From owner-freebsd-bugs@FreeBSD.ORG Tue Jan 13 11:20:20 2004
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4E60816A4CE for ; Tue, 13 Jan 2004 11:20:20 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C59F43D66 for ; Tue, 13 Jan 2004 11:20:09 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) i0DJK9FR012879 for ; Tue, 13 Jan 2004 11:20:09 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i0DJK9ce012878; Tue, 13 Jan 2004 11:20:09 -0800 (PST) (envelope-from gnats)
Resent-Date: Tue, 13 Jan 2004 11:20:09 -0800 (PST)
Resent-Message-Id: <200401131920.i0DJK9ce012878@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Dierk Sacher
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F055F16A4CE for ; Tue, 13 Jan 2004 11:11:24 -0800 (PST)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B72443D69 for ; Tue, 13 Jan 2004 11:11:04 -0800 (PST) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.12.10/8.12.10) with ESMTP id i0DJB4dL066313 for ; Tue, 13 Jan 2004 11:11:04 -0800 (PST) (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.12.10/8.12.10/Submit) id i0DJB4hL066312; Tue, 13 Jan 2004 11:11:04 -0800 (PST) (envelope-from nobody)
Message-Id: <200401131911.i0DJB4hL066312@www.freebsd.org>
Date: Tue, 13 Jan 2004 11:11:04 -0800 (PST)
From: Dierk Sacher
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.0
Subject: kern/61323: KAME IPSEC broken, IKE not excluded from policy, crashes
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Tue, 13 Jan 2004 19:20:20 -0000

>Number:         61323
>Category:       kern
>Synopsis:       KAME IPSEC broken, IKE not excluded from policy, crashes
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 13 11:20:08 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Dierk Sacher
>Release:        5.2-RELEASE
>Organization:
DSITC
>Environment:
FreeBSD luxxor 5.2-RELEASE FreeBSD 5.2-RELEASE #1: Tue Jan 13 14:43:58 CET 2004 root@luxxor:/usr/obj/usr/src/sys/LUXXOR i386
>Description:
IPSEC not working with automatic keying. No ISAKMP packet happens to leave the machine after the SPD is set up. After a while the machine goes down with a panic or just hangs.

The problem is exactly as already described by
http://lists.freebsd.org/pipermail/freebsd-current/2003-December/016939.html
>How-To-Repeat:
a) build a kernel with

	options IPSEC
	options IPSEC_ESP

b) set up racoon for automatic key exchange

c) set up a policy like (ESP tunnel):

	spdadd 192.168.1.1/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.254/require;
	spdadd 0.0.0.0/0 192.168.1.1/0 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.254/require;

Now ping the gateway or some other machine. Watch the tcpdump output at the gateway: no ISAKMP traffic at all from the broken 5.2-RELEASE box. After a while you may even experience a panic, or it just hangs. Maybe you will have to call setkey -D -F for the crash to happen.
>Fix:
No known fix, but the ISAKMP traffic should not have been blocked. A "none" policy for udp/500 does not work around the bug; it just crashes too.
>Release-Note:
>Audit-Trail:
>Unformatted:
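Editor's note, added to this report and not part of the submitter's text: the policy in the How-To-Repeat section sends every outbound packet from 192.168.1.1 through the "require" tunnel, including racoon's own IKE datagrams (UDP port 500), so the kernel demands an SA for the very traffic that is supposed to negotiate that SA. The usual KAME setkey(8) configuration therefore pairs the tunnel policy with explicit "none" entries that exclude IKE between the two peers, as in the example below. It reuses the report's addresses (192.168.1.1 as the local host, 192.168.1.254 as the gateway) and assumes IKE on UDP/500 on both sides; the /32 on the inbound entry is this example's choice, not a correction of the report. The submitter states that on 5.2-RELEASE a "none" policy for udp/500 still crashed the box, so this shows the intended policy shape, not a confirmed workaround for kern/61323.

```conf
# Added example (not from the bug report): KAME SPD with IKE excluded.
# Assumed topology: local host 192.168.1.1, IPsec gateway 192.168.1.254.
# Load with:  setkey -f /etc/ipsec.conf   (after "setkey -F -P" to clear old policies)

# 1. Bypass entries for IKE itself: ISAKMP between the two peers must travel
#    in the clear, or no SA can ever be negotiated.  The address[port] form
#    restricts the entry to UDP/500 in each direction.
spdadd 192.168.1.1[500]   192.168.1.254[500] udp -P out none;
spdadd 192.168.1.254[500] 192.168.1.1[500]   udp -P in  none;

# 2. The tunnel policy from the report: everything else to/from this host
#    must be ESP-tunnelled via the gateway, and unprotected traffic that
#    matches is dropped ("require").
spdadd 192.168.1.1/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.254/require;
spdadd 0.0.0.0/0 192.168.1.1/32 any -P in  ipsec esp/tunnel/192.168.1.1-192.168.1.254/require;
```

After loading, `setkey -DP` should list both the "none" entries and the "require" entries; `tcpdump -ni <if> udp port 500` on the gateway is the same check the report uses, and with the bypass in place ISAKMP packets from 192.168.1.1 are expected to appear there as soon as the first matching packet triggers an SADB_ACQUIRE to racoon.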