Date:      Wed, 5 Mar 2008 10:56:36 GMT
From:      Cyrus Rahman <crahman@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/121384: New IPSEC fails to obey policy levels
Message-ID:  <200803051056.m25Auaek054966@www.freebsd.org>
Resent-Message-ID: <200803051100.m25B03i2058070@freefall.freebsd.org>


>Number:         121384
>Category:       kern
>Synopsis:       New IPSEC fails to obey policy levels
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 05 11:00:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Cyrus Rahman
>Release:        7.0-RELEASE
>Organization:
>Environment:
FreeBSD snowfall.signetica.com 7.0-RELEASE FreeBSD 7.0-RELEASE #7: Wed Mar  5 00:48:02 MST 2008     cr@snowfall.signetica.com:/usr/src/sys/i386/compile/SIGNETICA  i386

>Description:
IPSEC policies include a level: default, use, require, or unique.  A level of 'use' should mean that the kernel will use an SA if available, otherwise it should pass the packet as it would normally.  However, with the new IPSEC this level is ignored and packets are discarded if the SA is not available.
>How-To-Repeat:
Between two hosts with no security associations and which are not running anything to set up such associations, check for connectivity with ping:

From hostA:
root# ping hostB
...echo replies

Install a policy like this on hostA:
spdadd -4 hostA hostB any -P out ipsec
        esp/transport//use;
spdadd -4 hostB hostA any -P in ipsec
        esp/transport//use;

Things should continue to work, however:

root# ping hostB
ping: sendto: Invalid argument
ping: sendto: Invalid argument

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
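The report hinges on what each policy level is supposed to mean. The following is an added example, not part of the PR or of FreeBSD's code: it parses setkey(8)-style rules such as `esp/transport//use` and evaluates the documented level semantics the report describes, so the expected outcome of the repro (no SA, level 'use', packet still sent) can be checked against what 7.0-RELEASE actually did. The `default_level` fallback for 'default' is a caller-supplied assumption here, standing in for the per-protocol sysctl.

```python
"""Parse setkey-style IPsec policy rules and evaluate the documented
level semantics (example added to this report, not part of it).

Assumed semantics, as described in the report and ipsec_set_policy(3):
'use'     -> protect if an SA exists, otherwise send in the clear;
'require' -> protect if an SA exists, otherwise drop;
'unique'  -> like 'require', bound to one SA (optional ':id' suffix);
'default' -> fall back to a caller-supplied level (stands in for the
             per-protocol sysctl; value assumed, not taken from the PR).
"""
import re
from dataclasses import dataclass
from typing import Optional

# protocol/mode/src-dst/level[:id], e.g. "esp/transport//use"
_RULE = re.compile(
    r"^(?P<proto>ah|esp|ipcomp)/(?P<mode>transport|tunnel)/"
    r"(?P<src>[^-/]*)(?:-(?P<dst>[^/]*))?/"
    r"(?P<level>default|use|require|unique)(?::(?P<id>\d+))?$"
)

@dataclass(frozen=True)
class PolicyRule:
    proto: str
    mode: str
    src: Optional[str]
    dst: Optional[str]
    level: str
    unique_id: Optional[int]

def parse_rule(text: str) -> PolicyRule:
    """Parse one rule such as 'esp/tunnel/10.0.0.1-10.0.0.2/require'."""
    m = _RULE.match(text.strip().rstrip(";"))
    if not m:
        raise ValueError(f"bad ipsec policy rule: {text!r}")
    if m["mode"] == "tunnel" and not (m["src"] and m["dst"]):
        raise ValueError("tunnel mode needs src-dst endpoints")
    return PolicyRule(m["proto"], m["mode"], m["src"] or None,
                      m["dst"] or None, m["level"],
                      int(m["id"]) if m["id"] else None)

def decide(rule: PolicyRule, sa_available: bool,
           default_level: str = "use") -> str:
    """Return 'protect', 'clear' or 'drop' for a packet matching rule."""
    level = default_level if rule.level == "default" else rule.level
    if sa_available:
        return "protect"          # every level uses the SA when present
    return "clear" if level == "use" else "drop"
```

With the report's policy and no SA, `decide` returns `clear`; the `sendto: Invalid argument` in the repro shows the 7.0 stack behaving as if the level were `require`.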