Date:      Thu, 12 May 2005 09:21:32 +0300
From:      Ari Suutari <ari@suutari.iki.fi>
To:        freebsd-net@freebsd.org
Subject:   IPSEC traffic doesn't work reliably after upgrading from 4.11 to 5.4
Message-ID:  <4282F5EC.6060902@suutari.iki.fi>

Hi,

I have upgraded a vpn server from FreeBSD 4.11 to 5.4-RELEASE.
The box has about 20 vpn connections to other FreeBSD machines,
the physical connection is via tun0 ... tun20 devices.

Traffic flow is something like this:

my internal net ->
	vpn server em1 ->
	vpn server ipsec ->
	vpn server tun0 ->
	vpn server em0 ->
	internet ->
	remote freebsd fxp0 ->
	remote freebsd tun0 ->
	remote freebsd ipsec ->
	remote net

Remote FreeBSD box is still running 4.11.
IPsec is the KAME version, not FAST_IPSEC.

(tun0 stuff is created by vtun software, which is used
to get around various restrictions, like ISP providing
private addresses only).

This has been working very well for years under FreeBSD 4.x.

After upgrading to 5.4, things seem to work at first. However,
when the physical connection has problems, causing the tun0 device to
go temporarily down on the server, the vpn never recovers from it.
When tun0 comes back up again, IPsec SAs seem to be valid
on both sides. Non-ipsec traffic works without problems
over tun0, as does *incoming* ipsec traffic from the remote
FreeBSD box. Outgoing ipsec packets seem to vanish completely.

It seems that the problem can also be triggered by running
ifconfig tun0 down && ifconfig tun0 up.

netstat -s -p ipsec doesn't show any errors. To recover
from the situation, issuing setkey -F to flush all SAs helps.
Flushing only the SAs related to this connection does not help,
neither does removing related policies and adding them again.

I wouldn't like to go back to the 4.x series, so I'm looking
for a fix/workaround for this.

	Ari S.
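The report names a reproducible trigger (tun0 going down and back up) and an operational recovery (a full `setkey -F`, since deleting only the affected SAs or re-adding the policies did not help). The script below is an added example, not part of Ari's post or of FreeBSD: it automates that workaround by polling the tunnel's flags and running the full flush only on a down-to-up transition. The config path `/etc/ipsec.conf`, the `setkey -f` reload step (only useful if manual SAs or policies live in that file; IKE-negotiated SAs are simply re-established on demand), the poll interval and the `--watch` switch are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): watch a tun interface and apply
# the full-flush IPsec recovery from the report when the link comes back up.

IFACE="${IFACE:-tun0}"
SETKEY_CONF="${SETKEY_CONF:-/etc/ipsec.conf}"   # assumed location of SPD/SAD config
POLL_SECONDS="${POLL_SECONDS:-5}"               # assumed poll interval

# link_state: print "up" or "down" given the text of `ifconfig <iface>`.
# FreeBSD prints the interface flags on the first line, e.g.
#   tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
# The UP flag is what `ifconfig tun0 down` clears and `ifconfig tun0 up` sets.
link_state() {
    flags=$(printf '%s\n' "$1" | sed -n '1s/.*flags=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,UP,*) echo up ;;
        *)      echo down ;;
    esac
}

# transition_action: decide what to do given the previous and current state.
# Only a down -> up transition triggers the flush; a steady "up" must not,
# or every poll would tear down working SAs.
transition_action() {
    if [ "$1" = down ] && [ "$2" = up ]; then
        echo flush
    else
        echo none
    fi
}

# recover_ipsec: the workaround from the report. The full SAD flush is what
# restored outgoing traffic; per-SA deletion and policy re-add did not.
recover_ipsec() {
    setkey -F || return 1
    # Re-add manual SAs/policies if a config file exists (assumption: the
    # file is in setkey(8) syntax, as used by /etc/rc.d/ipsec).
    if [ -r "$SETKEY_CONF" ]; then
        setkey -f "$SETKEY_CONF" || return 1
    fi
    logger -t ipsec-watch "flushed SAD after $IFACE came back up"
}

# watch_loop: poll the interface and act on transitions.
watch_loop() {
    prev=$(link_state "$(ifconfig "$IFACE" 2>/dev/null)")
    while :; do
        sleep "$POLL_SECONDS"
        cur=$(link_state "$(ifconfig "$IFACE" 2>/dev/null)")
        if [ "$(transition_action "$prev" "$cur")" = flush ]; then
            recover_ipsec
        fi
        prev=$cur
    done
}

# Constructed sample ifconfig output, used for the self-check below.
SAMPLE_UP='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff'
SAMPLE_DOWN='tun0: flags=8050<POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff'

# Run the watcher only when asked to, so the functions can be sourced/tested.
case "${1:-}" in
    --watch) watch_loop ;;
esac
```

Run as `sh ipsec-watch.sh --watch` (as root, since setkey needs the PF_KEY socket); without `--watch` it only defines the functions. The flush is deliberately tied to the transition rather than to a timer, because a full `setkey -F` also drops SAs for the other tunnels and should happen as rarely as the fault itself.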
