[Bug 273533] need to sleep before using IPsec tunnel
Date: Sat, 02 Sep 2023 23:20:29 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273533

            Bug ID: 273533
           Summary: need to sleep before using IPsec tunnel
           Product: Base System
           Version: 13.2-STABLE
          Hardware: arm64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: andrew.cagney@gmail.com

Given a just established IPsec connection using Libreswan (mainline) with
FreeBSD as the negotiation initiator, I'm finding that an attempt to ping
the peer fails.  Here's an extract from a test:

west# ipsec add interop
002 "interop": added IKEv2 connection
west# ipsec up interop
1v2 "interop" #1: initiating IKEv2 connection
1v2 "interop" #1: sent IKE_SA_INIT request to 192.1.2.23:500
1v2 "interop" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "interop" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_FQDN '@east'
004 "interop" #2: initiator established Child SA using #1; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_128-NONE DPD=passive}
west# ../../guestbin/ipsec-kernel-policy.sh
192.0.2.0/24[any] 192.0.1.0/24[any] any
        in ipsec
        esp/tunnel/192.1.2.23-192.1.2.45/require
        spid=1 seq=1 pid=PID scope=global
        refcnt=1
192.0.1.0/24[any] 192.0.2.0/24[any] any
        out ipsec
        esp/tunnel/192.1.2.45-192.1.2.23/require
        spid=2 seq=0 pid=PID scope=global
        refcnt=1
west# ../../guestbin/ipsec-kernel-state.sh
192.1.2.45 192.1.2.23
        esp mode=any spi=SPISPI(0xSPISPI) reqid=16389(0x00004005)
        E: aes-gcm-16 XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        seq=0x00000000 replay=16 flags=0x00000000 state=mature
        created: TIMESTAMP  current: TIMESTAMP
        diff: N(s)  hard: 28800(s)  soft: 28800(s)
        last:  hard: 0(s)  soft: 0(s)
        current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 0  hard: 0  soft: 0
        sadb_seq=1 pid=PID refcnt=1
192.1.2.23 192.1.2.45
        esp mode=any spi=SPISPI(0xSPISPI) reqid=16389(0x00004005)
        E: aes-gcm-16 XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
        seq=0x00000000 replay=16 flags=0x00000000 state=mature
        created: TIMESTAMP  current: TIMESTAMP
        diff: N(s)  hard: 28800(s)  soft: 28800(s)
        last:  hard: 0(s)  soft: 0(s)
        current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 0  hard: 0  soft: 0
        sadb_seq=0 pid=PID refcnt=1
west# ../../guestbin/wait-for.sh --match interop -- ipsec trafficstatus
006 #2: "interop", type=ESP, add_time=1234567890, id='@east'
west# ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
unexpected status 4
fping -c 1 --timeout 5s --src 192.0.1.254 192.0.2.254
fping error: not enough sequence numbers available! (expire_timeout=10000000000, host_nr=0, ping_count=0, seqmap_next_id=0)

(I've no clue what fping is trying to tell me).

If a `sleep 5` is added before the `fping`, the puzzling behaviour goes away.

Here are some gory details of the libreswan-kernel interaction:

=> assign an inbound SPI (192.1.2.23 -> 192.1.2.45) to send to the peer:

| sending pfkeyv2_get_ipsec_spi:
|   sadb_msg @0x4fca65c9a10 version=2 type=1(SADB_GETSPI) errno=0 satype=3(SADB_SATYPE_ESP) len=12(96) reserved=0000 seq=4 pid=1124
|   sadb_x_sa2 @0x4fca65c9a20 len=2(16) exttype=19(SADB_X_EXT_SA2) mode=0(any!?!) reserved1=00 reserved2=0000 sequence=0 reqid=16389
|   sadb_address @0x4fca65c9a30 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
|     192.1.2.23:0
|   sadb_address @0x4fca65c9a48 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
|     192.1.2.45:0
|   sadb_spirange @0x4fca65c9a60 len=2(16) exttype=16(SADB_EXT_SPIRANGE) min=4096 max=4294967295 reserved=00000000
| read 80 bytes
| pfkeyv2_get_ipsec_spi:
|   sadb_msg @0x4fca65b9a08 version=2 type=1(SADB_GETSPI) errno=0 satype=3(SADB_SATYPE_ESP) len=10(80) reserved=0000 seq=4 pid=1124
|   sadb_sa @0x4fca65b9a18 len=2(16) exttype=1(SADB_EXT_SA) spi=2683487713(9ff2c5e1) replay=0 state=0(SADB_SASTATE_LARVAL) auth=0(SADB_AALG_NONE) encrypt=0 flags=0=none
|   sadb_address @0x4fca65b9a28 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
|     192.1.2.23:0
|   sadb_address @0x4fca65b9a40 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
|     192.1.2.45:0

=> install outbound SA (192.1.2.45 -> 192.1.2.23):

| sending pfkeyv2_add_sa:
|   sadb_msg @0x4fca65c8860 version=2 type=3(SADB_ADD) errno=0 satype=3(SADB_SATYPE_ESP) len=24(192) reserved=0000 seq=5 pid=1124
|   sadb_sa @0x4fca65c8870 len=2(16) exttype=1(SADB_EXT_SA) spi=3169888898(bcf0aa82) replay=16 state=1(SADB_SASTATE_MATURE) auth=0(SADB_AALG_NONE) encrypt=20(SADB_X_EALG_AESGCM16) flags=0=none
|   sadb_x_sa2 @0x4fca65c8880 len=2(16) exttype=19(SADB_X_EXT_SA2) mode=0(any!?!) reserved1=00 reserved2=0000 sequence=0 reqid=16389
|   sadb_address @0x4fca65c8890 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
|     192.1.2.45:0
|   sadb_address @0x4fca65c88a8 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
|     192.1.2.23:0
|   sadb_key @0x4fca65c88c0 len=4(32) exttype=9(SADB_EXT_KEY_ENCRYPT) bits=160 reserved=0000
|   sadb_lifetime @0x4fca65c88e0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=28800 usetime=0
|   sadb_lifetime @0x4fca65c8900 len=4(32) exttype=4(SADB_EXT_LIFETIME_SOFT) allocations=0 bytes=0 addtime=28800 usetime=0
| read 160 bytes
| pfkeyv2_add_sa:
|   sadb_msg @0x4fca65b8858 version=2 type=3(SADB_ADD) errno=0 satype=3(SADB_SATYPE_ESP) len=20(160) reserved=0000 seq=5 pid=1124
|   sadb_sa @0x4fca65b8868 len=2(16) exttype=1(SADB_EXT_SA) spi=3169888898(bcf0aa82) replay=16 state=1(SADB_SASTATE_MATURE) auth=0(SADB_AALG_NONE) encrypt=20(SADB_X_EALG_AESGCM16) flags=0=none
|   sadb_x_sa2 @0x4fca65b8878 len=2(16) exttype=19(SADB_X_EXT_SA2) mode=0(any!?!) reserved1=00 reserved2=0000 sequence=0 reqid=16389
|   sadb_address @0x4fca65b8888 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
|     192.1.2.45:0
|   sadb_address @0x4fca65b88a0 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
|     192.1.2.23:0
|   sadb_lifetime @0x4fca65b88b8 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=28800 usetime=0
|   sadb_lifetime @0x4fca65b88d8 len=4(32) exttype=4(SADB_EXT_LIFETIME_SOFT) allocations=0 bytes=0 addtime=28800 usetime=0

=> install inbound SA (192.1.2.23 -> 192.1.2.45):

| sending pfkeyv2_add_sa:
|   sadb_msg @0x4fca65c8860 version=2 type=2(SADB_UPDATE) errno=0 satype=3(SADB_SATYPE_ESP) len=24(192) reserved=0000 seq=6 pid=1124
|   sadb_sa @0x4fca65c8870 len=2(16) exttype=1(SADB_EXT_SA) spi=2683487713(9ff2c5e1) replay=16 state=1(SADB_SASTATE_MATURE) auth=0(SADB_AALG_NONE) encrypt=20(SADB_X_EALG_AESGCM16) flags=0=none
|   sadb_x_sa2 @0x4fca65c8880 len=2(16) exttype=19(SADB_X_EXT_SA2) mode=0(any!?!) reserved1=00 reserved2=0000 sequence=0 reqid=16389
|   sadb_address @0x4fca65c8890 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
|     192.1.2.23:0
|   sadb_address @0x4fca65c88a8 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
|     192.1.2.45:0
|   sadb_key @0x4fca65c88c0 len=4(32) exttype=9(SADB_EXT_KEY_ENCRYPT) bits=160 reserved=0000
|   sadb_lifetime @0x4fca65c88e0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=28800 usetime=0
|   sadb_lifetime @0x4fca65c8900 len=4(32) exttype=4(SADB_EXT_LIFETIME_SOFT) allocations=0 bytes=0 addtime=28800 usetime=0
| read 160 bytes
| pfkeyv2_add_sa:
|   sadb_msg @0x4fca65b8858 version=2 type=2(SADB_UPDATE) errno=0 satype=3(SADB_SATYPE_ESP) len=20(160) reserved=0000 seq=6 pid=1124
|   sadb_sa @0x4fca65b8868 len=2(16) exttype=1(SADB_EXT_SA) spi=2683487713(9ff2c5e1) replay=16 state=1(SADB_SASTATE_MATURE) auth=0(SADB_AALG_NONE) encrypt=20(SADB_X_EALG_AESGCM16) flags=0=none
|   sadb_x_sa2 @0x4fca65b8878 len=2(16) exttype=19(SADB_X_EXT_SA2) mode=0(any!?!) reserved1=00 reserved2=0000 sequence=0 reqid=16389
|   sadb_address @0x4fca65b8888 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
|     192.1.2.23:0
|   sadb_address @0x4fca65b88a0 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
|     192.1.2.45:0
|   sadb_lifetime @0x4fca65b88b8 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=28800 usetime=0
|   sadb_lifetime @0x4fca65b88d8 len=4(32) exttype=4(SADB_EXT_LIFETIME_SOFT) allocations=0 bytes=0 addtime=28800 usetime=0

