IPSEC broken (FAST_IPSEC works)?
Alexander Leidinger
Alexander at Leidinger.net
Thu Aug 5 13:29:58 PDT 2004
Hi,
I've replaced a 4.10 server with a 5-current (Jul 18, without
PREEMPTION, with MSIZE=512) one. Both have the same IPSEC config
(kernel, setkey, racoon, gif). But the 5-current one isn't able to
transfer data over the VPN (no ping, no telnet to a port on a host on
the other side of the tunnel).
Racoon is able to negotiate a connection:
---snip---
# setkey -D
No SAD entries.
# ping host_behind_b:
[waiting long enough, but no output]
[ctrl-c]
# setkey -D
a b
esp mode=tunnel spi=3635833369(0xd8b66a19) reqid=0(0x00000000)
E: 3des-cbc 11d159c7 53846874 895eacfd 66074dc4 36350ac2 f09fe17a
A: hmac-md5 bf041de9 225ebf60 dac19d00 23653b39
seq=0x00000002 replay=4 flags=0x00000000 state=mature
created: Aug 5 22:10:27 2004 current: Aug 5 22:10:30 2004
diff: 3(s) hard: 300(s) soft: 240(s)
last: Aug 5 22:10:28 2004 hard: 0(s) soft: 0(s)
current: 272(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 2 hard: 0 soft: 0
sadb_seq=1 pid=561 refcnt=2
b a
esp mode=tunnel spi=116056914(0x06eae352) reqid=0(0x00000000)
E: 3des-cbc 053d94f1 edef8617 69d25dca e69ec7db ad3c9a1a 0838a24c
A: hmac-md5 04d024d9 96b2c61e 6ecc79e4 f2393bc4
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Aug 5 22:10:27 2004 current: Aug 5 22:10:30 2004
diff: 3(s) hard: 300(s) soft: 240(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=561 refcnt=1
---snip---
tcpdump while doing a "ping host_behind_b":
---snip---
21:43:53.966704 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:43:55.112454 IP b.500 > a.500: isakmp: phase 2/others ? oakley-quick[E]
21:43:55.120021 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:44:55.331956 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
21:47:14.475946 IP a > b: ESP(spi=0x754e1e4d,seq=0x1)
21:47:14.484644 IP b > a: ESP(spi=0x03a777cb,seq=0x1)
21:47:15.483319 IP a > b: ESP(spi=0x754e1e4d,seq=0x2)
21:47:15.489887 IP b > a: ESP(spi=0x03a777cb,seq=0x2)
21:47:16.493331 IP a > b: ESP(spi=0x754e1e4d,seq=0x3)
21:47:16.499916 IP b > a: ESP(spi=0x03a777cb,seq=0x3)
21:47:17.503348 IP a > b: ESP(spi=0x754e1e4d,seq=0x4)
21:47:17.514614 IP b > a: ESP(spi=0x03a777cb,seq=0x4)
21:47:18.513362 IP a > b: ESP(spi=0x754e1e4d,seq=0x5)
21:47:18.520057 IP b > a: ESP(spi=0x03a777cb,seq=0x5)
21:47:56.970054 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:47:58.115081 IP b.500 > a.500: isakmp: phase 2/others ? oakley-quick[E]
21:47:58.122636 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:49:00.330423 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
21:53:00.318424 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
---snip---
tcpdump on the gif interface shows nothing.
"netstat -s -p ipsec" reports:
---snip---
ipsec:
106 inbound packets processed successfully
0 inbound packets violated process security policy
0 inbound packets with no SA available
0 invalid inbound packets
0 inbound packets failed due to insufficient memory
0 inbound packets failed getting SPI
0 inbound packets failed on AH replay check
0 inbound packets failed on ESP replay check
0 inbound packets considered authentic
0 inbound packets failed on authentication
ESP input histogram:
3des-cbc: 106
102 outbound packets processed successfully
0 outbound packets violated process security policy
5 outbound packets with no SA available
0 invalid outbound packets
0 outbound packets failed due to insufficient memory
0 outbound packets with no route
ESP output histogram:
3des-cbc: 102
7526 SPD cache lookups
3235 SPD cache misses
---snip---
A kernel with FAST_IPSEC instead of IPSEC works as expected (ping
reports the round trip time, tcpdump shows traffic on the gif interface
and a quick test with telnet to a port on host_behind_b shows the
expected output).
The system is supposed to go into production soon, so I can't guarantee
I can do "expensive" tests if someone comes up with a patch or needs
some data which is only available if IPSEC instead of FAST_IPSEC is
used.
Bye,
Alexander.
--
I'm available to get hired (preferred in .lu).
http://www.Leidinger.net Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
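As an added example (not part of Alexander's post or of FreeBSD): a small Python triage script that parses the two report formats quoted above, `setkey -D` and `netstat -s -p ipsec`, and flags what a defender checks first when a tunnel negotiates but carries no traffic: SAs that are not `mature`, a direction with no reverse SA, a direction that has carried bytes while the reverse SA stays at zero, and non-zero error counters such as "outbound packets with no SA available". The sample inputs are constructed from the values in the post (field layout as `setkey` prints it); the `SecurityAssociation` fields and the list of error words are my own naming, not anything from the FreeBSD tools.

```python
"""Triage helper for an IPsec tunnel from `setkey -D` and `netstat -s -p ipsec`
output.  Added example; sample text below is constructed from the post."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of `setkey -D` (values from the post; real
# output indents the detail lines with a tab, spaces are parsed the same way).
SETKEY_OUTPUT = """\
a b
    esp mode=tunnel spi=3635833369(0xd8b66a19) reqid=0(0x00000000)
    E: 3des-cbc 11d159c7 53846874 895eacfd 66074dc4 36350ac2 f09fe17a
    A: hmac-md5 bf041de9 225ebf60 dac19d00 23653b39
    seq=0x00000002 replay=4 flags=0x00000000 state=mature
    created: Aug  5 22:10:27 2004   current: Aug  5 22:10:30 2004
    diff: 3(s)  hard: 300(s)    soft: 240(s)
    last: Aug  5 22:10:28 2004  hard: 0(s)  soft: 0(s)
    current: 272(bytes) hard: 0(bytes)  soft: 0(bytes)
    allocated: 2    hard: 0 soft: 0
    sadb_seq=1 pid=561 refcnt=2
b a
    esp mode=tunnel spi=116056914(0x06eae352) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Aug  5 22:10:27 2004   current: Aug  5 22:10:30 2004
    last:   hard: 0(s)  soft: 0(s)
    current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
    sadb_seq=0 pid=561 refcnt=1
"""

# Constructed sample in the shape of `netstat -s -p ipsec` (counts from the post).
NETSTAT_OUTPUT = """\
ipsec:
    106 inbound packets processed successfully
    0 inbound packets violated process security policy
    0 inbound packets with no SA available
    0 inbound packets failed on authentication
    ESP input histogram:
        3des-cbc: 106
    102 outbound packets processed successfully
    5 outbound packets with no SA available
    0 outbound packets with no route
    7526 SPD cache lookups
    3235 SPD cache misses
"""

@dataclass
class SecurityAssociation:  # field names are this example's own
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    state: str = ""
    seq: int = 0
    nbytes: int = 0     # "current: N(bytes)": payload carried on this SA so far
    allocated: int = 0  # "allocated: N": packets that have used this SA

def parse_setkey(text: str) -> List[SecurityAssociation]:
    """Split `setkey -D` output into SA records; a header line is unindented."""
    sas: List[SecurityAssociation] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # "src dst" header starts a new SA
            src, dst = line.split()
            sas.append(SecurityAssociation(src, dst))
            continue
        sa = sas[-1]
        if m := re.match(r"\s*(\w+) mode=(\w+) spi=\d+\((0x[0-9a-f]+)\)", line):
            sa.proto, sa.mode, sa.spi = m[1], m[2], int(m[3], 16)
        elif m := re.match(r"\s*seq=(0x[0-9a-f]+) .*state=(\w+)", line):
            sa.seq, sa.state = int(m[1], 16), m[2]
        elif m := re.match(r"\s*current: (\d+)\(bytes\)", line):
            sa.nbytes = int(m[1])          # the timestamp "current:" line never matches
        elif m := re.match(r"\s*allocated: (\d+)", line):
            sa.allocated = int(m[1])
    return sas

def parse_netstat(text: str) -> Dict[str, int]:
    """Map each `netstat -s -p ipsec` counter description to its value."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        if m := re.match(r"\s*(\d+) (.+)$", line):   # histogram lines do not match
            counters[m[2].strip()] = int(m[1])
    return counters

ERROR_WORDS = ("violated", "no SA available", "invalid", "failed", "no route")

def diagnose(sas: List[SecurityAssociation], counters: Dict[str, int]) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    by_dir = {(sa.src, sa.dst): sa for sa in sas}
    for (src, dst), sa in by_dir.items():
        if sa.state != "mature":
            findings.append(f"SA {src}->{dst} spi={sa.spi:#x} is {sa.state}, not mature")
        back = by_dir.get((dst, src))
        if back is None:
            findings.append(f"SA {src}->{dst} has no SA for the reverse direction")
        elif sa.nbytes > 0 and back.nbytes == 0:
            findings.append(f"asymmetric traffic: {sa.nbytes} bytes sent on {src}->{dst}, "
                            f"nothing counted on {dst}->{src} spi={back.spi:#x}")
    for name, value in counters.items():
        if value and any(word in name for word in ERROR_WORDS):
            findings.append(f"netstat: {value} {name}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_setkey(SETKEY_OUTPUT), parse_netstat(NETSTAT_OUTPUT)):
        print(finding)
```

Run against the post's numbers it reports two findings: the a->b SA has carried 272 bytes while b->a has counted none, and five outbound packets found no SA. Neither finding names a cause; both narrow where to look next (inbound processing versus policy lookup) before swapping kernels.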
More information about the freebsd-current mailing list