Date: Tue, 13 Jan 2004 11:11:04 -0800 (PST)
From: Dierk Sacher <usenet@blaxxtarz.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/61323: KAME IPSEC broken, IKE not excluded from policy, crashes
Message-ID: <200401131911.i0DJB4hL066312@www.freebsd.org>
Resent-Message-ID: <200401131920.i0DJK9ce012878@freefall.freebsd.org>
>Number:         61323
>Category:       kern
>Synopsis:       KAME IPSEC broken, IKE not excluded from policy, crashes
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 13 11:20:08 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Dierk Sacher
>Release:        5.2-RELEASE
>Organization:
DSITC
>Environment:
FreeBSD luxxor 5.2-RELEASE FreeBSD 5.2-RELEASE #1: Tue Jan 13 14:43:58 CET 2004 root@luxxor:/usr/obj/usr/src/sys/LUXXOR i386
>Description:
IPSEC not working with automatic keying. No ISAKMP packet happens to leave the machine after the SPD is set up. After a while the machine goes down with a panic or just hangs.

Problem is exactly as already described by
http://lists.freebsd.org/pipermail/freebsd-current/2003-December/016939.html
>How-To-Repeat:
a) build kernel with

    options IPSEC
    options IPSEC_ESP

b) set up racoon for automatic key exchange

c) set up a policy like (esp tunnel)

    spdadd 192.168.1.1/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.254/require;
    spdadd 0.0.0.0/0 192.168.1.1/0 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.254/require;

Now, ping the gateway or some other machine. Watch tcpdump output at the gateway: no isakmp traffic at all from the broken 5.2-RELEASE box. After a while, you may even experience a panic or it just hangs. Maybe you will have to call setkey -D -F for the crash to happen.
>Fix:
No known fix, but the isakmp traffic should not have been blocked. A none policy for udp/500 does not work around the bug; it just crashes too.
>Release-Note:
>Audit-Trail:
>Unformatted:
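The report's core point is that a catch-all `require` policy also covers the IKE negotiation itself (UDP port 500), so the key exchange ends up depending on the SA it is meant to create. The following is an added example, not part of the PR or of the KAME/FreeBSD code: a small parser for `spdadd` statements in setkey syntax plus a check that tells you whether outbound ISAKMP from the host to the gateway would hit a `require` policy without a more specific `none` exemption. The two policy lines are taken from the report; the udp/500 `none` lines are constructed here to show what the exemption the submitter mentions looks like (the submitter reports that on 5.2-RELEASE it did not help). The check is a simplification: it treats any matching `none` entry as exempting the traffic and does not model the kernel's SPD ordering.

```python
"""Does a KAME/setkey SPD also catch IKE (ISAKMP, udp/500)?

Added example (not from the PR): parse `spdadd` lines and report which
policies apply to a given packet, then flag the IKE-caught-by-policy case.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Endpoint forms setkey accepts: "addr", "addr/prefix", "addr[port]", "addr/prefix[port]".
_ENDPOINT = re.compile(r"^(?P<addr>[0-9.]+)(?:/(?P<plen>\d+))?(?:\[(?P<port>\d+|any)\])?$")


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    sport: Optional[int]      # None means any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    upper: str                # "any", "udp", "tcp", ... as written in the statement
    direction: str            # "in" or "out"
    action: str               # "ipsec", "none" or "discard"
    rule: str                 # e.g. "esp/tunnel/192.168.1.1-192.168.1.254/require"


def _endpoint(token: str):
    m = _ENDPOINT.match(token)
    if not m:
        raise ValueError(f"bad endpoint {token!r}")
    plen = m.group("plen")
    net = ipaddress.IPv4Network(f"{m.group('addr')}/{plen if plen is not None else 32}", strict=False)
    port = m.group("port")
    return net, (None if port in (None, "any") else int(port))


def parse_spd(text: str) -> List[Policy]:
    """Parse the spdadd statements of a setkey script ('#' comments and blanks skipped)."""
    joined = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    policies = []
    for stmt in joined.split(";"):
        tok = stmt.split()
        if not tok:
            continue
        # spdadd <src> <dst> <upperspec> -P <direction> <action> [<rule>...]
        if tok[0] != "spdadd" or len(tok) < 7 or tok[4] != "-P":
            raise ValueError(f"unsupported statement {stmt.strip()!r}")
        src, sport = _endpoint(tok[1])
        dst, dport = _endpoint(tok[2])
        policies.append(Policy(src, sport, dst, dport, tok[3], tok[5], tok[6], " ".join(tok[7:])))
    return policies


def matching(policies: List[Policy], src: str, sport: int, dst: str, dport: int,
             proto: str, direction: str) -> List[Policy]:
    """Return every policy whose selector covers the packet, in file order."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    hits = []
    for p in policies:
        if p.direction != direction or s not in p.src or d not in p.dst:
            continue
        if p.upper != "any" and p.upper != proto:
            continue
        if p.sport is not None and p.sport != sport:
            continue
        if p.dport is not None and p.dport != dport:
            continue
        hits.append(p)
    return hits


def ike_caught(policies: List[Policy], host: str, gateway: str) -> bool:
    """True when outbound ISAKMP (udp/500) from host to gateway hits a 'require'
    policy and no 'none' policy exempts it: IKE would then depend on the very SA
    it is supposed to negotiate. (Simplification: any matching 'none' counts.)"""
    hits = matching(policies, host, 500, gateway, 500, "udp", "out")
    exempt = any(p.action == "none" for p in hits)
    required = any(p.action == "ipsec" and p.rule.endswith("/require") for p in hits)
    return required and not exempt


# Policy text copied from the report.
REPORTED_SPD = """
spdadd 192.168.1.1/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.254/require;
spdadd 0.0.0.0/0 192.168.1.1/0 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.254/require;
"""

# Constructed: the udp/500 'none' exemption the report says was tried as a workaround.
IKE_EXEMPT_SPD = REPORTED_SPD + """
spdadd 192.168.1.1[500] 192.168.1.254[500] udp -P out none;
spdadd 192.168.1.254[500] 192.168.1.1[500] udp -P in none;
"""

if __name__ == "__main__":
    for name, text in (("reported", REPORTED_SPD), ("with udp/500 none", IKE_EXEMPT_SPD)):
        caught = ike_caught(parse_spd(text), "192.168.1.1", "192.168.1.254")
        print(f"{name}: IKE caught by require policy = {caught}")
```

Run against the report's two lines, the checker confirms that the outbound `0.0.0.0/0 any ... require` entry covers the ISAKMP exchange to 192.168.1.254; with the constructed `none` lines added it no longer does. On a working kernel racoon also bypasses policy on its own socket, so the checker is a review aid for hand-written SPDs, not a substitute for the kernel fix the PR asks for.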