Date:      Mon, 16 May 2005 10:02:50 +0300 (EEST)
From:      Ari Suutari <ari@suutari.iki.fi>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/81095: IPsec connection stops working if associated network interface goes down and then up again.
Message-ID:  <200505160702.j4G72o2M073300@guinness.syncrontech.com>
Resent-Message-ID: <200505160710.j4G7A2QB094193@freefall.freebsd.org>


>Number:         81095
>Category:       kern
>Synopsis:       IPsec connection stops working if associated network interface goes down and then up again.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 16 07:10:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Ari Suutari
>Release:        FreeBSD 5.4-RELEASE i386
>Organization:
>Environment:
FreeBSD poison2.syncrontech.com 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri May 13 09:13:34 EEST 2005     root@poison2.syncrontech.com:/usr/src/sys/i386/compile/POISON  i386

>Description:

IPsec VPN tunnel stops working after associated network interface
goes down and then back up again (which can happen with 
networks using tun device, for example). When the network interface
goes down, the IPsec stack updates its cached route to use the system default
route. However, when the interface comes back again the cached
route is not updated to use that interface again.

>How-To-Repeat:

Create a setup of 3 machines:

A: "remote server"
B: IPsec VPN server, use 5.4-RELEASE here
C: "local workstation"

Build a network between A and B which uses tun device (ppp or vtund).
Set up racoon and ipsec policies so that traffic from C to A is
transmitted via VPN tunnel. Start pinging A from C. Cause some kind of
problem between A and B which causes the tun device to go down.
Fix the temporary problem. Although the tun device goes now up,
the vpn never recovers and ping doesn't work any more.

>Fix:

Somehow update or invalidate the sa_route field (updated at least
in netinet6/ipsec.c now) when routing table changes. As a temporary
workaround, I have modified ipsec.c so that it always calls
rtalloc to ensure valid route.
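To make the mechanism in the description and the two fixes in this section concrete, here is an added toy model written for this page; it is not FreeBSD kernel code, and every name in it (rtable, rt_lookup, rt_set_link, sa_route_cache, the cache_policy values, the interface names tun0/fxp0) is an assumption. It replays the reported sequence (tunnel up, tunnel down, tunnel up again) against three policies for the per-SA cached route: re-resolve only when the cached entry is down (the reported behaviour), re-resolve when the routing table has changed since the route was cached (the invalidation the report asks for), and always look the route up (the reporter's rtalloc workaround).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model (assumption, not FreeBSD code): a routing table with an
 * interface up/down flag per entry and a per-SA cached route, used to show
 * why a cache that is only re-resolved when its entry goes down keeps
 * pointing at the default route after the tunnel interface comes back up.
 */

#define MAX_ROUTES 4

struct route_entry {
    const char *dst;     /* destination key; "default" is the fallback route */
    const char *ifname;  /* outgoing interface */
    bool up;             /* interface up => route usable */
};

struct rtable {
    struct route_entry routes[MAX_ROUTES];
    int n;
    unsigned generation; /* bumped on every change to the table */
};

/* Models the cached route kept per SA (the sa_route field in the report). */
struct sa_route_cache {
    const struct route_entry *rt; /* NULL when nothing is cached */
    unsigned generation;          /* table generation when the route was cached */
};

/* How the sender decides whether the cached route may still be used. */
enum cache_policy {
    CACHE_REUSE_WHILE_UP,   /* re-resolve only if the cached entry is down (reported behaviour) */
    CACHE_CHECK_GENERATION, /* re-resolve if the table changed since caching */
    CACHE_ALWAYS_LOOKUP     /* reporter's workaround: always do the lookup */
};

/* Pick the most specific usable route: exact destination match, else default. */
static const struct route_entry *rt_lookup(const struct rtable *t, const char *dst)
{
    const struct route_entry *def = NULL;
    for (int i = 0; i < t->n; i++) {
        const struct route_entry *r = &t->routes[i];
        if (!r->up)
            continue;
        if (strcmp(r->dst, dst) == 0)
            return r;
        if (strcmp(r->dst, "default") == 0)
            def = r;
    }
    return def;
}

/* Interface flap: mark every route via ifname up/down and bump the generation. */
static void rt_set_link(struct rtable *t, const char *ifname, bool up)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->routes[i].ifname, ifname) == 0)
            t->routes[i].up = up;
    t->generation++;
}

/* Send one packet over the SA; returns the interface actually used. */
static const char *sa_output(const struct rtable *t, struct sa_route_cache *c,
                             const char *dst, enum cache_policy p)
{
    bool reuse = c->rt != NULL && c->rt->up;
    if (p == CACHE_CHECK_GENERATION)
        reuse = reuse && c->generation == t->generation;
    if (p == CACHE_ALWAYS_LOOKUP)
        reuse = false;
    if (!reuse) {
        c->rt = rt_lookup(t, dst);
        c->generation = t->generation;
    }
    return c->rt ? c->rt->ifname : "none";
}

/*
 * Replays the report's scenario and returns the interface used for the
 * ping sent after the tunnel interface has come back up.
 */
const char *interface_after_flap(enum cache_policy p)
{
    struct rtable t = {
        .routes = { { "A", "tun0", true }, { "default", "fxp0", true } },
        .n = 2, .generation = 0,
    };
    struct sa_route_cache c = { NULL, 0 };

    (void)sa_output(&t, &c, "A", p);  /* tunnel healthy: goes out via tun0 */
    rt_set_link(&t, "tun0", false);
    (void)sa_output(&t, &c, "A", p);  /* tunnel down: cache re-resolves to default (fxp0) */
    rt_set_link(&t, "tun0", true);
    return sa_output(&t, &c, "A", p); /* tunnel back: does the cache notice? */
}

int main(void)
{
    printf("reuse-while-up:   %s\n", interface_after_flap(CACHE_REUSE_WHILE_UP));
    printf("check-generation: %s\n", interface_after_flap(CACHE_CHECK_GENERATION));
    printf("always-lookup:    %s\n", interface_after_flap(CACHE_ALWAYS_LOOKUP));
    return 0;
}
```

With the first policy the final packet still leaves via fxp0, because the cached default route is itself up and so never fails the "is my cached entry down?" test; the other two policies send it via tun0 again. The generation counter is the cheaper of the two fixes since the lookup is only repeated after an actual routing change, whereas the always-lookup workaround pays for a route lookup on every packet.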


>Release-Note:
>Audit-Trail:
>Unformatted:
