: 1.0 Received: by 10.204.71.68 with SMTP id g4mr5718599bkj.135.1247532457027; Mon, 13 Jul 2009 17:47:37 -0700 (PDT) In-Reply-To: <4A5BD40E.9080108@delphij.net> References: <4A5BD40E.9080108@delphij.net> Date: Mon, 13 Jul 2009 20:47:37 -0400 Message-ID: <4ad871310907131747g6798c0b9j96a8ce5540f42289@mail.gmail.com> 
From: Glen Barber To: d@delphij.net Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-net@freebsd.org Subject: Re: [LOR] carp vs bridge X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jul 2009 01:09:42 -0000 On Mon, Jul 13, 2009 at 8:40 PM, Xin LI wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > This LOR is observed in an environment with both CARP and bridge set up. > Is this an known one? > > lock order reversal: > > 1st 0xffffff00033253e0 carp_if (carp_if) @ > /usr/src/sys/netinet/ip_carp.c:1326 > 2nd 0xffffff00031d1218 if_bridge (if_bridge) @ > /usr/src/sys/net/if_bridge.c:1850 > KDB: stack backtrace: > db_trace_self_wrapper() at db_trace_self_wrapper+0x2a > _witness_debugger() at _witness_debugger+0x2e > witness_checkorder() at witness_checkorder+0x81e > _mtx_lock_flags() at _mtx_lock_flags+0x78 > bridge_output() at bridge_output+0x67 > ether_output() at ether_output+0x3d7 > ip_output() at ip_output+0xd12 > carp_send_ad_locked() at carp_send_ad_locked+0x54b > carp_master_down_locked() at carp_master_down_locked+0x79 > carp_master_down() at carp_master_down+0x33 > softclock() at softclock+0x291 > intr_event_execute_handlers() at intr_event_execute_handlers+0x68 > ithread_loop() at ithread_loop+0xb2 > fork_exit() at fork_exit+0x12a > fork_trampoline() at fork_trampoline+0xe > - --- trap 0, rip = 0, rsp = 0xffffff8000042d30, rbp = 0 --- > I didn't see that particular LOR listed with the others: http://sources.zabbadoz.net/freebsd/lor.html Regards, -- Glen Barber From owner-freebsd-net@FreeBSD.ORG Tue Jul 14 07:25:17 2009 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 
9666D106566C; Tue, 14 Jul 2009 07:25:17 +0000 (UTC) (envelope-from mav@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 6B29D8FC1A; Tue, 14 Jul 2009 07:25:17 +0000 (UTC) (envelope-from mav@FreeBSD.org) Received: from freefall.freebsd.org (mav@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n6E7PHq3010988; Tue, 14 Jul 2009 07:25:17 GMT (envelope-from mav@freefall.freebsd.org) Received: (from mav@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n6E7PGLa010984; Tue, 14 Jul 2009 07:25:16 GMT (envelope-from mav) Date: Tue, 14 Jul 2009 07:25:16 GMT Message-Id: <200907140725.n6E7PGLa010984@freefall.freebsd.org> To: vlad@prokk.net, mav@FreeBSD.org, freebsd-net@FreeBSD.org 
From: mav@FreeBSD.org
Subject: Re: kern/132984: [netgraph] swi1: net 100% cpu usage

Synopsis: [netgraph] swi1: net 100% cpu usage

State-Changed-From-To: open->closed
State-Changed-By: mav
State-Changed-When: Tue Jul 14 07:23:12 UTC 2009
State-Changed-Why:
This is probably duplicate of solved kern/134557.
Fix committed to 8-CURRENT and merged to 7-STABLE on 2009-07-04.

http://www.freebsd.org/cgi/query-pr.cgi?pr=132984

From owner-freebsd-net@FreeBSD.ORG Tue Jul 14 07:40:45 2009
Date: Tue, 14 Jul 2009 00:30:23 -0700
From: perryh@pluto.rain.com
To: rascal1981@gmail.com
Message-Id: <4a5c340f.kgJItzxBrh6/yWqR%perryh@pluto.rain.com>
References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com>
In-Reply-To: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: question regarding IPSEC Setup

rascal wrote:

> ... I have two sites, one with a cisco device and one with a
> server running freebsd 7.2. The client wants to connect the two
> sites using these devices and I am told that the best way would
> be to establish an IPSEC tunnel between the cisco device and the
> freebsd server. The cisco is a concentrator 3000 and the server
> is just a dell poweredge 860 with 4 nics in the back running 7.2
> freebsd. I guess my two questions are:
>
> 1. Has anyone done this before and what are their results?
> 2. Is setting up an IPSEC tunnel the best route for
> this or is there something else I should be looking at?
> 3. Any tips/tricks/good sites to check on for
> setting up IPSEC on freebsd (I am currently reading
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> which is pretty darn good)?

I am no expert, just a user: my employer uses Cisco VPN for remote
access. Last I knew Cisco had VPN clients available for Windows and
for (some version of) Linux. There's no official FreeBSD client
AFAIK, but ports/security/vpnc seems to work well for the purpose.

I have no idea how the Cisco end is set up, but have gotten the
impression that it may involve some sort of Cisco proprietary
extensions to IPSEC.

From owner-freebsd-net@FreeBSD.ORG Tue Jul 14 08:12:46 2009
Date: Tue, 14 Jul 2009 08:12:46 GMT
Message-Id: <200907140812.n6E8CkPX076050@freefall.freebsd.org>
To: bz@FreeBSD.org, freebsd-net@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: bz@FreeBSD.org
Subject: Re: kern/136695: [ipfw] [patch] fwd reached after skipto in dynamic rules does not work in every case

Old Synopsis: [ip] [patch] fwd reached after skipto in dynamic rules does not work in every case
New Synopsis: [ipfw] [patch] fwd reached after skipto in dynamic rules does not work in every case

Responsible-Changed-From-To: freebsd-net->freebsd-ipfw
Responsible-Changed-By: bz
Responsible-Changed-When: Tue Jul 14 08:12:22 UTC 2009
Responsible-Changed-Why:
Re-assign to the right list.

http://www.freebsd.org/cgi/query-pr.cgi?pr=136695

From owner-freebsd-net@FreeBSD.ORG Tue Jul 14 13:56:03 2009
Date: Tue, 14 Jul 2009 16:41:31 +0300
From: Eugene Perevyazko
To: freebsd-net@freebsd.org
Message-ID: <20090714134131.GA23925@traktor.dnepro.net>
References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com>
In-Reply-To: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com>
Subject: Re: question regarding IPSEC Setup

On Mon, Jul 13, 2009 at 11:09:11AM -0400, rascal wrote:
> So I have a couple of questions regarding a scenario that has recently been
> brought to me. I have two sites, one with a cisco device and one with a
> server running freebsd 7.2. The client wants to connect the two sites using
> these devices and I am told that the best way would be to establish an IPSEC
> tunnel between the cisco device and the freebsd server. The cisco is a
> concentrator 3000 and the server is just a dell poweredge 860 with 4 nics in
> the back running 7.2 freebsd. I guess my two questions are:
>
> 1. Has anyone done this before and what are their results?

I'm using several IPSec tunnels between cisco 851's and freebsd routers.
It "just works".

> 2. Is setting up an IPSEC tunnel the best route for this or is there
> something else I should be looking at?

IPSec is the standard for tunnels over internet. Cisco VPN requires their
proprietary client, OpenVPN is not for ciscos.

> 3. Any tips/tricks/good sites to check on for setting up IPSEC on freebsd
> (I am currently reading
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html which
> is pretty darn good)?

I use IPSec tunnels without gif interface on freebsd, don't know if it will
work with it. I declare policy in /etc/ipsec.conf, and use racoon
(ports/security/ipsec-tools) to do all the rest. It's pretty simple on cisco
side too. Just say if you need an example.

-- 
Eugene Perevyazko

From owner-freebsd-net@FreeBSD.ORG Tue Jul 14 14:14:09 2009
Message-ID: <4A5C8F17.8030008@xiplink.com>
Date: Tue, 14 Jul 2009 09:58:47 -0400
From: Karim Fodil-Lemelin
To: Pyun YongHyeon
References: <200907080510.n685A5o7048654@freefall.freebsd.org>
In-Reply-To: <200907080510.n685A5o7048654@freefall.freebsd.org>
Cc: freebsd-net@FreeBSD.org
Subject: Re: kern/124127: [msk] watchdog timeout (missed Tx interrupts) -- recovering

Hello,

We have seen the problem reappear on msk driver (after applying the
latest patch in gnats). The patch did improve things tremendously but now
the watchdog will timeout after 7 or 8 hours of flawless activity (before
the patch it would happen right away on the first transfer).

Using the legacy interrupt sysctl (on top of the patched kernel atm) is
giving us better results, haven't seen a failure in days now.

Regards,

Karim.

From owner-freebsd-net@FreeBSD.ORG Tue Jul 14 16:18:20 2009
In-Reply-To: <20090714134131.GA23925@traktor.dnepro.net>
References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com> <20090714134131.GA23925@traktor.dnepro.net>
Date: Tue, 14 Jul 2009 12:18:19 -0400
Message-ID: <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com>
From: rascal
To: freebsd-net@freebsd.org
Subject: Re: question regarding IPSEC Setup

Thanks for the input on this everyone! Eugene, I'll take you up on your
offer of examples! I have a good idea of how to do this, I just want to make
sure I get it right and if I have some examples to compare to that would be
great! Thanks much!

On Tue, Jul 14, 2009 at 9:41 AM, Eugene Perevyazko wrote:

> On Mon, Jul 13, 2009 at 11:09:11AM -0400, rascal wrote:
> > So I have a couple of questions regarding a scenario that has recently been
> > brought to me. I have two sites, one with a cisco device and one with a
> > server running freebsd 7.2. The client wants to connect the two sites using
> > these devices and I am told that the best way would be to establish an IPSEC
> > tunnel between the cisco device and the freebsd server. The cisco is a
> > concentrator 3000 and the server is just a dell poweredge 860 with 4 nics in
> > the back running 7.2 freebsd. I guess my two questions are:
> >
> > 1. Has anyone done this before and what are their results?
>
> I'm using several IPSec tunnels between cisco 851's and freebsd routers.
> It "just works".
>
> > 2. Is setting up an IPSEC tunnel the best route for this or is there
> > something else I should be looking at?
> IPSec is the standard for tunnels over internet. Cisco VPN requires their
> proprietary client, OpenVPN is not for ciscos.
>
> > 3. Any tips/tricks/good sites to check on for setting up IPSEC on freebsd
> > (I am currently reading
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html which
> > is pretty darn good)?
> I use IPSec tunnels without gif interface on freebsd, don't know if it will
> work with it. I declare policy in /etc/ipsec.conf, and use racoon
> (ports/security/ipsec-tools) to do all the rest. It's pretty simple on cisco
> side too. Just say if you need an example.
>
> --
> Eugene Perevyazko
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

From owner-freebsd-net@FreeBSD.ORG Tue Jul 14 17:20:05 2009
To: freebsd-net@freebsd.org
From: Ivan Voras
Date: Tue, 14 Jul 2009 19:16:51 +0200
Subject: Re: HEADS UP: projects/mesh11s committed to HEAD

Rui Paulo wrote:
> Hi,
> Just a heads up to note that 802.11s D3.0 support has been committed to
> HEAD. If you notice any wireless related problems, please inform me ASAP.

Hi,

Any short tutorials on how to use it? For example with a couple of laptops?

From owner-freebsd-net@FreeBSD.ORG Wed Jul 15 00:39:49 2009
Date: Tue, 14 Jul 2009 19:15:14 -0500
From: "David DeSimone"
To: "rascal"
Message-ID: <20090715001514.GU6896@verio.net>
References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com> <20090714134131.GA23925@traktor.dnepro.net> <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com>
In-Reply-To: <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: question regarding IPSEC Setup

rascal wrote:
>
> Thanks for the input on this everyone! Eugene, I'll take you up on
> your offer of examples! I have a good idea of how to do this, I
> just want to make sure I get it right and if I have some examples to
> compare to that would be great! Thanks much!

Here is an example IPSEC config that we use, that interoperates with
Cisco, Checkpoint, and probably other standard IPSEC implementations.

We're using PF for firewalling.

Example config:

    Here: 11.22.33.44 (FreeBSD machine)

        Networks behind:
            10.10.30.40/24
            10.10.30.50/24

    There: 55.66.77.88 (Some other IPSEC)

        Networks behind:
            10.20.50.60/24
            10.20.50.70/24

    Parameters:
        IKE:
            Phase 1:
                Pre-shared Secret
                AES + SHA1
                DH Group 2
                Lifetime 24 hours
            Phase 2:
                One SPI per subnet pair
                No PFS
                Lifetime 1 hour
        ESP:
            AES + SHA1

Kernel build options:

    options IPSEC
    options IPSEC_ESP
    options IPSEC_DEBUG

/etc/rc.conf:

    gateway_enable="YES"

    pf_enable="YES"
    pf_rules="/usr/local/etc/pf.conf"

    racoon_enable="YES"
    ipsec_enable="YES"
    ipsec_file="/usr/local/etc/ipsec.conf"

Partial /usr/local/etc/pf.conf:

    EXT="dc0"       # Interface for external traffic
    EXTIP="(dc0)"   # External virtual IP

    table file "/usr/local/etc/ipsec.peers"

    pass in log quick on $EXT proto udp from to $EXTIP port 500 keep state
    pass in quick on $EXT proto esp from to $EXTIP keep state

/usr/local/etc/ipsec.peers:

    55.66.77.88

/usr/local/etc/ipsec.conf:

    spdflush;

    spdadd 10.20.50.60/24 10.10.30.40/24 any \
        -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.40/24 10.20.50.60/24 any \
        -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

    spdadd 10.20.50.60/24 10.10.30.50/24 any \
        -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.50/24 10.20.50.60/24 any \
        -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

    spdadd 10.20.50.70/24 10.10.30.40/24 any \
        -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.40/24 10.20.50.70/24 any \
        -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

    spdadd 10.20.50.70/24 10.10.30.50/24 any \
        -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique;
    spdadd 10.10.30.50/24 10.20.50.70/24 any \
        -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique;

/usr/local/etc/racoon/racoon.conf:

    log debug;  # notify(*), debug, debug2

    path pre_shared_key "/usr/local/etc/ipsec.keys";
    path pidfile "/var/run/racoon.pid";

    listen
    {
        isakmp 11.22.33.44;
        strict_address;  # Needed?
    }

    remote 55.66.77.88
    {
        exchange_mode aggressive,main,base;

        my_identifier address 11.22.33.44;
        peers_identifier address 55.66.77.88;

        verify_identifier off;

        proposal_check claim;  # obey, strict, claim(*), exact(*)

        proposal
        {
            encryption_algorithm aes;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
            lifetime time 24 hours;
        }
    }

    sainfo address 10.20.50.60/24 any address 10.10.30.40/24 any
    {
        lifetime time 1 hour;

        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    sainfo address 10.10.30.40/24 any address 10.20.50.60/24 any
    {
        lifetime time 1 hour;

        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    sainfo address 10.20.50.60/24 any address 10.10.30.50/24 any
    {
        lifetime time 1 hour;

        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    sainfo address 10.10.30.50/24 any address 10.20.50.60/24 any
    {
        lifetime time 1 hour;

        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    sainfo address 10.20.50.70/24 any address 10.10.30.40/24 any
    {
        lifetime time 1 hour;

        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    sainfo address 10.10.30.40/24 any address 10.20.50.70/24 any
    {
        lifetime time 1 hour;

        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    sainfo address 10.20.50.70/24 any address 10.10.30.50/24 any
    {
        lifetime time 1 hour;

        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    sainfo address 10.10.30.50/24 any address 10.20.50.70/24 any
    {
        lifetime time 1 hour;

        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

/usr/local/etc/ipsec.keys:  (chmod 600!)

    # Keys for IPSEC
    # Remote IP, shared key

    55.66.77.88 SecretKey!!

The main difficulty is making sure you've got every different direction
of source and destination subnet cross-referenced in your SPD config and
the exact same entries configured in your racoon config.

In our setup, we auto-generate these files from a master config file,
but regrettably I cannot release the code for this...

Anyway, I hope this gives you some idea how to set up IPSEC. Debugging
is of course the next step. Never assume that your peer has configured
everything right. :)

Make sure your ipsec.keys file is not readable by anyone but root, or
racoon will silently ignore it.

-- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow

This email message is intended for the use of the person to whom it has
been sent, and may contain information that is confidential or legally
protected. If you are not the intended recipient or have received this
message in error, you are not authorized to copy, distribute, or otherwise
use this message or its attachments. Please notify the sender immediately by
return e-mail and permanently delete this message and any attachments.
Verio, Inc. makes no warranty that this email is error or virus free. Thank
you.
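
The cross-referencing described in the message above, as an added example that is not part of the original post and is not the unreleased generator it mentions: a Python sketch that expands one master description into matching `spdadd` and `sainfo` entries and reports pairs that appear in only one of two hand-edited files. The `MASTER` layout and every function name are assumptions; the addresses and parameters are the ones from the message.

```python
import itertools
import os
import re
import stat

# Constructed master description, reusing the example addresses from the message.
MASTER = {
    "local_gw": "11.22.33.44",
    "remote_gw": "55.66.77.88",
    "local_nets": ["10.10.30.40/24", "10.10.30.50/24"],
    "remote_nets": ["10.20.50.60/24", "10.20.50.70/24"],
}


def directed_pairs(master):
    """Return every (src, dst, direction) that both files must list."""
    pairs = []
    for remote, local in itertools.product(master["remote_nets"], master["local_nets"]):
        pairs.append((remote, local, "in"))
        pairs.append((local, remote, "out"))
    return pairs


def render_spd(master):
    """Emit the policy lines for ipsec.conf in the layout used in the message."""
    gw = {
        "in": f'{master["remote_gw"]}-{master["local_gw"]}',
        "out": f'{master["local_gw"]}-{master["remote_gw"]}',
    }
    lines = ["spdflush;", ""]
    for src, dst, direction in directed_pairs(master):
        lines.append(f"spdadd {src} {dst} any \\")
        lines.append(f"    -P {direction} ipsec esp/tunnel/{gw[direction]}/unique;")
    return "\n".join(lines) + "\n"


def render_sainfo(master):
    """Emit one racoon sainfo block per directed pair, parameters as in the message."""
    blocks = []
    for src, dst, _direction in directed_pairs(master):
        blocks.append(
            f"sainfo address {src} any address {dst} any\n"
            "{\n"
            "    lifetime time 1 hour;\n"
            "\n"
            "    encryption_algorithm aes;\n"
            "    authentication_algorithm hmac_sha1;\n"
            "    compression_algorithm deflate;\n"
            "}\n"
        )
    return "\n".join(blocks)


SPD_RE = re.compile(r"^\s*spdadd\s+(\S+)\s+(\S+)\s+any\b", re.MULTILINE)
SAINFO_RE = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+any\s+address\s+(\S+)\s+any\b", re.MULTILINE
)


def coverage_gaps(spd_text, racoon_text):
    """Return (policies lacking a sainfo, sainfo blocks lacking a policy)."""
    spd = set(SPD_RE.findall(spd_text))
    sainfo = set(SAINFO_RE.findall(racoon_text))
    return sorted(spd - sainfo), sorted(sainfo - spd)


def psk_file_is_private(path):
    """True when the key file has no group/other permission bits (chmod 600).

    Only the mode bits are checked here; file ownership is not examined.
    """
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


if __name__ == "__main__":
    print(render_spd(MASTER))
    print(render_sainfo(MASTER))
    print(coverage_gaps(render_spd(MASTER), render_sainfo(MASTER)))
```

Running `coverage_gaps` over existing `ipsec.conf` and `racoon.conf` text before restarting racoon shows any subnet pair that has a policy but no matching `sainfo` block, or the reverse.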
From owner-freebsd-net@FreeBSD.ORG Wed Jul 15 01:43:59 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7E676106566B for ; Wed, 15 Jul 2009 01:43:59 +0000 (UTC) (envelope-from rascal1981@gmail.com) Received: from mail-vw0-f172.google.com (mail-vw0-f172.google.com [209.85.212.172]) by mx1.freebsd.org (Postfix) with ESMTP id 0BA8B8FC08 for ; Wed, 15 Jul 2009 01:43:58 +0000 (UTC) (envelope-from rascal1981@gmail.com) Received: by vwj2 with SMTP id 2so2896210vwj.3 for ; Tue, 14 Jul 2009 18:43:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type; bh=WjmXg9ufcndkFq4yEMqTbuh2zGOnJaB16sURVe/Jzwo=; b=iS9u8hYa9N3pl5+o7c7pRsZMjTA6XqrXLkPvMdti6XKDQ0yljUxZGcozYjnbmBCnxh Rzyi/iyYAammfTF67Q4jxzFjRHq+9z7UqdIYNqMeW7rfSJa6X7UfOn8PwtKSWop1hmco GL24KpxzDQBpVFtVCW6vZ4DqH6tL6+VzQhCV8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=mCB8KK0hgDsjqN3adnnXg7nN8fcnsCqDVhbk/RFZ5Ykp3WryVYPZ1OEIxaUEE1NAQN RJN3mrdu3rXqUZkGSUy3x+JX1uUJqBd8/KGyC2IwWnz/l9rW7zlnoj0puwHeNwEn/zRF MbYBsh2CH3mJL4DcpoiYRNg3ZCpEgKi7fAlb0= MIME-Version: 1.0 Received: by 10.220.45.80 with SMTP id d16mr10052477vcf.93.1247622236499; Tue, 14 Jul 2009 18:43:56 -0700 (PDT) In-Reply-To: <20090715001514.GU6896@verio.net> References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com> <20090714134131.GA23925@traktor.dnepro.net> <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com> <20090715001514.GU6896@verio.net> Date: Tue, 14 Jul 2009 21:43:56 -0400 Message-ID: <3228ef7c0907141843s30df148eu2c6c64acd7748029@mail.gmail.com> 
From: rascal To: rascal , freebsd-net@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re: question regarding IPSEC Setup X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jul 2009 01:43:59 -0000 Thanks very much David, I really appreciate it! I have the racoon2 package; does this make a big difference or do these configs work close to the same? On Tue, Jul 14, 2009 at 8:15 PM, David DeSimone wrote: > rascal wrote: > > > > Thanks for the input on this everyone! Eugene, I'll take you up on > > your offer of examples! I have a good idea of how to do this, I > > just want to make sure I get it right and if I have some examples to > > compare to that would be great! Thanks much! > > Here is an example IPSEC config that we use, that interoperates with > Cisco, Checkpoint, and probably other standard IPSEC implementations. > > We're using PF for firewalling. 
> > Example config: > > Here: 11.22.33.44 (FreeBSD machine) > > Networks behind: > 10.10.30.40/24 > 10.10.30.50/24 > > There: 55.66.77.88 (Some other IPSEC) > > Networks behind: > 10.20.50.60/24 > 10.20.50.70/24 > > Parameters: > IKE: > Phase 1: > Pre-shared Secret > AES + SHA1 > DH Group 2 > Lifetime 24 hours > Phase 2: > One SPI per subnet pair > No PFS > Lifetime 1 hour > ESP: > AES + SHA1 > > Kernel build options: > > options IPSEC > options IPSEC_ESP > options IPSEC_DEBUG > > /etc/rc.conf: > > gateway_enable="YES" > > pf_enable="YES" > pf_rules="/usr/local/etc/pf.conf" > > racoon_enable="YES" > ipsec_enable="YES" > ipsec_file="/usr/local/etc/ipsec.conf" > > Partial /usr/local/etc/pf.conf: > > EXT="dc0" # Interface for external traffic > EXTIP="(dc0)" # External virtual IP > > table file "/usr/local/etc/ipsec.peers" > > pass in log quick on $EXT proto udp from to $EXTIP port > 500 keep state > pass in quick on $EXT proto esp from to $EXTIP > keep state > > /usr/local/etc/ipsec.peers: > > 55.66.77.88 > > /usr/local/etc/ipsec.conf: > > spdflush; > > spdadd 10.20.50.60/24 10.10.30.40/24 any \ > -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique; > spdadd 10.10.30.40/24 10.20.50.60/24 any \ > -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique; > > spdadd 10.20.50.60/24 10.10.30.50/24 any \ > -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique; > spdadd 10.10.30.50/24 10.20.50.60/24 any \ > -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique; > > spdadd 10.20.50.70/24 10.10.30.40/24 any \ > -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique; > spdadd 10.10.30.40/24 10.20.50.70/24 any \ > -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique; > > spdadd 10.20.50.70/24 10.10.30.50/24 any \ > -P in ipsec esp/tunnel/55.66.77.88-11.22.33.44/unique; > spdadd 10.10.30.50/24 10.20.50.70/24 any \ > -P out ipsec esp/tunnel/11.22.33.44-55.66.77.88/unique; > > /usr/local/etc/racoon/racoon.conf: > > log debug; # notify(*), debug, debug2 > > path pre_shared_key 
"/usr/local/etc/ipsec.keys"; > path pidfile "/var/run/racoon.pid"; > > listen > { > isakmp 11.22.33.44; > strict_address; # Needed? > } > > remote 55.66.77.88 > { > exchange_mode aggressive,main,base; > > my_identifier address 11.22.33.44; > peers_identifier address 55.66.77.88; > > verify_identifier off; > > proposal_check claim; # obey, strict, claim(*), exact(*) > > proposal > { > encryption_algorithm aes; > hash_algorithm sha1; > authentication_method pre_shared_key; > dh_group 2; > lifetime time 24 hours; > } > } > > > sainfo address 10.20.50.60/24 any address 10.10.30.40/24 any > { > lifetime time 1 hour; > > encryption_algorithm aes; > authentication_algorithm hmac_sha1; > compression_algorithm deflate; > } > > sainfo address 10.10.30.40/24 any address 10.20.50.60/24 any > { > lifetime time 1 hour; > > encryption_algorithm aes; > authentication_algorithm hmac_sha1; > compression_algorithm deflate; > } > > sainfo address 10.20.50.60/24 any address 10.10.30.50/24 any > { > lifetime time 1 hour; > > encryption_algorithm aes; > authentication_algorithm hmac_sha1; > compression_algorithm deflate; > } > > sainfo address 10.10.30.50/24 any address 10.20.50.60/24 any > { > lifetime time 1 hour; > > encryption_algorithm aes; > authentication_algorithm hmac_sha1; > compression_algorithm deflate; > } > > sainfo address 10.20.50.70/24 any address 10.10.30.40/24 any > { > lifetime time 1 hour; > > encryption_algorithm aes; > authentication_algorithm hmac_sha1; > compression_algorithm deflate; > } > > sainfo address 10.10.30.40/24 any address 10.20.50.70/24 any > { > lifetime time 1 hour; > > encryption_algorithm aes; > authentication_algorithm hmac_sha1; > compression_algorithm deflate; > } > > sainfo address 10.20.50.70/24 any address 10.10.30.50/24 any > { > lifetime time 1 hour; > > encryption_algorithm aes; > authentication_algorithm hmac_sha1; > compression_algorithm deflate; > } > > sainfo address 10.10.30.50/24 any address 10.20.50.70/24 any > { > lifetime time 1 
hour;
>
>     encryption_algorithm aes;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate;
> }
>
> /usr/local/etc/ipsec.keys: (chmod 600!)
>
> # Keys for IPSEC
> # Remote IP, shared key
>
> 55.66.77.88 SecretKey!!
>
>
> The main difficulty is making sure you've got every different direction
> of source and destination subnet cross-referenced in your SPD config and
> the exact same entries configured in your racoon config.
>
> In our setup, we auto-generate these files from a master config file,
> but regrettably I cannot release the code for this...
>
>
> Anyway, I hope this gives you some idea how to set up IPSEC.  Debugging
> is of course the next step.  Never assume that your peer has configured
> everything right.  :)
>
> Make sure your ipsec.keys file is not readable by anyone but root, or
> racoon will silently ignore it.
>
> --
> David DeSimone == Network Admin == fox@verio.net
>   "I don't like spinach, and I'm glad I don't, because if I
>    liked it I'd eat it, and I just hate it." -- Clarence Darrow
>
>
> This email message is intended for the use of the person to whom it has
> been sent, and may contain information that is confidential or legally
> protected.  If you are not the intended recipient or have received this
> message in error, you are not authorized to copy, distribute, or otherwise
> use this message or its attachments.  Please notify the sender immediately by
> return e-mail and permanently delete this message and any attachments.
> Verio, Inc. makes no warranty that this email is error or virus free.  Thank
> you.
> From owner-freebsd-net@FreeBSD.ORG Wed Jul 15 02:12:55 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 32CA7106566C for ; Wed, 15 Jul 2009 02:12:55 +0000 (UTC) (envelope-from ddesimone@verio.net) Received: from relay1-bcrtfl2.verio.net (relay1-bcrtfl2.verio.net [131.103.218.142]) by mx1.freebsd.org (Postfix) with ESMTP id F1AF08FC16 for ; Wed, 15 Jul 2009 02:12:54 +0000 (UTC) (envelope-from ddesimone@verio.net) Received: from iad-wprd-xchw02.corp.verio.net (unknown [198.87.7.165]) by relay1-bcrtfl2.verio.net (Postfix) with ESMTP id 1E0DCB038300; Tue, 14 Jul 2009 22:12:54 -0400 (EDT) thread-index: AcoE8cLheEQ+wauSTky5Cgpb+o1CtA== Received: from dllstx1-8sst9f1.corp.verio.net ([10.144.0.64]) by iad-wprd-xchw02.corp.verio.net over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Tue, 14 Jul 2009 22:12:52 -0400 Received: by dllstx1-8sst9f1.corp.verio.net (sSMTP sendmail emulation); Tue, 14 Jul 2009 21:12:51 +0000 Date: Tue, 14 Jul 2009 21:12:51 -0500 Content-Transfer-Encoding: 7bit 
From: "David DeSimone"
To: "rascal"
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
Message-ID: <20090715021251.GV6896@verio.net>
Mail-Followup-To: rascal , freebsd-net@freebsd.org
References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com>
 <20090714134131.GA23925@traktor.dnepro.net>
 <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com>
 <20090715001514.GU6896@verio.net>
 <3228ef7c0907141843s30df148eu2c6c64acd7748029@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3228ef7c0907141843s30df148eu2c6c64acd7748029@mail.gmail.com>
Precedence: bulk
User-Agent: Mutt/1.5.18 (2008-05-17)
X-OriginalArrivalTime: 15 Jul 2009 02:12:52.0590 (UTC) FILETIME=[C23D30E0:01CA04F1]
Cc: freebsd-net@freebsd.org
Subject: Re: question regarding IPSEC Setup
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 15 Jul 2009 02:12:55 -0000

rascal wrote:
>
> I have the racoon2 package; does this make a big difference or do
> these configs work close to the same?

I did not have any luck using racoon2 because apparently it does not
interoperate well with older IPSEC implementations.  At least, it did
not a couple of years ago when I set up my IPSEC.

What you probably want is the security/ipsec-tools port, which contains
the original racoon IKE daemon.

--
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow

From owner-freebsd-net@FreeBSD.ORG Wed Jul 15 03:01:57 2009
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E1186106564A for ; Wed, 15 Jul 2009 03:01:57 +0000 (UTC) (envelope-from rascal1981@gmail.com)
Received: from mail-vw0-f172.google.com (mail-vw0-f172.google.com [209.85.212.172]) by mx1.freebsd.org (Postfix) with ESMTP id 8FD5D8FC15 for ; Wed, 15 Jul 2009 03:01:57 +0000 (UTC) (envelope-from rascal1981@gmail.com)
Received: by vwj2 with SMTP id 2so2924082vwj.3 for ; Tue, 14 Jul 2009 20:01:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.96.67 with SMTP id g3mr10026412vcn.63.1247626916744; Tue, 14 Jul 2009 20:01:56 -0700 (PDT)
In-Reply-To: <20090715021251.GV6896@verio.net>
References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com>
<20090714134131.GA23925@traktor.dnepro.net> <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com> <20090715001514.GU6896@verio.net> <3228ef7c0907141843s30df148eu2c6c64acd7748029@mail.gmail.com> <20090715021251.GV6896@verio.net> Date: Tue, 14 Jul 2009 23:01:56 -0400 Message-ID: <3228ef7c0907142001y650892b3w696576647086ba38@mail.gmail.com> 
From: rascal
To: rascal , freebsd-net@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc:
Subject: Re: question regarding IPSEC Setup
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 15 Jul 2009 03:01:58 -0000

Very good then, I'll have to uninstall racoon2/install the ipsectools.  I
must have missed when I installed ipsectools but no worries.

If I could ask one more favor; what does your Cisco config look like that
would match one of these?  I have got mine configured based on someone
else's tunnel specs and while I am sure they are comparable I wanted to make
sure I wasn't missing anything.  I was trying to go off of this:

http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2002-09/11533.html

But it's a little outdated and wanted to make sure I was doing it
correctly.  It sounds like I am on the right path for this, just a few more
pieces to go!  Thanks very much again for the help!

On Tue, Jul 14, 2009 at 10:12 PM, David DeSimone wrote:

> rascal wrote:
> >
> > I have the racoon2 package; does this make a big difference or do
> > these configs work close to the same?
>
> I did not have any luck using racoon2 because apparently it does not
> interoperate well with older IPSEC implementations.  At least, it did
> not a couple of years ago when I set up my IPSEC.
>
> What you probably want is the security/ipsec-tools port, which contains
> the original racoon IKE daemon.
>
> --
> David DeSimone == Network Admin == fox@verio.net
>   "I don't like spinach, and I'm glad I don't, because if I
>    liked it I'd eat it, and I just hate it." -- Clarence Darrow
>

From owner-freebsd-net@FreeBSD.ORG Wed Jul 15 07:59:25 2009
Return-Path:
Delivered-To: net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 78D05106566B for ; Wed, 15 Jul 2009 07:59:25 +0000 (UTC) (envelope-from onemda@gmail.com)
Received: from mail-fx0-f224.google.com (mail-fx0-f224.google.com [209.85.220.224]) by mx1.freebsd.org (Postfix) with ESMTP id 0334B8FC08 for ; Wed, 15 Jul 2009 07:59:24 +0000 (UTC) (envelope-from onemda@gmail.com)
Received: by fxm24 with SMTP id 24so2922640fxm.43 for ; Wed, 15 Jul 2009 00:59:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.204.78.131 with SMTP id l3mr7281238bkk.186.1247642845026; Wed, 15 Jul 2009 00:27:25 -0700 (PDT)
In-Reply-To: <3a142e750907040333o3938c06y6369af6fa6976812@mail.gmail.com>
References: <3a142e750906080809i381c4e6amd93da8a135ab9bd3@mail.gmail.com> <4A2D2EB1.3040702@errno.com> <1244477453.7794.2.camel@localhost> <3a142e750906081006v6369051dw75c5077e6032101f@mail.gmail.com> <1244656248.1701.53.camel@localhost> <3a142e750906101108v588e33dfsb0cb81f024c65cfb@mail.gmail.com> <1244658479.1701.56.camel@localhost> <3a142e750906101805re85136cif71eeeda2c641451@mail.gmail.com> <1245323702.1754.0.camel@localhost> <3a142e750907040333o3938c06y6369af6fa6976812@mail.gmail.com> Date: Wed, 15 Jul 2009 09:27:23 +0200 Message-ID: <3a142e750907150027t106edef5m767dd0319f83bd63@mail.gmail.com> From: "Paul B. Mahol" To: current@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: net@freebsd.org Subject: Re: ndis lor: hal preemption lock X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jul 2009 07:59:25 -0000 On 7/4/09, Paul B. Mahol wrote: > On 6/18/09, Coleman Kane wrote: >> I've committed this one as r194432. > > Ah, that one introduced regression. > Switching ndisX up before creating vap will cause panic. > Here is fix: > > --- /sys/dev/if_ndis/if_ndis.c 2009-06-28 09:15:54.000000000 +0000 > +++ if_ndis.c 2009-07-04 10:23:41.000000000 +0000 
> @@ -2292,6 +2292,8 @@ > ifp = sc->ifp; > ic = ifp->if_l2com; > vap = TAILQ_FIRST(&ic->ic_vaps); > + if (vap == NULL) > + return; > > if (!NDIS_INITIALIZED(sc)) { > DPRINTF(("%s: NDIS not initialized\n", __func__)); Bump! Please commit. -- Paul From owner-freebsd-net@FreeBSD.ORG Wed Jul 15 08:07:28 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B07201065670; Wed, 15 Jul 2009 08:07:28 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.delphij.net (delphij-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:2c9::2]) by mx1.freebsd.org (Postfix) with ESMTP id 235DB8FC21; Wed, 15 Jul 2009 08:07:28 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.geekcn.org (tarsier.geekcn.org [211.166.10.233]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tarsier.delphij.net (Postfix) with ESMTPS id C36ED5C024; Wed, 15 Jul 2009 16:07:26 +0800 (CST) Received: from localhost (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id 8BB4555CD816; Wed, 15 Jul 2009 16:07:26 +0800 (CST) X-Virus-Scanned: amavisd-new at geekcn.org Received: from tarsier.geekcn.org ([211.166.10.233]) by localhost (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with ESMTP id qPfPZeVjOrPr; Wed, 15 Jul 2009 16:06:33 +0800 (CST) Received: from charlie.delphij.net (c-67-188-2-183.hsd1.ca.comcast.net [67.188.2.183]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id 701F755CD7F5; Wed, 15 Jul 2009 16:06:26 +0800 (CST) DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:cc:subject:references:in-reply-to: x-enigmail-version:openpgp:content-type; 
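
Review bot: The added `if (vap == NULL) return;` after `vap = TAILQ_FIRST(&ic->ic_vaps);` returns silently, while the `!NDIS_INITIALIZED(sc)` branch directly below it reports through DPRINTF. Add a matching DPRINTF with `__func__` and a one-line comment saying that no vap exists yet when the interface is brought up before a vap is created, which is the panic case named in the message. It is also worth confirming that nothing taken earlier in the function, outside the visible context, has to be released before this early return.
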
b=Ad4du1AWWyelHx/nx1jvhlE+MvJ8RA021+zjc7Wfud7LPJDpVEj6bZFnAQxge7wtp oQorrEgKTtcn8SEJ0+lHA== Message-ID: <4A5D8DF0.4010708@delphij.net> Date: Wed, 15 Jul 2009 01:06:08 -0700 
From: Xin LI Organization: The FreeBSD Project User-Agent: Thunderbird 2.0.0.22 (X11/20090701) MIME-Version: 1.0 To: Glen Barber References: <4A5BD40E.9080108@delphij.net> <4ad871310907131747g6798c0b9j96a8ce5540f42289@mail.gmail.com> In-Reply-To: <4ad871310907131747g6798c0b9j96a8ce5540f42289@mail.gmail.com> X-Enigmail-Version: 0.95.7 OpenPGP: id=18EDEBA0; url=http://www.delphij.net/delphij.asc Content-Type: multipart/mixed; boundary="------------080001040707000106080403" Cc: freebsd-net@freebsd.org, glebius@FreeBSD.org, d@delphij.net Subject: Re: [LOR] carp vs bridge X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jul 2009 08:07:29 -0000 This is a multi-part message in MIME format. --------------080001040707000106080403 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here is a brute-force workaround for the issue, basically this would convert the hard deadlock into another problem (no multicast/broadcast being done on bridge, if CARP is enabled). It's good enough for my usage but is of course far from ideal. As I am not sure how much I could step further on a real fix due to $REALJOB, I'd like to share some further analysis for the problem. Basically, it was caused by CARP's use of locking and bridge's locking, the former would acquire CARP interface's mutex, while holding the mutex, it tries to indirectly call ether_output which, in turn, calls bridge_output if the CARP enabled interface is also part of a bridge. Since the bridge_output wants to acquire lock for the bridge's member interface, which is potentially parent for CARP interface, the order constraint is violated and thus a deadlock could happen. 
I think there is no obvious clean solution to break the dependency without weakening the realtimeness of sending the required multicast at this point. Will think again about it when I got some spare time. Cheers, - -- Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve! -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (FreeBSD) iEYEARECAAYFAkpdjfAACgkQi+vbBBjt66BxsACgggT8vhXo62V7Sh+2uAA0re2c dmEAnix+ax16obT2+neW7Iw0/P12cBVp =IM/r -----END PGP SIGNATURE----- --------------080001040707000106080403 Content-Type: text/plain; name="carp_bridge.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="carp_bridge.diff" Index: if_ethersubr.c =================================================================== --- if_ethersubr.c (revision 195705) +++ if_ethersubr.c (working copy) 
@@ -394,8 +394,18 @@ * Bridges require special output handling. */ if (ifp->if_bridge) { +#if defined(INET) || defined(INET6) +#ifdef DEV_CARP + if ((m->m_flags & ~(M_MCAST | M_BCAST)) == m->m_flags) { +#endif +#endif BRIDGE_OUTPUT(ifp, m, error); return (error); +#if defined(INET) || defined(INET6) +#ifdef DEV_CARP + } +#endif +#endif } #if defined(INET) || defined(INET6) --------------080001040707000106080403-- From owner-freebsd-net@FreeBSD.ORG Wed Jul 15 16:29:57 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BEA36106564A for ; Wed, 15 Jul 2009 16:29:57 +0000 (UTC) (envelope-from phoemix@harmless.hu) Received: from marvin.harmless.hu (marvin.harmless.hu [195.56.55.204]) by mx1.freebsd.org (Postfix) with ESMTP id 823E48FC17 for ; Wed, 15 Jul 2009 16:29:57 +0000 (UTC) (envelope-from phoemix@harmless.hu) Received: from [217.150.130.134] (helo=unknown) by marvin.harmless.hu with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MR7AJ-0000xG-8h for freebsd-net@freebsd.org; Wed, 15 Jul 2009 18:17:07 +0200 Date: Wed, 15 Jul 2009 18:17:03 +0200 
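
Review bot: The new guard inside `if (ifp->if_bridge)` applies to every bridge member whenever the kernel is built with DEV_CARP, not only to interfaces that actually have CARP configured, so all frames flagged M_MCAST or M_BCAST skip BRIDGE_OUTPUT on any bridged interface. Narrow the condition so it also requires CARP to be active on `ifp`. The test `(m->m_flags & ~(M_MCAST | M_BCAST)) == m->m_flags` would read more directly as `(m->m_flags & (M_MCAST | M_BCAST)) == 0`, and the two nested `#if`/`#ifdef` pairs that wrap only an opening and a closing brace are easy to unbalance; a single conditional expression with a comment naming the CARP/bridge lock order it works around would be safer.
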
From: Gergely CZUCZY
To: freebsd-net@freebsd.org
Message-ID: <20090715181703.00006c68@unknown>
Organization: Harmless Digital Bt
X-Mailer: Claws Mail 3.7.1 (GTK+ 2.16.0; i586-pc-mingw32msvc)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: IPsec tunnel help
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 15 Jul 2009 16:29:58 -0000

Hello,

I'd like to ask for a bit of help. I'd like to set up an IPSec VPN
between two hosts, and I'm facing an issue I can't solve myself.

The setup is the following:
It's a site-to-host VPN, from A to B. At A side there's the fbsd
gateway, it's a 7.2 box, everything is built into the kernel, and
ipsec-tools is up and running. I've got a /24 range here. Site B is a
Zywall 2 Plus device.

A: pub: 217.150.138.138, local: 192.168.0.0/24
B: pub: 217.150.130.163, local box: 192.168.1.64/32
C: 192.168.0.248

Phase 1 and 2 are completed. I'm trying to ping a box from the B site
behind the fbsd box, let's call it C. The icmp-echo-request reaches C,
reply is generated. The icmp-echo-reply appears on the local interface
of the fbsd box, but at that point it's lost; I can't find a trace of it.
It's not on the gif0 IF and neither are there any outgoing ESP packets
on the public interface.

Configs:
--- rc.conf --
# IPSec VPN
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
ipsec_program="/usr/local/sbin/setkey"
racoon_enable="YES"
racoon_flags="-d -l /var/log/racoon.log"
--- rc.conf ---
(I've put up the gif0 by hand)

gif0:
gif0: flags=8051 metric 0 mtu 1280
        tunnel inet 217.150.138.138 --> 217.150.130.163
        inet 192.168.0.0 --> 192.168.1.64 netmask 0xffffffff
(I've also tried with 192.168.0.251->192.168.1.64/32, no luck, same
results)

--- ipsec.conf ---
spdflush;
spdadd 192.168.1.64/32 192.168.0.0/24 any -P in ipsec esp/tunnel/217.150.130.163-217.150.138.138/unique;
spdadd 192.168.0.0/24 192.168.1.64/32 any -P in ipsec esp/tunnel/217.150.138.138-217.150.130.163/unique;
--- ipsec.conf ---

--- racoon.conf ---
log debug;
path pre_shared_key "/usr/local/etc/ipsec.keys";
path pidfile "/var/run/racoon.pid";

listen
{
    isakmp 217.150.138.138;
    adminsock "/var/db/racoon/racoon.sock";
}

remote 217.150.130.163
{
    exchange_mode main;
    my_identifier address 217.150.138.138;
    peers_identifier address 217.150.130.163;
    verify_identifier on;
#   lifetime time 40000 sec;
    proposal_check claim;
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 40000 seconds;
    }
}

sainfo address 192.168.1.64/32 any address 192.168.0.0/24 any
{
    lifetime time 40000 seconds;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.0.0/24 any address 192.168.1.64/32 any
{
    lifetime time 40000 seconds;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
--- racoon.conf ---

I've got the tunnel up:
# racoonctl show-sa isakmp
Destination            Cookies                           Created
217.150.130.163.500    60566fd9f22997f0:368679084fb0bf3e 2009-07-15 17:47:00
# racoonctl show-sa esp
217.150.138.138 217.150.130.163
...
217.150.130.163 217.150.138.138
...
(if I should show anything out of it, tell me)

I'm pinging the C box, on the local IF I see the traffic:
IP 192.168.1.64 > 192.168.0.248: ICMP echo request, id 1547, seq 3777, length 64
IP 192.168.0.248 > 192.168.1.64: ICMP echo reply, id 1547, seq 3777, length 64

on the gif0 I only see:
IP 192.168.1.64 > 192.168.0.248: ICMP echo request, id 1547, seq 3802, length 64

and on the public IF I see the following traffic:
IP 217.150.130.163 > 217.150.138.138: ESP(spi=0x022aff56,seq=0x627), length 116

No ESP packets from the fbsd box to the zyxel (A->B).

Practically traffic comes in, reaches the box on the local net, but
any traffic going outside is being lost somewhere.

In the pf.conf I allow the traffic to go through:
--- pf.conf snippet ---
pass in quick on $if_inetfw proto udp from any to ($if_inetfw:0) port 500 keep state
pass in quick on $if_inetfw proto {esp,ah,ipencap} from any to ($if_inetfw:0) keep state
pass out quick on $if_inetfw proto {esp,ah,ipencap} from any to any keep state
--- pf.conf snippet ---

So the question is, what is wrong, why don't I have any traffic
going to the B host out of the fbsd box? And how can this be fixed?

Thanks in advance

--
Sincerely,
Gergely CZUCZY
+36-30-9702963

From owner-freebsd-net@FreeBSD.ORG Thu Jul 16 01:21:59 2009
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2F5AD1065670 for ; Thu, 16 Jul 2009 01:21:59 +0000 (UTC) (envelope-from sol4nki@gmail.com)
Received: from mail-ew0-f215.google.com (mail-ew0-f215.google.com [209.85.219.215]) by mx1.freebsd.org (Postfix) with ESMTP id B26A88FC1A for ; Thu, 16 Jul 2009 01:21:58 +0000 (UTC) (envelope-from sol4nki@gmail.com)
Received: by ewy11 with SMTP id 11so102422ewy.43 for ; Wed, 15 Jul 2009 18:21:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.28.85 with SMTP id f63mr2272757wea.142.1247705863244; Wed, 15 Jul 2009 17:57:43 -0700 (PDT)
In-Reply-To: <20090715181703.00006c68@unknown>
References: <20090715181703.00006c68@unknown>
Date: Thu, 16 Jul 2009 02:57:43 +0200
Message-ID: <52bc9f190907151757w313175acxa40d4eae656a8345@mail.gmail.com>
From: Jigar SOLANKI
To: Gergely CZUCZY
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec tunnel help
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 16 Jul 2009 01:21:59 -0000

Hi,

I think that you can't see any outgoing traffic because there is no spd
rule that matches any outgoing traffic (from site A, i.e. your freebsd
box): this just comes from your second spd rule where "in" should be
"out":

Try to replace the second rule:

spdadd 192.168.0.0/24 192.168.1.64/32 any -P in ipsec esp/tunnel/217.150.138.138-217.150.130.163/unique;

By:

spdadd 192.168.0.0/24 192.168.1.64/32 any -P out ipsec esp/tunnel/217.150.138.138-217.150.130.163/unique;

Hope this helps. :-)

Regards,

--
SOLANKI Jigar
---

From owner-freebsd-net@FreeBSD.ORG Thu Jul 16 06:14:57 2009
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EFFB21065672 for ; Thu, 16 Jul 2009 06:14:57 +0000 (UTC) (envelope-from phoemix@harmless.hu)
Received: from marvin.harmless.hu (marvin.harmless.hu [195.56.55.204]) by mx1.freebsd.org (Postfix) with ESMTP id ACC2C8FC17 for ; Thu, 16 Jul 2009 06:14:57 +0000 (UTC) (envelope-from phoemix@harmless.hu)
Received: from [217.150.130.134] (helo=unknown) by marvin.harmless.hu with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MRKF5-000H7b-9o; Thu, 16 Jul 2009 08:14:55 +0200
Date: Thu, 16 Jul 2009 08:14:52 +0200
From: Gergely CZUCZY
To: Jigar SOLANKI
Message-ID: <20090716081452.0000693d@unknown>
In-Reply-To: <52bc9f190907151757w313175acxa40d4eae656a8345@mail.gmail.com>
References: <20090715181703.00006c68@unknown> <52bc9f190907151757w313175acxa40d4eae656a8345@mail.gmail.com>
Organization: Harmless Digital Bt
X-Mailer: Claws Mail 3.7.1 (GTK+ 2.16.0; i586-pc-mingw32msvc)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: Czuczy Gergely
Cc: Gergely CZUCZY , freebsd-net@freebsd.org
Subject: Re: IPsec tunnel help
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 16 Jul 2009 06:14:58 -0000

Thanks, this solved the problem. I think I was too tired and was
producing layer8 issues :)

Another question, what does the AES mean for racoon, is it AES256 or
AES128? I've seen both at some ipsec devices, and I haven't seen the
cipher size specified here.

On Thu, 16 Jul 2009 02:57:43 +0200
Jigar SOLANKI wrote:

> Hi,
>
> I think that you can't see any outgoing traffic because there is no
> spd rule that matches any outgoing traffic (from site A, i.e. your
> freebsd box): this just comes from your second spd rule where "in"
> should be "out":
>
> Try to replace the second rule:
>
> spdadd 192.168.0.0/24 192.168.1.64/32 any -P in ipsec
> esp/tunnel/217.150.138.138-217.150.130.163/unique;
>
>
> By:
>
>
> spdadd 192.168.0.0/24 192.168.1.64/32 any -P out ipsec
> esp/tunnel/217.150.138.138-217.150.130.163/unique;
>
>
> Hope this helps. :-)
>
> Regards,
>
> --
> SOLANKI Jigar
> ---
>

--
Sincerely,
Gergely CZUCZY
Harmless Digital Bt
+36-30-9702963

From owner-freebsd-net@FreeBSD.ORG Thu Jul 16 12:32:51 2009
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 661571065670 for ; Thu, 16 Jul 2009 12:32:51 +0000 (UTC) (envelope-from phoemix@harmless.hu)
Received: from marvin.harmless.hu (marvin.harmless.hu [195.56.55.204]) by mx1.freebsd.org (Postfix) with ESMTP id 29E7F8FC1B for ; Thu, 16 Jul 2009 12:32:51 +0000 (UTC) (envelope-from phoemix@harmless.hu)
Received: from [217.150.130.134] (helo=unknown) by marvin.harmless.hu with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MRQ8o-000ObG-0W for freebsd-net@freebsd.org; Thu, 16 Jul 2009 14:32:50 +0200
Date: Thu, 16 Jul 2009 14:32:48 +0200
From: Gergely CZUCZY
To: freebsd-net@freebsd.org
Message-ID: <20090716143248.0000184e@unknown>
Organization: Harmless Digital Bt
X-Mailer: Claws Mail 3.7.1 (GTK+ 2.16.0; i586-pc-mingw32msvc)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: FreeBSD 7.2 racoon and NAT-T
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 16 Jul 2009 12:32:51 -0000

Hello,

I'd like to ask for the state of that NAT-T support in 7.2. I've seen a
note in ipsec-tools's OPTIONS for a required kernel patch for 6.x in
order to have NAT-T working. Is this also required for 7.2?
If a kernel patch is needed, is a recent patch available for 7.2?
Does racoon need to be patched with anything not in the port?

Thanks in advance

--
Sincerely,
Gergely CZUCZY
+36-30-9702963

From owner-freebsd-net@FreeBSD.ORG Thu Jul 16 12:38:37 2009
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D6970106566C for ; Thu, 16 Jul 2009 12:38:37 +0000 (UTC) (envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (smtp.zeninc.net [80.67.176.25]) by mx1.freebsd.org (Postfix) with ESMTP id 972328FC15 for ; Thu, 16 Jul 2009 12:38:37 +0000 (UTC) (envelope-from vanhu@zeninc.net)
Received: from astro.zen.inc (astro.zen.inc [192.168.1.239]) by smtp.zeninc.net (smtpd) with ESMTP id 7A5D52798BD; Thu, 16 Jul 2009 14:38:36 +0200 (CEST)
Received: by astro.zen.inc (Postfix, from userid 1000) id 4CE0A17046; Thu, 16 Jul 2009 14:38:36 +0200 (CEST)
Date: Thu, 16 Jul 2009 14:38:36 +0200
From: VANHULLEBUS Yvan
To: Gergely CZUCZY
Message-ID: <20090716123836.GA85624@zeninc.net>
References: <20090716143248.0000184e@unknown>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20090716143248.0000184e@unknown>
User-Agent: All mail clients suck. This one just sucks less.
Cc: freebsd-net@freebsd.org
Subject: Re: FreeBSD 7.2 racoon and NAT-T
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 16 Jul 2009 12:38:38 -0000

On Thu, Jul 16, 2009 at 02:32:48PM +0200, Gergely CZUCZY wrote:
> Hello,

Hi.


> I'd like to ask for the state of that NAT-T support in 7.2. I've seen a
> note in ipsec-tools's OPTIONS for a required kernel patch for 6.x in
> order to have NAT-T working. Is this also required for 7.2?
> If a kernel patch is needed, is a recent patch available for 7.2?
> Does racoon need to be patched with anything not in the port?

http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
and ipsec-tools 0.7.x will work together (NOT tried with very recent
versions of stable/7, please report any problem).


A new FreeBSD patch will be needed to be able to run with upcoming
0.8.x (and with recent HEAD snapshots), and will be put in the same
location.


Yvan.
From owner-freebsd-net@FreeBSD.ORG Thu Jul 16 12:58:02 2009
Date: Thu, 16 Jul 2009 14:57:59 +0200
From: Gergely CZUCZY
To: VANHULLEBUS Yvan
Cc: freebsd-net@freebsd.org
Message-ID: <20090716145759.000074c9@unknown>
In-Reply-To: <20090716123836.GA85624@zeninc.net>
References: <20090716143248.0000184e@unknown> <20090716123836.GA85624@zeninc.net>
Subject: Re: FreeBSD 7.2 racoon and NAT-T

On Thu, 16 Jul 2009 14:38:36 +0200
VANHULLEBUS Yvan wrote:

> On Thu, Jul 16, 2009 at 02:32:48PM +0200, Gergely CZUCZY wrote:
> > Hello,
>
> Hi.
>
> > I'd like to ask for the state of that NAT-T support in 7.2. I've
> > seen a note in ipsec-tools's OPTIONS for a required kernel patch
> > for 6.x in order to have NAT-T working. Is this also required for
> > 7.2? If a kernel patch is needed, is a recent patch available for
> > 7.2? Does racoon need to be patched with anything not in the port?
>
> http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
> and ipsec-tools 0.7.x will work together (NOT tried with very recent
> versions of stable/7, please report any problem).
>
> A new FreeBSD patch will be needed to be able to run with upcoming
> 0.8.x (and with recent HEAD snapshots), and will be put in the same
> location.

Thank you very much.

Would it be possible that this could be integrated?
Might be with racoon, that would also be very nice. So far this is the
only thing I've found in FreeBSD that needs a feature in the base
install needs a 3rdparty utility in order to work at all.

Would be very nice to have everything in base available to have IPSec
working all around.

> Yvan.
--
Sincerely,
Gergely CZUCZY
Harmless Digital Bt
+36-30-9702963

From owner-freebsd-net@FreeBSD.ORG Thu Jul 16 13:21:19 2009
Date: Thu, 16 Jul 2009 15:21:17 +0200
From: VANHULLEBUS Yvan
To: Gergely CZUCZY
Cc: freebsd-net@freebsd.org
Message-ID: <20090716132117.GA98916@zeninc.net>
In-Reply-To: <20090716145759.000074c9@unknown>
References: <20090716143248.0000184e@unknown> <20090716123836.GA85624@zeninc.net> <20090716145759.000074c9@unknown>
Subject: Re: FreeBSD 7.2 racoon and NAT-T

On Thu, Jul 16, 2009 at 02:57:59PM +0200, Gergely CZUCZY wrote:
[...]
> Thank you very much.
>
> Would it be possible that this could be integrated?
> Might be with racoon, that would also be very nice. So far this is the
> only thing I've found in FreeBSD that needs a feature in the base
> install needs a 3rdparty utility in order to work at all.
>
> Would be very nice to have everything in base available to have IPSec
> working all around.

Kernel part of NAT-T stuff has been committed for upcoming FreeBSD 8.0,
and userland part needed to run with this kernel code has been
committed in ipsec-tools's HEAD, so will be in 0.8.0 (no, sync between
version numbers 8.0 and 0.8 is really just a chance :-).

Backport to FreeBSD 7.x has not been planned for now for various
reasons.

Yvan.
From owner-freebsd-net@FreeBSD.ORG Thu Jul 16 16:34:53 2009
Message-ID: <4A5F56AC.1000603@elischer.org>
Date: Thu, 16 Jul 2009 09:34:52 -0700
From: Julian Elischer
To: Gergely CZUCZY
Cc: freebsd-net@freebsd.org, VANHULLEBUS Yvan
In-Reply-To: <20090716145759.000074c9@unknown>
References: <20090716143248.0000184e@unknown> <20090716123836.GA85624@zeninc.net> <20090716145759.000074c9@unknown>
Subject: Re: FreeBSD 7.2 racoon and NAT-T

Gergely CZUCZY wrote:
> On Thu, 16 Jul 2009 14:38:36 +0200
> VANHULLEBUS Yvan wrote:
>
>> On Thu, Jul 16, 2009 at 02:32:48PM +0200, Gergely CZUCZY wrote:
>>> Hello,
>> Hi.
>>
>>> I'd like to ask for the state of that NAT-T support in 7.2. I've
>>> seen a note in ipsec-tools's OPTIONS for a required kernel patch
>>> for 6.x in order to have NAT-T working. Is this also required for
>>> 7.2? If a kernel patch is needed, is a recent patch available for
>>> 7.2? Does racoon need to be patched with anything not in the port?
>> http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
>> and ipsec-tools 0.7.x will work together (NOT tried with very recent
>> versions of stable/7, please report any problem).
>>
>> A new FreeBSD patch will be needed to be able to run with upcoming
>> 0.8.x (and with recent HEAD snapshots), and will be put in the same
>> location.
>

????
Does that mean that I was dreaming and the NAT-T stuff wasn't
committed? I was certain I had seen it being committed to current?

> Thank you very much.
>
> Would it be possible that this could be integrated?
> Might be with racoon, that would also be very nice. So far this is the
> only thing I've found in FreeBSD that needs a feature in the base
> install needs a 3rdparty utility in order to work at all.
>
> Would be very nice to have everything in base available to have IPSec
> working all around.
>
>> Yvan.

From owner-freebsd-net@FreeBSD.ORG Thu Jul 16 16:37:01 2009
Date: Thu, 16 Jul 2009 12:15:30 -0400
Message-ID: <126E45722B459248997856ECB72DEB7701285DC0@host.lodgenet.com>
From: "Jacobs, Brian"
Subject: GRE tunnel limitations

Does anyone have some realistic data on the number of GRE/ipip tunnels
FreeBSD 7.x can reasonably terminate? Assume no IPsec, just standard
encapsulation. I have an ad-hoc need to terminate about 1,4000 static
GRE tunnels (as Cisco 7206's are backordered until September). J

Thanks in advance!

/bmj

From owner-freebsd-net@FreeBSD.ORG Thu Jul 16 16:45:28 2009
Message-ID: <4A5F5927.3080904@elischer.org>
Date: Thu, 16 Jul 2009 09:45:27 -0700
From: Julian Elischer
To: "Jacobs, Brian"
Cc: freebsd-net@freebsd.org
In-Reply-To: <126E45722B459248997856ECB72DEB7701285DC0@host.lodgenet.com>
References: <126E45722B459248997856ECB72DEB7701285DC0@host.lodgenet.com>
Subject: Re: GRE tunnel limitations

Jacobs, Brian wrote:
> Does anyone have some realistic data on the number of GRE/ipip tunnels
> FreeBSD 7.x can reasonably terminate? Assume no IPsec, just standard
> encapsulation. I have an ad-hoc need to terminate about 1,4000 static
> GRE tunnels (as Cisco 7206's are backordered until September). J
>
> Thanks in advance!
>
> /bmj

The limitation would be that there is an interface for each one and
the interface 'interface' uses a linked list. It might work but there
would probably be scaling issues.

I've often thought that what we need is a way to do "bulk encapsulation
interfaces" where there is not an "interface" assigned to each
destination. (at least not one that shows up in 'ifconfig').

How will you want to decide which gre interface to use for a given
packet? Is it just a standard routing decision based on the remote
address?
From owner-freebsd-net@FreeBSD.ORG Thu Jul 16 16:50:03 2009
Date: Thu, 16 Jul 2009 12:50:00 -0400
Message-ID: <126E45722B459248997856ECB72DEB7701285DC2@host.lodgenet.com>
In-Reply-To: <4A5F5927.3080904@elischer.org>
References: <126E45722B459248997856ECB72DEB7701285DC0@host.lodgenet.com> <4A5F5927.3080904@elischer.org>
From: "Jacobs, Brian"
To: "Julian Elischer"
Cc: freebsd-net@freebsd.org
Subject: RE: GRE tunnel limitations

IP unnumbered between the two boxen. I've built some scripts to
automatically generate config files, and then other scripts to
automagically create the GRE interfaces and inject appropriate routes.

GRE numbers are assigned sequentially based on config file lines (and
are of no consequence):

gre45: flags=9051 metric 0 mtu 1476
        tunnel inet 10.3.100.39 --> 207.230.84.130
        inet 10.3.100.39 --> 10.11.146.129 netmask 0xffffffff
gre46: flags=9051 metric 0 mtu 1476
        tunnel inet 10.3.100.39 --> 12.35.57.131
        inet 10.3.100.39 --> 10.10.201.1 netmask 0xffffffff

10.3.100.39 is the primary Ethernet interface address of the local box
(terminator). 10.10.201.1 is the inside Ethernet of the remote box.

Routing statement for 10.0.0.0/8 live on the remote box, and individual
routes live on the concentrator:

root@yttrium /root# netstat -nr | grep 10.10.201
10.10.201.0/26     10.10.201.1        UGS         0     2042  gre46
10.10.201.1        10.3.100.39        UH          1    49263  gre46

/bmj

-----Original Message-----
From: Julian Elischer [mailto:julian@elischer.org]
Sent: Thursday, July 16, 2009 12:45 PM
To: Jacobs, Brian
Cc: freebsd-net@freebsd.org
Subject: Re: GRE tunnel limitations

Jacobs, Brian wrote:
> Does anyone have some realistic data on the number of GRE/ipip tunnels
> FreeBSD 7.x can reasonably terminate? Assume no IPsec, just standard
> encapsulation. I have an ad-hoc need to terminate about 1,4000 static
> GRE tunnels (as Cisco 7206's are backordered until September). J
>
> Thanks in advance!
>
> /bmj

The limitation would be that there is an interface for each one and
the interface 'interface' uses a linked list. It might work but there
would probably be scaling issues.

I've often thought that what we need is a way to do "bulk encapsulation
interfaces" where there is not an "interface" assigned to each
destination. (at least not one that shows up in 'ifconfig').

How will you want to decide which gre interface to use for a given
packet? Is it just a standard routing decision based on the remote
address?
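The interface and route creation described in the message above, as an added example that is not part of the original thread and is not the poster's script. The config file format, the function names and the first routed prefix are assumptions made for illustration; the addresses for gre45/gre46 and the local endpoint come from the post. It also rejects duplicate remote endpoints and overlapping routed prefixes, which would make the per-site routes ambiguous on the concentrator.

```python
import ipaddress

LOCAL_OUTER = "10.3.100.39"  # concentrator's primary Ethernet address (from the post)

# Constructed tunnel list, one site per line (hypothetical file format):
# remote outer address, remote inside address, prefix routed through the tunnel.
SAMPLE_CONFIG = """\
# remote_outer    remote_inner    routed_prefix
207.230.84.130    10.11.146.129   10.11.146.128/26
12.35.57.131      10.10.201.1     10.10.201.0/26
"""


def parse_tunnels(text):
    """Parse the config text into (outer, inner, prefix) tuples, validating each field."""
    tunnels = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("line %d: expected 3 fields, got %d" % (lineno, len(fields)))
        outer = ipaddress.IPv4Address(fields[0])
        inner = ipaddress.IPv4Address(fields[1])
        prefix = ipaddress.IPv4Network(fields[2])  # strict: host bits are an error
        tunnels.append((outer, inner, prefix))
    return tunnels


def check_conflicts(tunnels):
    """Refuse duplicate remote endpoints and overlapping routed prefixes."""
    seen = set()
    for outer, _inner, _prefix in tunnels:
        if outer in seen:
            raise ValueError("remote endpoint %s is used by two tunnels" % outer)
        seen.add(outer)
    previous = None
    # Sorted by network address; we stop at the first overlap, so every
    # earlier prefix is disjoint and comparing neighbours is sufficient.
    for net in sorted(prefix for _o, _i, prefix in tunnels):
        if previous is not None and net.network_address <= previous.broadcast_address:
            raise ValueError("routed prefixes %s and %s overlap" % (previous, net))
        previous = net


def gre_commands(tunnels, local_outer, first_unit=0):
    """Return the FreeBSD commands that create one gre(4) interface per tunnel."""
    check_conflicts(tunnels)
    commands = []
    for unit, (outer, inner, prefix) in enumerate(tunnels, first_unit):
        ifname = "gre%d" % unit  # numbered sequentially by config line
        commands += [
            "ifconfig %s create" % ifname,
            "ifconfig %s tunnel %s %s" % (ifname, local_outer, outer),
            "ifconfig %s inet %s %s netmask 0xffffffff" % (ifname, local_outer, inner),
            "route add -net %s %s" % (prefix, inner),
        ]
    return commands


if __name__ == "__main__":
    for command in gre_commands(parse_tunnels(SAMPLE_CONFIG), LOCAL_OUTER, first_unit=45):
        print(command)
```
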
From owner-freebsd-net@FreeBSD.ORG Fri Jul 17 04:09:35 2009
Date: Fri, 17 Jul 2009 04:09:34 GMT
Message-Id: <200907170409.n6H49YLg084325@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-net@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/136836: [ath] atheros card stops functioning after about 12 hours uptime

Old Synopsis: atheros card stops functioning after about 12 hours uptime
New Synopsis: [ath] atheros card stops functioning after about 12 hours uptime

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Jul 17 04:09:22 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=136836

From owner-freebsd-net@FreeBSD.ORG Fri Jul 17 04:15:52 2009
Date: Fri, 17 Jul 2009 04:15:51 GMT
Message-Id: <200907170415.n6H4Fp9R092614@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-net@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/136803: [sctp] [panic] Kernel panic and hanging on using SCTP

Old Synopsis: Kernel panic and hanging on using SCTP
New Synopsis: [sctp] [panic] Kernel panic and hanging on using SCTP

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Jul 17 04:15:38 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=136803

From owner-freebsd-net@FreeBSD.ORG Fri Jul 17 06:22:23 2009
Date: Fri, 17 Jul 2009 01:22:19 -0500
From: "David DeSimone"
To: "rascal"
Cc: freebsd-net@freebsd.org
Message-ID: <20090717062218.GL6896@verio.net>
In-Reply-To: <3228ef7c0907142001y650892b3w696576647086ba38@mail.gmail.com>
References: <3228ef7c0907130809n29566514xb2c1f522e1da8a3f@mail.gmail.com>
 <20090714134131.GA23925@traktor.dnepro.net>
 <3228ef7c0907140918i5d90dc44q995a4210f2767f9a@mail.gmail.com>
 <20090715001514.GU6896@verio.net>
 <3228ef7c0907141843s30df148eu2c6c64acd7748029@mail.gmail.com>
 <20090715021251.GV6896@verio.net>
 <3228ef7c0907142001y650892b3w696576647086ba38@mail.gmail.com>
Subject: Re: question regarding IPSEC Setup

rascal wrote:
>
> If I could ask one more favor; what does your cisco config look like
> that would match one of these? I have got mine configed based on
> someone else's tunnel specs and while I am sure they are comparable I
> wanted to make sure I wasn't missing anything.

Here's an example config that I sanitized from one of our Cisco routers;
I think it should work, but it's only an example. At some point you
have to adapt these configs to your own situation. :)

    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key SecretKey!! address 11.22.33.44

    crypto ipsec transform-set AES-SHA1 esp-aes esp-sha-hmac

    crypto map IPSEC local-address GigabitEthernet0/1
    crypto map IPSEC 1 ipsec-isakmp
     set peer 11.22.33.44
     set transform-set AES-SHA1
     match address remote-site

    interface GigabitEthernet0/1
     ip address 55.66.77.88 255.255.255.224
     crypto map IPSEC

    ip access-list extended remote-site
     permit ip 10.20.50.60 0.0.0.255 10.10.30.40 0.0.0.255
     permit ip 10.20.50.60 0.0.0.255 10.10.30.50 0.0.0.255
     permit ip 10.20.50.70 0.0.0.255 10.10.30.40 0.0.0.255
     permit ip 10.20.50.70 0.0.0.255 10.10.30.50 0.0.0.255

--
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I liked it I'd
   eat it, and I just hate it." -- Clarence Darrow
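The crypto ACL in the Cisco example above has to be mirrored by the security policy on the other peer, or phase 2 will not negotiate. As an added example (not part of the original message), this Python code converts the ACL's address/wildcard pairs to CIDR and emits the matching setkey(8) policy lines; it assumes the peer at 11.22.33.44 is the FreeBSD box, uses hypothetical function names, and goes slightly beyond the post by also accepting `any` and `host` selectors.

```python
import ipaddress

# Crypto ACL entries copied from the sanitized Cisco config above.
CISCO_ACL = """\
permit ip 10.20.50.60 0.0.0.255 10.10.30.40 0.0.0.255
permit ip 10.20.50.60 0.0.0.255 10.10.30.50 0.0.0.255
permit ip 10.20.50.70 0.0.0.255 10.10.30.40 0.0.0.255
permit ip 10.20.50.70 0.0.0.255 10.10.30.50 0.0.0.255
"""

CISCO_PEER = "55.66.77.88"  # router's GigabitEthernet0/1 address
LOCAL_PEER = "11.22.33.44"  # "set peer" target; assumed to be the FreeBSD side


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address + wildcard mask to a CIDR network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    # A wildcard maps to a prefix only if it is a run of low-order one bits.
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard %s has no CIDR form" % wildcard)
    prefix = 32 - wc.bit_length()
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF  # drop ignored bits
    return ipaddress.IPv4Network((base, prefix))


def take_selector(tokens):
    """Consume one address selector (any | host A | A WILDCARD) from tokens."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if head == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(head, tokens.pop(0))


def parse_crypto_acl(text):
    """Return ordered, de-duplicated (cisco_side, peer_side) network pairs."""
    pairs = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] != ["permit", "ip"]:
            raise ValueError("only 'permit ip' entries are handled: %r" % raw)
        rest = tokens[2:]
        try:
            src = take_selector(rest)
            dst = take_selector(rest)
        except IndexError:
            raise ValueError("incomplete ACL entry: %r" % raw)
        if rest:
            raise ValueError("unexpected trailing tokens in %r" % raw)
        if (src, dst) not in pairs:
            pairs.append((src, dst))
    return pairs


def mirrored_spd(acl_text, local_peer, cisco_peer):
    """Build setkey 'spdadd' lines for the peer that faces the Cisco router."""
    lines = []
    for cisco_net, local_net in parse_crypto_acl(acl_text):
        # Outbound here is the reverse of the router's ACL direction.
        lines.append("spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;"
                     % (local_net, cisco_net, local_peer, cisco_peer))
        lines.append("spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;"
                     % (cisco_net, local_net, cisco_peer, local_peer))
    return lines


if __name__ == "__main__":
    print("\n".join(mirrored_spd(CISCO_ACL, LOCAL_PEER, CISCO_PEER)))
```

With the sanitized addresses all four ACL entries reduce to the same /24 pair, because the 0.0.0.255 wildcard ignores the last octet, so only one out/in policy pair is produced.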
From owner-freebsd-net@FreeBSD.ORG Fri Jul 17 07:21:26 2009
Date: Fri, 17 Jul 2009 09:21:24 +0200
From: VANHULLEBUS Yvan
To: Julian Elischer
Cc: freebsd-net@freebsd.org
Message-ID: <20090717072124.GA4883@zeninc.net>
In-Reply-To: <4A5F56AC.1000603@elischer.org>
References: <20090716143248.0000184e@unknown> <20090716123836.GA85624@zeninc.net> <20090716145759.000074c9@unknown> <4A5F56AC.1000603@elischer.org>
Subject: Re: FreeBSD 7.2 racoon and NAT-T

On Thu, Jul 16, 2009 at 09:34:52AM -0700, Julian Elischer wrote:
> Gergely CZUCZY wrote:
[...]
> >>>I'd like to ask for the state of that NAT-T support in 7.2. I've
> >>>seen a note in ipsec-tools's OPTIONS for a required kernel patch
> >>>for 6.x in order to have NAT-T working. Is this also required for
> >>>7.2? If a kernel patch is needed, is a recent patch available for
> >>>7.2? Does racoon need to be patched with anything not in the port?
> >>http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
> >>and ipsec-tools 0.7.x will work together (NOT tried with very recent
> >>versions of stable/7, please report any problem).
> >>
> >>
> >>A new FreeBSD patch will be needed to be able to run with upcoming
> >>0.8.x (and with recent HEAD snapshots), and will be put in the same
> >>location.
>
> ???? Does that mean that I was dreaming and the NAT-T stuff wasn't
> committed? I was certain I had seen it being committed to current?

I was talking about FreeBSD 7.2 here.

Yvan.
From owner-freebsd-net@FreeBSD.ORG Fri Jul 17 08:15:30 2009
In-Reply-To: <200907101030.n6AAU3Ar050676@freefall.freebsd.org>
References: <200907101030.n6AAU3Ar050676@freefall.freebsd.org>
Date: Fri, 17 Jul 2009 11:15:27 +0300
Message-ID: <9e20d71e0907170115w3bb17f75tf31d6362a1311fd3@mail.gmail.com>
From: Artis Caune
To: Eygene Ryabinkin
Cc: freebsd-net@freebsd.org, bug-followup@freebsd.org
Subject: Re: kern/136618: [pf][stf] panic on cloning interface without unit number, e.g. `stf'

2009/7/10 Eygene Ryabinkin

> No problems. Care to test both patches? If yes, please, report back
> any findings of any type.
>

Hi, patch works good on amd64, 8.0-BETA2, r195712

root@FreeBSD ~# ifconfig carp0 name carp
ifconfig: ioctl (set name): File exists

--
Artis Caune

    Everything should be made as simple as possible, but not simpler.

From owner-freebsd-net@FreeBSD.ORG Fri Jul 17 08:20:05 2009
Date: Fri, 17 Jul 2009 08:20:05 GMT
Message-Id: <200907170820.n6H8K5Z9024579@freefall.freebsd.org>
To: freebsd-net@FreeBSD.org
From: Artis Caune Cc: Subject: Re: kern/136618: [pf][stf] panic on cloning interface without unit number, e.g. `stf' X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Artis Caune List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Jul 2009 08:20:05 -0000 The following reply was made to PR kern/136618; it has been noted by GNATS. From: Artis Caune To: Eygene Ryabinkin Cc: freebsd-net@freebsd.org, bug-followup@freebsd.org Subject: Re: kern/136618: [pf][stf] panic on cloning interface without unit number, e.g. `stf' Date: Fri, 17 Jul 2009 11:15:27 +0300 --0016369205b11155ce046ee26452 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit 2009/7/10 Eygene Ryabinkin > No problems. Care to test both patches? If yes, please, report back > any findings of any type. > Hi, patch works good on amd64, 8.0-BETA2, r195712 root@FreeBSD ~# ifconfig carp0 name carp ifconfig: ioctl (set name): File exists -- Artis Caune Everything should be made as simple as possible, but not simpler. --0016369205b11155ce046ee26452 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
--0016369205b11155ce046ee26452-- From owner-freebsd-net@FreeBSD.ORG Fri Jul 17 18:00:08 2009 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7C44A106564A for ; Fri, 17 Jul 2009 18:00:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 63B8F8FC0C for ; Fri, 17 Jul 2009 18:00:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n6HI086a057639 for ; Fri, 17 Jul 2009 18:00:08 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n6HI08HP057638; Fri, 17 Jul 2009 18:00:08 GMT (envelope-from gnats) Date: Fri, 17 Jul 2009 18:00:08 GMT Message-Id: <200907171800.n6HI08HP057638@freefall.freebsd.org> To: freebsd-net@FreeBSD.org From: Wes Morgan Cc: Subject: Re: kern/136836: atheros card stops functioning after about 12 hours uptime X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Wes Morgan List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Jul 2009 18:00:08 -0000 The following reply was made to PR kern/136836; it has been noted by GNATS. 
From: Wes Morgan To: FreeBSD-gnats-submit@FreeBSD.org Cc: Subject: Re: kern/136836: atheros card stops functioning after about 12 hours uptime Date: Fri, 17 Jul 2009 12:55:05 -0500 (CDT) These messages show up in syslog indicating that the card has stopped working: Jul 17 06:35:57 catalyst wpa_supplicant[491]: CTRL-EVENT-EAP-STARTED EAP authentication started Jul 17 06:35:57 catalyst wpa_supplicant[491]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected Jul 17 06:35:57 catalyst wpa_supplicant[491]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0) Jul 17 06:35:58 catalyst wpa_supplicant[491]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully Jul 17 06:35:58 catalyst wpa_supplicant[491]: WPA: EAPOL-Key Replay Counter did not increase - dropping packet Jul 17 06:35:59 catalyst wpa_supplicant[491]: WPA: Failed to set PTK to the driver. Jul 17 06:35:59 catalyst wpa_supplicant[491]: WPA: Key negotiation completed with 00:40:10:10:00:03 [PTK=CCMP GTK=CCMP] Jul 17 06:37:16 catalyst kernel: nfs server 192.168.0.1:/usr/home/media: not responding Jul 17 06:39:44 catalyst wpa_supplicant[491]: CTRL-EVENT-SCAN-RESULTS Jul 17 06:41:14 catalyst wpa_supplicant[491]: CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys Jul 17 06:41:14 catalyst kernel: wlan0: link state changed to DOWN Jul 17 06:41:15 catalyst kernel: wlan0: link state changed to UP Jul 16 08:00:26 catalyst wpa_supplicant[31662]: CTRL-EVENT-EAP-STARTED EAP authentication started Jul 16 08:00:26 catalyst wpa_supplicant[31662]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected Jul 16 08:00:26 catalyst wpa_supplicant[31662]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0) Jul 16 08:00:26 catalyst wpa_supplicant[31662]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully Jul 16 08:00:26 catalyst wpa_supplicant[31662]: WPA: EAPOL-Key 
Replay Counter did not increase - dropping packet Jul 16 08:00:27 catalyst wpa_supplicant[31662]: WPA: Failed to set PTK to the driver. Jul 16 08:00:27 catalyst wpa_supplicant[31662]: WPA: Key negotiation completed with 00:40:10:10:00:03 [PTK=CCMP GTK=CCMP] Jul 16 08:01:45 catalyst kernel: nfs server 192.168.0.1:/usr/home/media: not responding Jul 15 06:25:31 catalyst wpa_supplicant[495]: CTRL-EVENT-EAP-STARTED EAP authentication started Jul 15 06:25:31 catalyst wpa_supplicant[495]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected Jul 15 06:25:31 catalyst wpa_supplicant[495]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0) Jul 15 06:25:31 catalyst wpa_supplicant[495]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully Jul 15 06:25:31 catalyst wpa_supplicant[495]: WPA: EAPOL-Key Replay Counter did not increase - dropping packet Jul 15 06:25:32 catalyst wpa_supplicant[495]: WPA: Failed to set PTK to the driver. 
Jul 15 06:25:32 catalyst wpa_supplicant[495]: WPA: Key negotiation completed with 00:40:10:10:00:03 [PTK=CCMP GTK=CCMP] Jul 15 06:26:50 catalyst kernel: nfs server 192.168.0.1:/usr/home/media: not responding From owner-freebsd-net@FreeBSD.ORG Fri Jul 17 18:00:10 2009 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6B5B7106566B for ; Fri, 17 Jul 2009 18:00:10 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 48D978FC12 for ; Fri, 17 Jul 2009 18:00:10 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n6HI0AQ1057667 for ; Fri, 17 Jul 2009 18:00:10 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n6HI0Avw057666; Fri, 17 Jul 2009 18:00:10 GMT (envelope-from gnats) Date: Fri, 17 Jul 2009 18:00:10 GMT Message-Id: <200907171800.n6HI0Avw057666@freefall.freebsd.org> To: freebsd-net@FreeBSD.org From: Wes Morgan Cc: Subject: Re: kern/136836: atheros card stops functioning after about 12 hours uptime X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Wes Morgan List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Jul 2009 18:00:10 -0000 The following reply was made to PR kern/136836; it has been noted by GNATS. 
From: Wes Morgan To: bug-followup@freebsd.org Cc: Subject: Re: kern/136836: atheros card stops functioning after about 12 hours uptime Date: Fri, 17 Jul 2009 12:58:33 -0500 (CDT) These messages show up in syslog indicating that the card has stopped working: Jul 17 06:35:57 catalyst wpa_supplicant[491]: CTRL-EVENT-EAP-STARTED EAP authentication started Jul 17 06:35:57 catalyst wpa_supplicant[491]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected Jul 17 06:35:57 catalyst wpa_supplicant[491]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0) Jul 17 06:35:58 catalyst wpa_supplicant[491]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully Jul 17 06:35:58 catalyst wpa_supplicant[491]: WPA: EAPOL-Key Replay Counter did not increase - dropping packet Jul 17 06:35:59 catalyst wpa_supplicant[491]: WPA: Failed to set PTK to the driver. Jul 17 06:35:59 catalyst wpa_supplicant[491]: WPA: Key negotiation completed with 00:40:10:10:00:03 [PTK=CCMP GTK=CCMP] Jul 17 06:37:16 catalyst kernel: nfs server 192.168.0.1:/usr/home/media: not responding Jul 17 06:39:44 catalyst wpa_supplicant[491]: CTRL-EVENT-SCAN-RESULTS Jul 17 06:41:14 catalyst wpa_supplicant[491]: CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys Jul 17 06:41:14 catalyst kernel: wlan0: link state changed to DOWN Jul 17 06:41:15 catalyst kernel: wlan0: link state changed to UP Jul 16 08:00:26 catalyst wpa_supplicant[31662]: CTRL-EVENT-EAP-STARTED EAP authentication started Jul 16 08:00:26 catalyst wpa_supplicant[31662]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected Jul 16 08:00:26 catalyst wpa_supplicant[31662]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0) Jul 16 08:00:26 catalyst wpa_supplicant[31662]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully Jul 16 08:00:26 catalyst wpa_supplicant[31662]: WPA: EAPOL-Key Replay 
Counter did not increase - dropping packet Jul 16 08:00:27 catalyst wpa_supplicant[31662]: WPA: Failed to set PTK to the driver. Jul 16 08:00:27 catalyst wpa_supplicant[31662]: WPA: Key negotiation completed with 00:40:10:10:00:03 [PTK=CCMP GTK=CCMP] Jul 16 08:01:45 catalyst kernel: nfs server 192.168.0.1:/usr/home/media: not responding Jul 15 06:25:31 catalyst wpa_supplicant[495]: CTRL-EVENT-EAP-STARTED EAP authentication started Jul 15 06:25:31 catalyst wpa_supplicant[495]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected Jul 15 06:25:31 catalyst wpa_supplicant[495]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0) Jul 15 06:25:31 catalyst wpa_supplicant[495]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully Jul 15 06:25:31 catalyst wpa_supplicant[495]: WPA: EAPOL-Key Replay Counter did not increase - dropping packet Jul 15 06:25:32 catalyst wpa_supplicant[495]: WPA: Failed to set PTK to the driver. 
Jul 15 06:25:32 catalyst wpa_supplicant[495]: WPA: Key negotiation completed with 00:40:10:10:00:03 [PTK=CCMP GTK=CCMP] Jul 15 06:26:50 catalyst kernel: nfs server 192.168.0.1:/usr/home/media: not responding From owner-freebsd-net@FreeBSD.ORG Fri Jul 17 19:17:55 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E2779106564A for ; Fri, 17 Jul 2009 19:17:55 +0000 (UTC) (envelope-from sam@errno.com) Received: from ebb.errno.com (ebb.errno.com [69.12.149.25]) by mx1.freebsd.org (Postfix) with ESMTP id 9D2CD8FC13 for ; Fri, 17 Jul 2009 19:17:55 +0000 (UTC) (envelope-from sam@errno.com) Received: from ice.local ([10.0.0.115]) (authenticated bits=0) by ebb.errno.com (8.13.6/8.12.6) with ESMTP id n6HIdDRW091614 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 17 Jul 2009 11:39:13 -0700 (PDT) (envelope-from sam@errno.com) Message-ID: <4A60C551.1070208@errno.com> Date: Fri, 17 Jul 2009 11:39:13 -0700 From: Sam Leffler User-Agent: Thunderbird 2.0.0.22 (Macintosh/20090605) MIME-Version: 1.0 To: Wes Morgan References: <200907171800.n6HI0Avw057666@freefall.freebsd.org> In-Reply-To: <200907171800.n6HI0Avw057666@freefall.freebsd.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-DCC-sonic.net-Metrics: ebb.errno.com; whitelist Cc: freebsd-net@freebsd.org Subject: Re: kern/136836: atheros card stops functioning after about 12 hours uptime X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Jul 2009 19:17:56 -0000 Wes Morgan wrote: > The following reply was made to PR kern/136836; it has been noted by GNATS. 
> > From: Wes Morgan > To: bug-followup@freebsd.org > Cc: > Subject: Re: kern/136836: atheros card stops functioning after about 12 hours > uptime > Date: Fri, 17 Jul 2009 12:58:33 -0500 (CDT) > > These messages show up in syslog indicating that the card has stopped working: > > Jul 17 06:35:57 catalyst wpa_supplicant[491]: CTRL-EVENT-EAP-STARTED EAP authentication started > Jul 17 06:35:57 catalyst wpa_supplicant[491]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected > Jul 17 06:35:57 catalyst wpa_supplicant[491]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0) > Jul 17 06:35:58 catalyst wpa_supplicant[491]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully > Jul 17 06:35:58 catalyst wpa_supplicant[491]: WPA: EAPOL-Key Replay Counter did not increase - dropping packet > Jul 17 06:35:59 catalyst wpa_supplicant[491]: WPA: Failed to set PTK to the driver. > Jul 17 06:35:59 catalyst wpa_supplicant[491]: WPA: Key negotiation completed with 00:40:10:10:00:03 [PTK=CCMP GTK=CCMP] > Jul 17 06:37:16 catalyst kernel: nfs server 192.168.0.1:/usr/home/media: not responding > Jul 17 06:39:44 catalyst wpa_supplicant[491]: CTRL-EVENT-SCAN-RESULTS > Jul 17 06:41:14 catalyst wpa_supplicant[491]: CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys > Jul 17 06:41:14 catalyst kernel: wlan0: link state changed to DOWN > Jul 17 06:41:15 catalyst kernel: wlan0: link state changed to UP > > > Jul 16 08:00:26 catalyst wpa_supplicant[31662]: CTRL-EVENT-EAP-STARTED EAP authentication started > Jul 16 08:00:26 catalyst wpa_supplicant[31662]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected > Jul 16 08:00:26 catalyst wpa_supplicant[31662]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0) > Jul 16 08:00:26 catalyst wpa_supplicant[31662]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully > Jul 16 08:00:26 
catalyst wpa_supplicant[31662]: WPA: EAPOL-Key Replay Counter did not increase - dropping packet > Jul 16 08:00:27 catalyst wpa_supplicant[31662]: WPA: Failed to set PTK to the driver. > Jul 16 08:00:27 catalyst wpa_supplicant[31662]: WPA: Key negotiation completed with 00:40:10:10:00:03 [PTK=CCMP GTK=CCMP] > Jul 16 08:01:45 catalyst kernel: nfs server 192.168.0.1:/usr/home/media: not responding > > Jul 15 06:25:31 catalyst wpa_supplicant[495]: CTRL-EVENT-EAP-STARTED EAP authentication started > Jul 15 06:25:31 catalyst wpa_supplicant[495]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected > Jul 15 06:25:31 catalyst wpa_supplicant[495]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0) > Jul 15 06:25:31 catalyst wpa_supplicant[495]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully > Jul 15 06:25:31 catalyst wpa_supplicant[495]: WPA: EAPOL-Key Replay Counter did not increase - dropping packet > Jul 15 06:25:32 catalyst wpa_supplicant[495]: WPA: Failed to set PTK to the driver. > Jul 15 06:25:32 catalyst wpa_supplicant[495]: WPA: Key negotiation completed with 00:40:10:10:00:03 [PTK=CCMP GTK=CCMP] > Jul 15 06:26:50 catalyst kernel: nfs server 192.168.0.1:/usr/home/media: not responding This looks like another problem I'm working on. If you do wlandebug +crypto to get debug msgs you should see a complaint about not being able to plumb the PTK and the key index is > 0. 
Sam From owner-freebsd-net@FreeBSD.ORG Fri Jul 17 23:01:05 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 12C291065670 for ; Fri, 17 Jul 2009 23:01:05 +0000 (UTC) (envelope-from seklecki@noc.cfi.pgh.pa.us) Received: from mx04.pub.collaborativefusion.com (mx04.pub.collaborativefusion.com [206.210.72.84]) by mx1.freebsd.org (Postfix) with ESMTP id B3A148FC12 for ; Fri, 17 Jul 2009 23:01:04 +0000 (UTC) (envelope-from seklecki@noc.cfi.pgh.pa.us) Received: from [192.168.2.161] ([206.210.89.202]) by mx04.pub.collaborativefusion.com (StrongMail Enterprise 4.1.1.4(4.1.1.4-47689)); Fri, 17 Jul 2009 18:29:43 -0400 X-VirtualServerGroup: Default X-MailingID: 00000::00000::00000::00000::::1 X-SMHeaderMap: mid="X-MailingID" X-Destination-ID: freebsd-net@freebsd.org X-SMFBL: ZnJlZWJzZC1uZXRAZnJlZWJzZC5vcmc= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=noc.cfi.pgh.pa.us; s=noc_cfi_pgh_pa_us_key_dkim; l=2668; t=1247869783; i=@noc.cfi.pgh.pa.us; h=Subject:From:To: Content-Type:Date:Message-Id:Mime-Version:X-Mailer: Content-Transfer-Encoding; bh=yfYz0YhAunQ85ZXvt+5AUI+oZdE=; b=d1 pHP24k7QQc89rua+HOmcyQ3kRkbnFsjb/dDOmRG3KafOCm+x3u+DIW+swyjvq1DR 5Vj4g+wIGXSXJTuJQBoAQRiSr0wrvyVAFVQ1AHzdnuRMZHxE8NyTQr2b4+iPAC From: "Brian A. 
Seklecki" To: freebsd-net@freebsd.org Content-Type: text/plain Date: Fri, 17 Jul 2009 18:46:02 -0400 Message-Id: <1247870762.10382.14770.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> Mime-Version: 1.0 X-Mailer: Evolution 2.26.2 (2.26.2-1.fc11) Content-Transfer-Encoding: 7bit Subject: Dropped/Duplicate SYN, Cisco PIX/ASA, and and random ISN w/ net.inet.ip.random_id=1 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Jul 2009 23:01:05 -0000

All:

We recently worked closely with some FreeBSD developers to track down an elusive bug in the stack. In a high performance environment, we observed dropped (or extremely delayed) SYN packets, but were unable to easily reproduce the problem using test case scenarios.

Our environment:

- FreeBSD 7.x Servers
- FreeBSD 6.x clients
- PIX/ASA 7.2.x stateful firewalls
- pf(4) on the server with lots of jails
- PHP clients and server with SOAP framework, so lots and lots of sockets, often thousands between any given client->server, in various TCP states.

Getting to the heart of the matter, see:

http://fxr.watson.org/fxr/source/netinet/tcp_timewait.c#L385

Here we drop SYNs from [client:source_ephemeral_socket] if:

1) We already have that exact combination in CLOSE_WAIT
2) The ISN of the new incoming SYN is lower than that of the existing socket in CLOSE_WAIT

Those conditions are _highly_ unlikely, until you start hedging your bets.

net.inet.ip.random_id=1 in sysctl.conf(5) is one way to exacerbate the problem. So are the magic scrubbing bubbles in pf.conf(5): scrub all random-id. Also, the PIX/ASA code randomizes IDs by default as well(*).

net.inet.ip.portrange.randomized is another, since truly randomized numbers can involve duplicates. Additionally, the default random ephemeral source port range is way too small for these HPC environments, leading to more likely collisions, so that can be increased:

net.inet.ip.random_id=0
net.inet.ip.portrange.randomized=1
net.inet.ip.portrange.first=2048

Anyway, this discussion is strictly for the benefit of the mailing list archives, in case, further down the road, someone else finds themselves tcpdump(8)'ing duplicate SYNs and staring at netstat(8) -s output and beginning to doubt their own existence.

~Brian A. Seklecki

(*) To disable port randomization on the Cisco PIX:

tcp-map verify-chksum
 check-retransmission
 checksum-verification
 exceed-mss drop
 syn-data drop
 tcp-options selective-ack allow
 urgent-flag clear
 no ttl-evasion-protection
!
icmp unreachable rate-limit 1 burst-size 1
timeout xlate 3:00:00
timeout conn 12:00:00 half-closed 0:10:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
!
policy-map global_policy
 class my_inspection_tcp
  set connection embryonic-conn-max 2048 per-client-max 1024\
    per-client-embryonic-max 1024 random-sequence-number disable
  set connection timeout embryonic 0:02:00 tcp 1:30:00 dcd 24:00:00 5
  set connection advanced-options verify-chksum
!
service-policy global_policy interface [WhateverIF]

From owner-freebsd-net@FreeBSD.ORG Sat Jul 18 04:26:59 2009 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4F9E21065693; Sat, 18 Jul 2009 04:26:59 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 259228FC1A; Sat, 18 Jul 2009 04:26:59 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n6I4Qx2Y042845; Sat, 18 Jul 2009 04:26:59 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n6I4QxnY042841; Sat, 18 Jul 2009 04:26:59 GMT (envelope-from linimon) Date: Sat, 18 Jul 2009 04:26:59 GMT Message-Id: <200907180426.n6I4QxnY042841@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-net@FreeBSD.org From: linimon@FreeBSD.org Cc: Subject: Re: kern/136876: [bge] bge will not resume properly after suspend X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Jul 2009 04:26:59 -0000

Old Synopsis: bge will not resume properly after suspend
New Synopsis: [bge] bge will not resume properly after suspend

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Jul 18 04:26:34 UTC 2009
Responsible-Changed-Why: Over to maintainer(s).
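
Referring back to Brian A. Seklecki's message on dropped SYNs above: the following user-space C model is an added example, not part of any message in this archive and not FreeBSD kernel code. It assumes the standard modulo-2^32 sequence comparison; the port range, transfer size, ISN step and the names `syn_reopens` and `simulate` are constructed for illustration. It shows why a client reusing a small source-port range sees no drops with growing ISNs and roughly half its reused SYNs dropped once the ISN the server sees is randomized.

```c
/* Added illustration: a user-space model, not FreeBSD kernel code. */
#include <stdint.h>
#include <stdio.h>

#define NPORTS 64u      /* constructed: deliberately small ephemeral range */
#define NCONN  10000u   /* constructed: connections opened by one client */
#define XFER   1000u    /* constructed: bytes received per connection */

/* Standard TCP serial-number comparison: is a "after" b modulo 2^32? */
static int seq_gt(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

/* A SYN that matches a lingering entry for the same address/port pair
 * reopens it only if its ISN lies above the sequence space the old
 * connection used; otherwise the SYN is dropped. */
int syn_reopens(uint32_t syn_isn, uint32_t old_rcv_nxt)
{
    return seq_gt(syn_isn, old_rcv_nxt);
}

/* Deterministic xorshift32 so every run gives the same counts. */
static uint32_t prng_state;
static uint32_t next_random(void)
{
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 17;
    prng_state ^= prng_state << 5;
    return prng_state;
}

/* Count SYNs dropped when one client cycles through NPORTS source ports
 * faster than the server's lingering entries expire.
 * random_isn == 0: the ISN grows with every connection (clock-like).
 * random_isn == 1: each ISN is unrelated to earlier ones, which is what
 *                  the server sees when sequence numbers are randomized. */
unsigned simulate(int random_isn)
{
    uint32_t old_rcv_nxt[NPORTS] = {0};
    int lingering[NPORTS] = {0};
    uint32_t clock_isn = 0xfff00000u;  /* start near the 2^32 wrap on purpose */
    unsigned dropped = 0, i;

    prng_state = 0x9e3779b9u;          /* fixed, non-zero seed */
    for (i = 0; i < NCONN; i++) {
        unsigned port = i % NPORTS;    /* source port reused every NPORTS connections */
        uint32_t isn;

        clock_isn += 64000u;
        isn = random_isn ? next_random() : clock_isn;
        if (lingering[port] && !syn_reopens(isn, old_rcv_nxt[port])) {
            dropped++;                 /* client has to retransmit the SYN */
            continue;
        }
        old_rcv_nxt[port] = isn + 1u + XFER;  /* SYN plus payload consumed */
        lingering[port] = 1;
    }
    return dropped;
}

int main(void)
{
    printf("growing ISN:    %u of %u SYNs dropped\n", simulate(0), NCONN);
    printf("randomized ISN: %u of %u SYNs dropped\n", simulate(1), NCONN);
    return 0;
}
```

Widening the port range in the model only delays reuse; the drop rate on each reused port stays tied to how the new ISN compares with the old connection's sequence space.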
http://www.freebsd.org/cgi/query-pr.cgi?pr=136876 From owner-freebsd-net@FreeBSD.ORG Sat Jul 18 19:28:56 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C4BDE106564A for ; Sat, 18 Jul 2009 19:28:56 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from Mail.elbekies.net (mail.elbekies.net [217.6.211.146]) by mx1.freebsd.org (Postfix) with ESMTP id 790798FC08 for ; Sat, 18 Jul 2009 19:28:56 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7daa.q.ppp-pool.de [89.53.125.170]) by Mail.elbekies.net (Postfix) with ESMTPA id 8375A67884; Sat, 18 Jul 2009 21:03:51 +0200 (CEST) Received: from [192.168.16.4] (dardanos.sz.vwsoft.com [192.168.16.4]) by mail.vtec.ipme.de (Postfix) with ESMTP id 4B41333CA1; Sat, 18 Jul 2009 21:02:17 +0200 (CEST) Message-ID: <4A621C86.1060002@vwsoft.com> Date: Sat, 18 Jul 2009 21:03:34 +0200 From: volker@vwsoft.com User-Agent: Thunderbird 2.0.0.22 (X11/20090629) MIME-Version: 1.0 To: =?ISO-8859-1?Q?=C1=F5=BF=AD?= References: <7237120a0907092043ld8a3325mcf1458ef4aab3bf8@mail.gmail.com> In-Reply-To: <7237120a0907092043ld8a3325mcf1458ef4aab3bf8@mail.gmail.com> X-Enigmail-Version: 0.95.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-VWSoft-MailScanner: Found to be clean X-MailScanner-ID: 8375A67884.9214A X-Elbekies-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com MailScanner-NULL-Check: 1248548634.36416@6W4qQeb92NQJZIG17iQTkg Cc: freebsd-net@freebsd.org Subject: Re: system panic when i use ath without swap,some advice? 
X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Jul 2009 19:28:58 -0000

On 07/10/09 05:43, Áőż­ wrote:
> Hi all
>
> My system is atom n270 1G RAM, freebsd 7.2 release .without swap.
> When my ath is associated with an AP, and the traffic is high, the
> system will panic and reboot. this happened many times.
> Can you give me some advice please.
> thanks
>
> Micheal Kevin

Micheal,

sure, if you can give us the actual panic message, and preferably a backtrace, I'm pretty sure we can.

If you can easily produce the panic, you can also grab the coredump w/o swap space, if you have a spare USB thumb drive handy (see savecore).

BTW by instructing the kernel to save its coredump onto a (dedicated) USB thumb drive, I'm fetching core dumps from embedded units which is otherwise impossible. You can then later analyze and debug your kernel crash on a workstation machine.

HTH

Volker

From owner-freebsd-net@FreeBSD.ORG Sat Jul 18 22:35:03 2009 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C5FD2106566C for ; Sat, 18 Jul 2009 22:35:03 +0000 (UTC) (envelope-from fazaeli@sepehrs.com) Received: from sepehrs.com (www.sepehrs.com [213.217.59.98]) by mx1.freebsd.org (Postfix) with ESMTP id EC7868FC15 for ; Sat, 18 Jul 2009 22:35:02 +0000 (UTC) (envelope-from fazaeli@sepehrs.com) Received: from [192.168.4.180] ([192.168.3.1]) by mail (8.14.3/8.14.3) with ESMTP id n6E8DN5g048553 for ; Tue, 14 Jul 2009 12:43:23 +0430 (IRDT) Message-ID: <4A5C3EE6.7010704@sepehrs.com> Date: Tue, 14 Jul 2009 12:46:38 +0430 From: "H.Fazaeli" User-Agent: Thunderbird 2.0.0.22 (Windows/20090605) MIME-Version: 1.0 To: freebsd-net@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: broadcom 57710 support X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Jul 2009 22:35:04 -0000

Is there any near plan to develop drivers for network cards based on Broadcom NetXtreme II 57710 10 GbE controller?

--
Best regards.
Hooman Fazaeli
Sepehr S. T. Co. Ltd.
Web: http://www.sepehrs.com
Tel: (9821)88975701-2
Fax: (9821)88983352