Date:      Tue, 4 Apr 2017 09:24:19 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Mike Tancsa <mike@sentex.net>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, svn-src-stable-11@freebsd.org
Subject:   Re: svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
Message-ID:  <cdff758c-e7d7-d22d-512e-2137ba70e78a@yandex.ru>
In-Reply-To: <7738349f-e89a-d37d-e36f-0a5e18dc4249@sentex.net>
References:  <201703182204.v2IM4Kfj060263@repo.freebsd.org> <7738349f-e89a-d37d-e36f-0a5e18dc4249@sentex.net>

On 04.04.2017 00:39, Mike Tancsa wrote:
> Hi,
> 	I ran into a strange problem when migrating a box that makes use of tcp
> md5 signatures. Having these two policies that have IPs which happen to
> be 128 octets apart get rejected

It seems you have encrypted your config, because I don't see an IP with 128
octets :)

One question: did this even work before?
You have many SAs with the same destination address; it seems to me
that this should not work with the old IPsec code, because it looks up
SAs using only the destination address. So, if you do not have the same
password for each SA, it should not work.

Can you try the attached patch?

-- 
WBR, Andrey V. Elsukov

Attachment: key.diff

Index: sys/netipsec/key.c
===================================================================
--- sys/netipsec/key.c	(revision 316434)
+++ sys/netipsec/key.c	(working copy)
@@ -863,7 +863,8 @@ key_allocsa_tcpmd5(struct secasindex *saidx)
 		    kdebug_secash(sah, "  "));
 		if (sah->saidx.proto !=3D IPPROTO_TCP)
 			continue;
-		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
+		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
+		    !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
 			break;
 	}
 	if (sah !=3D NULL) {
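Review bot: the added source-address comparison changes which SAH this loop returns for existing setups: an SAH toward the same destination but recorded with a different source no longer matches, whereas the removed `-` line matched it on destination alone, so the commit message should state that TCP-MD5 SAs are now selected per (src, dst) pair rather than per destination, and anyone who installed such SAs with a source that does not match the real peer will have to fix their setkey(8) entries. The final `0` passed to key_sockaddrcmp() keeps ports out of both comparisons, which is consistent with the existing line.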
@@ -4962,7 +4963,8 @@ key_getsav_tcpmd5(struct secasindex *saidx, uint32
 	LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
 		if (sah->saidx.proto !=3D IPPROTO_TCP)
 			continue;
-		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
+		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
+		    !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
 			break;
 	}
 	if (sah !=3D NULL) {
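Review bot: this is the same two-address predicate as in key_allocsa_tcpmd5() above, written out a second time; a small static helper taking both secasindex pointers would keep the two lookups from diverging the next time one of them is touched. Also worth confirming that SAHADDRHASH_HASH(saidx) on the LIST_FOREACH line buckets on the same address fields the new comparison checks: if the hash covers only the destination, every SAH for that destination lands in this bucket and the src test is what disambiguates them; if it already covers src and dst, the src check is what makes a bucket collision harmless.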

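The shadowing Andrey describes (the old code finding an SA by destination only, so a second SA toward the same destination is either refused or verified with the first peer's key) as an added model, not FreeBSD's key.c and not code from anyone in this thread. Structure names, the two peer addresses 128 apart, the local address, the keys, and the EEXIST-style rejection in sa_add() are all constructed; only the dst-only versus (src, dst) comparison mirrors the change in the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the TCP-MD5 SA lookup discussed in the thread.
 * Not FreeBSD code: names, layout and sample data are simplified.
 * An SA is identified by an IPv4 (src, dst) pair and carries a key.
 */
struct sa {
	uint32_t    src;
	uint32_t    dst;
	const char *key;	/* shared secret for this peer (constructed) */
};

#define MAX_SA 8
struct sadb {
	struct sa entries[MAX_SA];
	size_t    n;
};

/* Same convention as key_sockaddrcmp(): 0 means the addresses are equal. */
static int
addrcmp(uint32_t a, uint32_t b)
{
	return (a != b);
}

/* Build an IPv4 address in host byte order from dotted-quad components. */
static uint32_t
ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
	return (((uint32_t)a << 24) | (b << 16) | (c << 8) | d);
}

/*
 * Pre-patch behaviour: only the destination is compared, so the first SA
 * toward a destination shadows every later one toward it.
 */
static const struct sa *
lookup_dst_only(const struct sadb *db, uint32_t src, uint32_t dst)
{
	(void)src;
	for (size_t i = 0; i < db->n; i++)
		if (!addrcmp(db->entries[i].dst, dst))
			return (&db->entries[i]);
	return (NULL);
}

/* Patched behaviour: both source and destination must match. */
static const struct sa *
lookup_src_dst(const struct sadb *db, uint32_t src, uint32_t dst)
{
	for (size_t i = 0; i < db->n; i++)
		if (!addrcmp(db->entries[i].dst, dst) &&
		    !addrcmp(db->entries[i].src, src))
			return (&db->entries[i]);
	return (NULL);
}

typedef const struct sa *(*lookup_fn)(const struct sadb *, uint32_t, uint32_t);

/*
 * Install an SA. As with adding to the kernel SADB, the add is refused
 * when the lookup rule already finds a matching entry (think EEXIST).
 * Returns 0 on success, -1 when rejected or the table is full.
 */
static int
sa_add(struct sadb *db, lookup_fn lookup, uint32_t src, uint32_t dst,
    const char *key)
{
	if (db->n >= MAX_SA || lookup(db, src, dst) != NULL)
		return (-1);
	db->entries[db->n].src = src;
	db->entries[db->n].dst = dst;
	db->entries[db->n].key = key;
	db->n++;
	return (0);
}

static struct sadb model_db;	/* constructed SADB used by the helpers below */

/*
 * Reproduce the reported setup: two peers whose addresses are 128 apart,
 * both signing traffic toward the same local address, each with its own
 * key. Returns how many of the two SAs the lookup rule let us install.
 */
static int
install_two_peers(lookup_fn lookup)
{
	uint32_t local = ip4(192, 0, 2, 10);
	int ok = 0;

	model_db.n = 0;
	ok += (sa_add(&model_db, lookup, ip4(198, 51, 100, 1), local,
	    "peer1-secret") == 0);
	ok += (sa_add(&model_db, lookup, ip4(198, 51, 100, 129), local,
	    "peer2-secret") == 0);
	return (ok);
}

/* Key the stack would pick to verify a segment arriving from peer 2. */
static const char *
key_for_peer2(lookup_fn lookup)
{
	const struct sa *sa;

	(void)install_two_peers(lookup);
	sa = lookup(&model_db, ip4(198, 51, 100, 129), ip4(192, 0, 2, 10));
	return (sa != NULL ? sa->key : NULL);
}

int
main(void)
{
	printf("dst-only: %d SAs installed, peer2 verified with %s\n",
	    install_two_peers(lookup_dst_only), key_for_peer2(lookup_dst_only));
	printf("src+dst:  %d SAs installed, peer2 verified with %s\n",
	    install_two_peers(lookup_src_dst), key_for_peer2(lookup_src_dst));
	return (0);
}
```

Under the destination-only rule the second peer's SA is refused at install time (the "get rejected" symptom in the report), and a segment from that peer would be checked against the first peer's key and fail its MD5 option; with the (src, dst) rule both SAs coexist and each peer is verified with its own key. Real configurations that relied on one destination-keyed SA serving several peers with a shared secret keep working under the patched rule only if each peer gets its own SA entry.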