ipsec kernel panic

VANHULLEBUS Yvan vanhu at FreeBSD.org
Mon Jun 25 09:34:22 UTC 2012


User-Agent: All mail clients suck. This one just sucks less.

On Mon, Jun 25, 2012 at 07:34:25AM +0300, mbsd wrote:
> Hi stable users.

Hi.


> Like this good guy:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=159629&cat=
> I'm a bad guy and also have a kernel panic.
> Maybe it doesn't matter whether you are a good or bad guy.
> 
> It happened first time around Freebsd 9 ~ beta 2 or three. I don't
> remember exactly.
> 
> All what I have is
> 
> ?? ~ ??? cat /etc/ipsec.conf
> add 192.168.0.2 192.168.0.1 esp 10022 -E blowfish-cbc "dododo";
> add 192.168.0.1 192.168.0.2 esp 10020 -E blowfish-cbc dododo;
> 
> add 192.168.0.2 192.168.0.1 ah 10007 -A hmac-md5 "dododo";
> add 192.168.0.1 192.168.0.2 ah 10006 -A hmac-md5 "dododo";
> 
> # for internet
> spdadd 0.0.0.0/0 192.168.0.2 any -P in ipsec
> esp/tunnel/192.168.0.1-192.168.0.2/require ah/transport//require;
> spdadd 192.168.0.2 0.0.0.0/0 any -P out ipsec
> esp/tunnel/192.168.0.2-192.168.0.1/require ah/transport//require;
> 
> After service ipsec start I always have kernel panic on stable.

This will *not* solve the crash, but do you really need such an IPsec
configuration with both ESP/tunnel and AH/transport?

Most people who use such a configuration in fact just want ESP/tunnel
with payload authentication, which is done by this:


add 192.168.0.2 192.168.0.1 esp 10022 -E blowfish-cbc "dododo" -A hmac-md5 "dododo";
add 192.168.0.1 192.168.0.2 esp 10020 -E blowfish-cbc dododo -A hmac-md5 "dododo";
(if you really do use static SAs, please also consider moving to an
IKE daemon...)


spdadd 0.0.0.0/0 192.168.0.2 any -P in ipsec
 esp/tunnel/192.168.0.1-192.168.0.2/require;
spdadd 192.168.0.2 0.0.0.0/0 any -P out ipsec
 esp/tunnel/192.168.0.2-192.168.0.1/require;


If you do not really need AH, then you can move to this configuration
and confirm to us that you don't have the crash anymore.

Of course, as I already said, the issue will still be in the code....



Yvan.
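Added example, not from the thread or from FreeBSD's setkey: a small Python script that reads a setkey-style configuration like the one above, folds each AH transport SA into the ESP SA for the same src/dst as an `-A alg key` option, and drops `ah/transport//require` from the spdadd policies, producing the ESP-only layout suggested in the reply. The sample input is constructed to mirror the poster's configuration; it is not parsed by setkey itself.

```python
import re

# Constructed sample input (not the poster's file verbatim): the
# ESP/tunnel + AH/transport layout discussed in the thread.
SAMPLE = '''\
add 192.168.0.2 192.168.0.1 esp 10022 -E blowfish-cbc "dododo";
add 192.168.0.1 192.168.0.2 esp 10020 -E blowfish-cbc dododo;
add 192.168.0.2 192.168.0.1 ah 10007 -A hmac-md5 "dododo";
add 192.168.0.1 192.168.0.2 ah 10006 -A hmac-md5 "dododo";
# for internet
spdadd 0.0.0.0/0 192.168.0.2 any -P in ipsec
esp/tunnel/192.168.0.1-192.168.0.2/require ah/transport//require;
spdadd 192.168.0.2 0.0.0.0/0 any -P out ipsec
esp/tunnel/192.168.0.2-192.168.0.1/require ah/transport//require;
'''

SA_RE = re.compile(r'^add (\S+) (\S+) (esp|ah) (\d+)\s*(.*)$')
AUTH_RE = re.compile(r'-A \S+ (?:"[^"]*"|\S+)')  # '-A alg key', key may be quoted

def statements(text):
    """Split setkey input into ';'-terminated statements, dropping # comments."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return [" ".join(s.split()) for s in body.split(";") if s.strip()]

def merge_ah_into_esp(text):
    """Return (statements, warnings): each AH SA is folded into the ESP SA
    with the same src/dst, and ah/transport//require is removed from policies."""
    esp, ah, policies, warnings = {}, {}, [], []
    for stmt in statements(text):
        m = SA_RE.match(stmt)
        if m:
            src, dst, proto, spi, opts = m.groups()
            (esp if proto == "esp" else ah)[(src, dst)] = (spi, opts)
        elif stmt.startswith("spdadd"):
            policies.append(stmt)
        else:
            warnings.append("unhandled statement: " + stmt)
    out = []
    for key, (spi, opts) in esp.items():
        if key in ah:
            auth = AUTH_RE.search(ah.pop(key)[1])
            if auth and "-A" not in opts:      # keep an existing -A untouched
                opts = opts + " " + auth.group(0)
        out.append(f"add {key[0]} {key[1]} esp {spi} {opts};")
    for key, (spi, opts) in ah.items():       # AH SA with no ESP partner
        warnings.append(f"AH SA {key} has no ESP SA to merge into, kept as-is")
        out.append(f"add {key[0]} {key[1]} ah {spi} {opts};")
    for pol in policies:
        out.append(pol.replace(" ah/transport//require", "") + ";")
    return out, warnings

if __name__ == "__main__":
    stmts, warns = merge_ah_into_esp(SAMPLE)
    print("\n".join(stmts + warns))
```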

