From: Alexander Leidinger <Alexander@Leidinger.net>
To: current@freebsd.org
Date: Thu, 5 Aug 2004 22:30:27 +0200
Subject: IPSEC broken (FAST_IPSEC works)?
Message-Id: <20040805223027.7df0732b@Magellan.Leidinger.net>
X-Mailer: Sylpheed-Claws 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd5.2)
List-Id: Discussions about the use of FreeBSD-current

Hi,

I've replaced a 4.10 server with a 5-current (Jul 18, without PREEMPTION, with MSIZE=512) one. Both have the same IPSEC config (kernel, setkey, racoon, gif).

But the 5-current one isn't able to transfer data over the VPN (no ping, no telnet to a port on a host on the other side of the tunnel). Racoon is able to negotiate a connection:

---snip---
# setkey -D
No SAD entries.
# ping host_behind_b
[waiting long enough, but no output]
[ctrl-c]
# setkey -D
a b
	esp mode=tunnel spi=3635833369(0xd8b66a19) reqid=0(0x00000000)
	E: 3des-cbc 11d159c7 53846874 895eacfd 66074dc4 36350ac2 f09fe17a
	A: hmac-md5 bf041de9 225ebf60 dac19d00 23653b39
	seq=0x00000002 replay=4 flags=0x00000000 state=mature
	created: Aug 5 22:10:27 2004	current: Aug 5 22:10:30 2004
	diff: 3(s)	hard: 300(s)	soft: 240(s)
	last: Aug 5 22:10:28 2004	hard: 0(s)	soft: 0(s)
	current: 272(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 2	hard: 0	soft: 0
	sadb_seq=1 pid=561 refcnt=2
b a
	esp mode=tunnel spi=116056914(0x06eae352) reqid=0(0x00000000)
	E: 3des-cbc 053d94f1 edef8617 69d25dca e69ec7db ad3c9a1a 0838a24c
	A: hmac-md5 04d024d9 96b2c61e 6ecc79e4 f2393bc4
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Aug 5 22:10:27 2004	current: Aug 5 22:10:30 2004
	diff: 3(s)	hard: 300(s)	soft: 240(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=561 refcnt=1
---snip---

tcpdump while doing a "ping host_behind_b":

---snip---
21:43:53.966704 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:43:55.112454 IP b.500 > a.500: isakmp: phase 2/others ? oakley-quick[E]
21:43:55.120021 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:44:55.331956 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
21:47:14.475946 IP a > b: ESP(spi=0x754e1e4d,seq=0x1)
21:47:14.484644 IP b > a: ESP(spi=0x03a777cb,seq=0x1)
21:47:15.483319 IP a > b: ESP(spi=0x754e1e4d,seq=0x2)
21:47:15.489887 IP b > a: ESP(spi=0x03a777cb,seq=0x2)
21:47:16.493331 IP a > b: ESP(spi=0x754e1e4d,seq=0x3)
21:47:16.499916 IP b > a: ESP(spi=0x03a777cb,seq=0x3)
21:47:17.503348 IP a > b: ESP(spi=0x754e1e4d,seq=0x4)
21:47:17.514614 IP b > a: ESP(spi=0x03a777cb,seq=0x4)
21:47:18.513362 IP a > b: ESP(spi=0x754e1e4d,seq=0x5)
21:47:18.520057 IP b > a: ESP(spi=0x03a777cb,seq=0x5)
21:47:56.970054 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:47:58.115081 IP b.500 > a.500: isakmp: phase 2/others ? oakley-quick[E]
21:47:58.122636 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:49:00.330423 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
21:53:00.318424 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
---snip---

tcpdump on the gif interface shows nothing.

"netstat -s -p ipsec" reports:

---snip---
ipsec:
	106 inbound packets processed successfully
	0 inbound packets violated process security policy
	0 inbound packets with no SA available
	0 invalid inbound packets
	0 inbound packets failed due to insufficient memory
	0 inbound packets failed getting SPI
	0 inbound packets failed on AH replay check
	0 inbound packets failed on ESP replay check
	0 inbound packets considered authentic
	0 inbound packets failed on authentication
	ESP input histogram:
		3des-cbc: 106
	102 outbound packets processed successfully
	0 outbound packets violated process security policy
	5 outbound packets with no SA available
	0 invalid outbound packets
	0 outbound packets failed due to insufficient memory
	0 outbound packets with no route
	ESP output histogram:
		3des-cbc: 102
	7526 SPD cache lookups
	3235 SPD cache misses
---snip---

A kernel with FAST_IPSEC instead of IPSEC works as expected (ping reports the round trip time, tcpdump shows traffic on the gif interface and a quick test with telnet to a port on host_behind_b shows the expected output).

The system is supposed to go into production soon, so I can't guarantee I can do "expensive" tests if someone comes up with a patch or needs some data which is only available if IPSEC instead of FAST_IPSEC is used.

Bye,
Alexander.

-- 
I'm available to get hired (preferred in .lu).

http://www.Leidinger.net                Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
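As an added example (not part of Alexander's mail, of racoon or of FreeBSD), the script below correlates the three pieces of evidence the mail quotes: it parses the `setkey -D` SAD dump, the ESP lines of the tcpdump and the `netstat -s -p ipsec` counters, and reports the mismatches a troubleshooter checks first: ESP SPIs seen on the wire that have no SAD entry (expected here, since the capture at 21:47 predates the SAs created at 22:10), a mature SA that has carried no bytes, non-contiguous ESP sequence numbers, and non-zero error counters. The sample inputs are the mail's own outputs (the SAD dump restored to setkey's one-field-per-line layout, with some lines dropped); the regexes, the finding rules and the word list used to pick out error counters are assumptions of this example, not anything the mail or the KAME code defines.

```python
"""Added example (ours, not the poster's or FreeBSD's): cross-check the three views of an
IPsec tunnel quoted in the post -- SAD ('setkey -D'), ESP on the wire (tcpdump) and the
kernel counters ('netstat -s -p ipsec') -- and report the inconsistencies to look at first."""
import re
from collections import namedtuple

# Sample input: the post's 'setkey -D' output in setkey's one-field-per-line layout (some
# lines omitted).  The parser locates fields by regex, so a dump that has been run together
# onto one line, as in the mail archive, parses identically.
SETKEY_DUMP = """\
a b
    esp mode=tunnel spi=3635833369(0xd8b66a19) reqid=0(0x00000000)
    E: 3des-cbc 11d159c7 53846874 895eacfd 66074dc4 36350ac2 f09fe17a
    A: hmac-md5 bf041de9 225ebf60 dac19d00 23653b39
    seq=0x00000002 replay=4 flags=0x00000000 state=mature
    current: 272(bytes) hard: 0(bytes)  soft: 0(bytes)
    allocated: 2    hard: 0 soft: 0
b a
    esp mode=tunnel spi=116056914(0x06eae352) reqid=0(0x00000000)
    E: 3des-cbc 053d94f1 edef8617 69d25dca e69ec7db ad3c9a1a 0838a24c
    A: hmac-md5 04d024d9 96b2c61e 6ecc79e4 f2393bc4
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
"""
# Sample input: lines from the post's tcpdump, taken about half an hour before the dump.
TCPDUMP = """\
21:47:14.475946 IP a > b: ESP(spi=0x754e1e4d,seq=0x1)
21:47:14.484644 IP b > a: ESP(spi=0x03a777cb,seq=0x1)
21:47:15.483319 IP a > b: ESP(spi=0x754e1e4d,seq=0x2)
21:47:15.489887 IP b > a: ESP(spi=0x03a777cb,seq=0x2)
21:47:56.970054 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
"""
# Sample input: excerpt of the post's 'netstat -s -p ipsec'.
NETSTAT = """\
ipsec:
        106 inbound packets processed successfully
        0 inbound packets failed on ESP replay check
        ESP input histogram:
                3des-cbc: 106
        102 outbound packets processed successfully
        5 outbound packets with no SA available
"""

SA = namedtuple("SA", "src dst proto mode spi enc auth state nbytes allocated")
SA_HDR = re.compile(r"(\S+) (\S+)\s+(esp|ah|ipcomp) mode=(\S+) spi=\d+\(0x([0-9a-f]+)\)")
ESP_PKT = re.compile(r"^\S+ IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)", re.M)
COUNTER = re.compile(r"^\s*(\d+) ([A-Za-z].*?)\s*$", re.M)
ERROR_WORDS = ("violated", "no SA", "invalid", "failed", "no route")  # assumed heuristic


def parse_sad(text):
    """One SA record per 'src dst / esp mode=... spi=...' header in a setkey -D dump."""
    heads = list(SA_HDR.finditer(text))
    sas = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[m.end():end]
        def field(pat, default=""):
            r = re.search(pat, body)
            return r.group(1) if r else default
        sas.append(SA(m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5), 16),
                      field(r"E: (\S+)"), field(r"A: (\S+)"), field(r"state=(\S+)"),
                      int(field(r"current: (\d+)\(bytes\)", "0")),
                      int(field(r"allocated: (\d+)", "0"))))
    return sas


def parse_esp_on_wire(text):
    """tcpdump ESP lines -> {(src, dst, spi): [seq, ...]} in capture order; other lines ignored."""
    seen = {}
    for src, dst, spi, seq in ESP_PKT.findall(text):
        seen.setdefault((src, dst, int(spi, 16)), []).append(int(seq, 16))
    return seen


def parse_ipsec_stats(text):
    """'<count> <description>' lines of netstat -s -p ipsec -> {description: count}."""
    return {desc: int(n) for n, desc in COUNTER.findall(text)}


def diagnose(sas, wire, stats):
    """Return human-readable findings; an empty list means the three views agree."""
    findings = []
    sad_keys = {(s.src, s.dst, s.spi) for s in sas}
    for (src, dst, spi), seqs in sorted(wire.items()):
        if (src, dst, spi) not in sad_keys:
            findings.append(f"ESP spi 0x{spi:08x} {src}>{dst} ({len(seqs)} pkts) has no SAD entry: "
                            "SA expired/rekeyed, or the capture and the dump are from different times")
        if seqs != list(range(seqs[0], seqs[0] + len(seqs))):
            findings.append(f"ESP spi 0x{spi:08x} {src}>{dst}: sequence numbers not contiguous {seqs}")
    for s in sas:
        if s.state == "mature" and s.nbytes == 0:
            findings.append(f"SA {s.src}>{s.dst} spi 0x{s.spi:08x} is mature but has carried 0 bytes")
    for desc, n in stats.items():
        if n and any(w in desc for w in ERROR_WORDS):
            findings.append(f"counter: {n} {desc}")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_sad(SETKEY_DUMP), parse_esp_on_wire(TCPDUMP), parse_ipsec_stats(NETSTAT)):
        print("-", line)
```

Run against the mail's data it prints four findings: both wire SPIs are absent from the SAD (the capture predates the dump), the b>a SA is mature with 0 bytes, and 5 outbound packets went out with no SA available. None of these identifies the kernel fault by itself; the value of the check is that it separates "keying is fine, the SAD is populated" from "ESP arrives but never reaches the inner interface", which is exactly the boundary the mail is describing.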