Date:      Mon, 12 Apr 2004 15:54:32 -0700 (PDT)
From:      Timothy Ham <tham@nth-order.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/65474: IPSEC filters outbound ISAKMP traffic and IPSEC negotiation fails.
Message-ID:  <200404122254.i3CMsWEi004062@www.freebsd.org>
Resent-Message-ID: <200404122300.i3CN0kZK031103@freefall.freebsd.org>


>Number:         65474
>Category:       kern
>Synopsis:       IPSEC filters outbound ISAKMP traffic and IPSEC negotiation fails.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 12 16:00:45 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Timothy Ham
>Release:        5.2.1-RELEASE-p3
>Organization:
>Environment:
FreeBSD atta.nth-order.com 5.2.1-RELEASE-p3 FreeBSD 5.2.1-RELEASE-p3 #1: Sat Mar 20 18:50:16 PST 2004     tham@atta.nth-order.com:/usr/obj/usr/src/sys/ATTAB  i386
>Description:
ISAKMP traffic on port 500 which should not be affected by IPSEC policy is, and only on the outbound side.  During key negotiations, the kernel should allow unencrypted key-exchange packets on port 500 between the hosts.  Even with the "require" policy, these packets should be allowed to go through (initial key exchange must occur in the clear).  In FreeBSD version 5.1 the kernel performs the correct behavior.  Since 5.2-Release, and subsequent patches (up to 5.2.1-p3) the kernel silently drops outgoing key-exchange packets, and *only* the outgoing packets, and thus IPSEC negotiation fails.
>How-To-Repeat:
Set up IPSEC between two machines (IPSEC in the kernel, running Racoon)
Set up a tunnel between them, using esp and the "use" policy on both.
Monitor racoon debug output and tcpdump.

With the "use" policy, the key negotiations should take place and ipsec negotiations will succeed.  

Change the tunnel setting on one of the machines and change the policy to "require".

Now, racoon and tcpdump will show that the machine with the "use" policy (call it machine A) sends out the proper request.  When the machine with the "require" policy (call it machine B) responds, racoon on B will show that it is replying to machine A's key-exchange request with its own response, but tcpdump will show no packets from machine B.  Consequently machine A will fail IPSEC negotiations, complaining it did not receive any response from B.
>Fix:
Unsafe workaround: instead of the "require" policy, use "use".
>Release-Note:
>Audit-Trail:
>Unformatted:
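The following is an added illustration, not part of the report and not FreeBSD kernel code: a small Python model of the outbound IPsec policy decision the report describes. It encodes the setkey(8) semantics of "use" (encrypt if an SA exists, otherwise send in the clear) and "require" (refuse to send without an SA), plus a switch for whether UDP port 500 ISAKMP traffic is exempted from the policy, which is the behaviour the report says 5.1 had and 5.2 lost. The packet fields, the `exempt_isakmp` switch and the decision labels are constructed for the model.

```python
"""Model of outbound IPsec SPD handling, written to illustrate PR kern/65474.

This is a constructed model, not the FreeBSD kernel's code: it captures only the
policy semantics the report relies on (use vs. require, and the ISAKMP exemption).
"""
from dataclasses import dataclass

# Outbound policy levels as in setkey(8).
USE = "use"          # encrypt when an SA exists, otherwise send in the clear
REQUIRE = "require"  # never send without an SA

ISAKMP_PORT = 500    # IKE/ISAKMP, which must be able to travel unencrypted


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp", "tcp", ...
    dport: int


def outbound_decision(pkt, policy, sa_exists, exempt_isakmp):
    """Return what the stack does with an outbound packet.

    Results: "clear" (sent unencrypted), "esp" (sent under the SA) or "drop".
    exempt_isakmp=True models the expected behaviour (FreeBSD 5.1 per the report):
    UDP/500 is not subject to the policy, so IKE can negotiate the SA in the clear.
    exempt_isakmp=False models the reported 5.2 behaviour.
    """
    if exempt_isakmp and pkt.proto == "udp" and pkt.dport == ISAKMP_PORT:
        return "clear"          # key exchange goes out regardless of policy
    if sa_exists:
        return "esp"            # protected by the negotiated SA
    if policy == USE:
        return "clear"          # no SA yet: "use" falls back to plaintext
    if policy == REQUIRE:
        return "drop"           # no SA: "require" silently discards the packet
    raise ValueError(f"unknown policy {policy!r}")


def responder_ike_reply(policy, exempt_isakmp):
    """Machine B answering A's ISAKMP request: no SA exists yet by definition."""
    reply = Packet("B", "A", "udp", ISAKMP_PORT)
    return outbound_decision(reply, policy, sa_exists=False,
                             exempt_isakmp=exempt_isakmp)


def application_traffic(policy, exempt_isakmp, sa_exists):
    """Ordinary traffic (constructed: an SSH connection B -> A) under the policy."""
    data = Packet("B", "A", "tcp", 22)
    return outbound_decision(data, policy, sa_exists, exempt_isakmp)


if __name__ == "__main__":
    print("5.1 behaviour, require:", responder_ike_reply(REQUIRE, True))    # clear
    print("reported 5.2, require:", responder_ike_reply(REQUIRE, False))    # drop
    print("workaround, use:", responder_ike_reply(USE, False))              # clear
    print("why it is unsafe:", application_traffic(USE, False, False))      # clear
```

The last line is the point behind the report's "unsafe" label: with "use", the IKE reply gets out only because *every* packet without an SA goes out in plaintext, so a failed or delayed negotiation silently downgrades application traffic to the clear, whereas "require" would have dropped it. On KAME-derived stacks the ISAKMP exemption can also be stated explicitly in the SPD with a `-P out none` entry for UDP port 500 in setkey(8); whether the affected release honours that is not something the report tests.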