Date: Wed, 14 Jan 2004 00:57:31 +0100 From: Dierk Sacher <dierk@blaxxtarz.de> To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> Cc: freebsd-gnats-submit@FreeBSD.org Subject: Re: kern/61323: KAME IPSEC broken, IKE not excluded from policy, crashes Message-ID: <20040113235731.GC63076@blaxxtarz.evangelion.free> In-Reply-To: <Pine.BSF.4.53.0401131938160.30149@e0-0.zab2.int.zabbadoz.net> References: <200401131911.i0DJB4hL066312@www.freebsd.org> <Pine.BSF.4.53.0401131938160.30149@e0-0.zab2.int.zabbadoz.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Zitiere Bjoern A. Zeeb vom Tue, Jan 13, 2004 at 07:42:46PM +0000: > On Tue, 13 Jan 2004, Dierk Sacher wrote: > > > >Fix: > > No known fix, but the isakmp traffic should not have been blocked. > > A none policy for udp/500 does not work around the bug, it just crashes too > > Can you please try the patches mentioned in > http://lists.freebsd.org/pipermail/freebsd-current/2004-January/018084.html Thank you for the pointer. I applied all the patches and from a lazy testing I'm able to confirm that the related crashes und panics are gone. I'll continue to stress the whole setup over the next days and inform you, if there are any upcoming stability issues or the like. The handling of the IKE pakets is still broken. Beyond a now accepteable workaround, the "manual" handling of the IKE Traffic will lead us into a chicken-and-egg problem and should better be implemented the way its supposed to be. Said patches should be listed in the Fix Section of the PR. (My job? No experience with PRs so far). Gruss Dierk Sacher -- |----+----|----+----|----+----|----+----|----+----|----+----|----+----|--< GPG Fingerprint: D14C 12BB 37A6 6745 7F4F F420 9E59 D79E A492 2A96 GPG KeyID : A4922A96 +------------------------------------------------------------------------+
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040113235731.GC63076>