Date:      Tue, 13 Jan 2004 11:11:04 -0800 (PST)
From:      Dierk Sacher <usenet@blaxxtarz.de>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:    kern/61323: KAME IPSEC broken, IKE not excluded from policy, crashes
Message-ID:  <200401131911.i0DJB4hL066312@www.freebsd.org>
Resent-Message-ID: <200401131920.i0DJK9ce012878@freefall.freebsd.org>


>Number:         61323
>Category:       kern
>Synopsis:       KAME IPSEC broken, IKE not excluded from policy, crashes
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 13 11:20:08 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Dierk Sacher
>Release:        5.2-RELEASE
>Organization:
DSITC
>Environment:
FreeBSD luxxor 5.2-RELEASE FreeBSD 5.2-RELEASE #1: Tue Jan 13 14:43:58 CET 2004 root@luxxor:/usr/obj/usr/src/sys/LUXXOR i386
>Description:
IPsec is not working with automatic keying. No ISAKMP packet leaves the machine after the SPD is set up. After a while the machine goes down with a panic or just hangs.

Problem is exactly as already described by
http://lists.freebsd.org/pipermail/freebsd-current/2003-December/016939.html

>How-To-Repeat:
a) build a kernel with
  options IPSEC
  options IPSEC_ESP

b) set up racoon for automatic key exchange
c) set up a policy like this (ESP tunnel mode):
  spdadd 192.168.1.1/32 0.0.0.0/0 any -P out ipsec
    esp/tunnel/192.168.1.1-192.168.1.254/require;
  # inbound entry: prefix corrected from /0 to /32 (192.168.1.1/0 matches every
  # address) and the outer endpoints written gateway-first, as setkey(8) expects for -P in
  spdadd 0.0.0.0/0 192.168.1.1/32 any -P in ipsec
    esp/tunnel/192.168.1.254-192.168.1.1/require;

Now ping the gateway or some other machine. Watch the tcpdump output at the gateway: no ISAKMP traffic at all from the broken 5.2-RELEASE box.

After a while you may even experience a panic, or it just hangs. You may have to run setkey -D -F for the crash to happen.




>Fix:
No known fix, but the ISAKMP traffic should not have been blocked.
A 'none' policy for udp/500 does not work around the bug; it just crashes too.
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200401131911.i0DJB4hL066312>
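As an added example (not code from the PR, from FreeBSD or from KAME/racoon), the following Python script parses spdadd statements in setkey(8) syntax and runs the checks a reviewer would apply to a policy like the one in the report before loading it with setkey -f: a /0 prefix on a host address (192.168.1.1/0, as posted, matches every address), tunnel endpoints that do not fit the policy direction (for -P in the gateway must be the outer source), an out entry with no mirrored in entry, and whether an explicit 'none' policy for udp/500 is present. The addresses 192.168.1.1 and 192.168.1.254 come from the report; the sample policy text is constructed around it, and the function names, finding codes and the assumption that the SPD is matched first-entry-first are mine. The submitter reports that on 5.2-RELEASE the udp/500 bypass did not avoid the crash; the script only reports whether such a bypass exists.

```python
"""Sanity checks for a KAME/setkey SPD before loading it with setkey -f.
Added example, not code from the PR or from FreeBSD/KAME: it parses spdadd
statements as setkey(8) writes them and flags the mistakes a reviewer would
look for in the reported policy (see the comments in check_spd)."""
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# src_range/dst_range as setkey(8) writes them: address[/prefixlen][[port]]
RANGE_RE = re.compile(r"^([^\[\]/]+)(?:/(\d+))?(?:\[(\d+)\])?$")
IKE_PORT = 500
Finding = Tuple[Optional[int], str, str]   # (entry number or None, code, message)

# one protocol/mode/src-dst/level clause; src/dst are the outer tunnel endpoints (None in transport mode)
Request = namedtuple("Request", "proto mode src dst level")
# src/dst are (address, network, port-or-None) triples; policy is discard | none | ipsec
SpdEntry = namedtuple("SpdEntry", "src dst upper direction policy requests")


def parse_range(tok: str) -> tuple:
    m = RANGE_RE.match(tok)
    if not m:
        raise ValueError(f"unparseable address range: {tok!r}")
    host, plen, port = m.groups()
    addr = ipaddress.ip_address(host)
    bits = addr.max_prefixlen if plen is None else int(plen)
    net = ipaddress.ip_network(f"{host}/{bits}", strict=False)   # a host with /0 becomes 0.0.0.0/0
    return addr, net, (int(port) if port is not None else None)


def parse_spd(text: str) -> List[SpdEntry]:
    """Return the spdadd entries of a setkey script; other statements are skipped."""
    entries = []
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in stripped.split(";"):
        toks = stmt.split()
        if not toks or toks[0] != "spdadd":
            continue                  # spdflush, flush, add, ... carry no policy
        if len(toks) < 7 or toks[4] != "-P" or toks[5] not in ("in", "out"):
            raise ValueError(f"malformed spdadd: {' '.join(toks)}")
        requests = []
        if toks[6] == "ipsec":
            for rtok in toks[7:]:
                proto, mode, endpoints, level = rtok.split("/")
                src, dst = endpoints.split("-") if endpoints else (None, None)
                requests.append(Request(proto, mode, src, dst, level))
        entries.append(SpdEntry(parse_range(toks[1]), parse_range(toks[2]),
                                toks[3], toks[5], toks[6], requests))
    return entries


def check_spd(entries: List[SpdEntry], local_ip: str) -> List[Finding]:
    """Report likely mistakes; local_ip is the address the policy is installed on."""
    local = ipaddress.ip_address(local_ip)
    out: List[Finding] = []
    for n, e in enumerate(entries, 1):
        for side, (addr, net, _) in (("src", e.src), ("dst", e.dst)):
            # 192.168.1.1/0 is legal but matches every address: a host address
            # written with /0 is almost certainly a typo for /32 (or /128)
            if net.prefixlen == 0 and int(addr) != 0:
                out.append((n, "zero-prefix",
                            f"{side} {addr}/0 matches everything; /{addr.max_prefixlen} intended?"))
        for r in e.requests:
            if r.mode != "tunnel":
                continue
            # outer header: -P out leaves local->gateway, -P in arrives gateway->local
            mine, role = (r.src, "source") if e.direction == "out" else (r.dst, "destination")
            if mine is None or ipaddress.ip_address(mine) != local:
                out.append((n, "tunnel-endpoint",
                            f"-P {e.direction} tunnel {r.src}-{r.dst}: {role} endpoint should be {local}"))
        if e.direction == "out":
            # the inbound twin of an out entry swaps src and dst (network and port alike)
            twin = any(x.direction == "in" and x.upper == e.upper
                       and x.src[1:] == e.dst[1:] and x.dst[1:] == e.src[1:] for x in entries)
            if not twin:
                out.append((n, "no-mirror", "no -P in entry mirrors this -P out entry"))
    for direction in ("out", "in"):
        # without an explicit bypass, IKE depends on the kernel keeping it out of the policy
        bypass = any(e.direction == direction and e.policy == "none" and e.upper == "udp"
                     and IKE_PORT in (e.src[2], e.dst[2]) for e in entries)
        if not bypass:
            out.append((None, "no-ike-bypass", f"no 'none' policy for udp/{IKE_PORT} -P {direction}"))
    return out


# Constructed sample: the policy as posted in the report, preceded by an explicit
# IKE bypass (listed first, assuming first-match SPD lookup; check your kernel).
SAMPLE_SPD = """
spdadd 192.168.1.1/32[500] 0.0.0.0/0[500] udp -P out none;
spdadd 0.0.0.0/0[500] 192.168.1.1/32[500] udp -P in none;
spdadd 192.168.1.1/32 0.0.0.0/0 any -P out ipsec
    esp/tunnel/192.168.1.1-192.168.1.254/require;
spdadd 0.0.0.0/0 192.168.1.1/0 any -P in ipsec
    esp/tunnel/192.168.1.1-192.168.1.254/require;
"""
```

Running check_spd(parse_spd(SAMPLE_SPD), "192.168.1.1") reports three findings on the posted policy: the out entry has no mirrored in entry, the in entry's 192.168.1.1/0 matches everything, and its tunnel endpoints are the wrong way round for -P in. Correcting the prefix to /32 and writing the inbound tunnel as 192.168.1.254-192.168.1.1 leaves the script with nothing to report; whether racoon then actually emits ISAKMP packets on 5.2-RELEASE is the kernel bug the report is about, which no policy check can catch.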