IPsec crash, patch for review
vanhu at FreeBSD.org
Tue Jun 23 07:54:13 UTC 2009
On Sat, Jun 20, 2009 at 08:02:13PM -0400, Chris Buechler wrote:
> VANHULLEBUS Yvan wrote:
> We tried this patch on 7.2 (with patch-natt-7.2-2009-05-12.diff from
> your ~) due to a seemingly similar problem, but IPsec stops working with
> the patch applied. Using test setup:
> Host A -- fwA -- fwB -- Host B
> where fwA has the patch and fwB is the same 7.2 minus this patch, and
> there is an IPsec connection between fwA and fwB. It brings up the
> connection no problem, and if I leave a constant ping going, every time
> I restart racoon on fwA I get exactly one response through.
Bjoern reported to me that the actual patch will break things on IPv6
(another patch will be posted soon which should solve this problem),
are you in a full IPv4 world, or do you have some IPv6 + IPsec
> From tcpdump on enc0 on both ends and the actual NICs, I see that
> traffic from Host B to Host A gets all the way through the tunnel to
> Host A, it responds, the response is seen on fwA's LAN port, but it
> doesn't hit enc0. Traffic from Host A to Host B is seen on the LAN port
> of fwA, but not on enc0 and not on enc0 of the remote side.
> Replace the kernel on fwA with one minus the patch and it works fine
> (except it will spontaneously reboot under high load).
> That's with patch-xform_freespfix-3. Should that work with 7.2 in
> combination with the NAT-T patch? It applies cleanly.
Patch has been done against TRUNK, but it is probably exactly the same
for 7.2. And yes, we're using it in combination with the NAT-T patch.
Can you test again with an INVARIANT kernel, which (I hope) will raise
any locking issue?
Thanks for the report,