=> install inbound policy:

| sending kernel_pfkeyv2_policy_add:
|   sadb_msg @0x4fca65c8fa0 version=2 type=14(SADB_X_SPDADD) errno=0 satype=0(SADB_SATYPE_UNSPEC) len=19(152) reserved=0000 seq=7 pid=1124
|   sadb_address @0x4fca65c8fb0 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=24
|     192.0.2.0:0
|   sadb_address @0x4fca65c8fc8 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=24
|     192.0.1.0:0
|   sadb_lifetime @0x4fca65c8fe0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=0 usetime=0
|   sadb_x_policy @0x4fca65c9000 len=7(56) exttype=18(SADB_X_EXT_POLICY) type=2(IPSEC_POLICY_IPSEC) dir=1(IPSEC_DIR_INBOUND) scope=0 id=0 priority=1757393
|     sadb_x_ipsecrequest @0x4fca65c9010 len=40(40) proto=50(IPSEC_PROTO_ESP) mode=2(IPSEC_MODE_TUNNEL) level=2(IPSEC_LEVEL_REQUIRE) reqid=0
|       192.1.2.23:0
|       192.1.2.45:0
| read 152 bytes
| kernel_pfkeyv2_policy_add:
|   sadb_msg @0x4fca65b8f98 version=2 type=14(SADB_X_SPDADD) errno=0 satype=0(SADB_SATYPE_UNSPEC) len=19(152) reserved=0000 seq=7 pid=1124
|   sadb_x_policy @0x4fca65b8fa8 len=7(56) exttype=18(SADB_X_EXT_POLICY) type=2(IPSEC_POLICY_IPSEC) dir=1(IPSEC_DIR_INBOUND) scope=0 id=1 priority=1757393
|     sadb_x_ipsecrequest @0x4fca65b8fb8 len=40(40) proto=50(IPSEC_PROTO_ESP) mode=2(IPSEC_MODE_TUNNEL) level=2(IPSEC_LEVEL_REQUIRE) reqid=0
|       192.1.2.23:0
|       192.1.2.45:0
|   sadb_lifetime @0x4fca65b8fe0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=0 usetime=0
|   sadb_address @0x4fca65b9000 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=24
|     192.0.2.0:0
|   sadb_address @0x4fca65b9018 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=24
|     192.0.1.0:0

=> install outbound policy:

| sending kernel_pfkeyv2_policy_add:
|   sadb_msg @0x4fca65c9080 version=2 type=14(SADB_X_SPDADD) errno=0 satype=0(SADB_SATYPE_UNSPEC) len=19(152) reserved=0000 seq=8 pid=1124
|   sadb_address @0x4fca65c9090 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=24
|     192.0.1.0:0
|   sadb_address @0x4fca65c90a8 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=24
|     192.0.2.0:0
|   sadb_lifetime @0x4fca65c90c0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=0 usetime=0
|   sadb_x_policy @0x4fca65c90e0 len=7(56) exttype=18(SADB_X_EXT_POLICY) type=2(IPSEC_POLICY_IPSEC) dir=2(IPSEC_DIR_OUTBOUND) scope=0 id=0 priority=1757393
|     sadb_x_ipsecrequest @0x4fca65c90f0 len=40(40) proto=50(IPSEC_PROTO_ESP) mode=2(IPSEC_MODE_TUNNEL) level=2(IPSEC_LEVEL_REQUIRE) reqid=0
|       192.1.2.45:0
|       192.1.2.23:0
| read 152 bytes
| kernel_pfkeyv2_policy_add:
|   sadb_msg @0x4fca65b9078 version=2 type=14(SADB_X_SPDADD) errno=0 satype=0(SADB_SATYPE_UNSPEC) len=19(152) reserved=0000 seq=8 pid=1124
|   sadb_x_policy @0x4fca65b9088 len=7(56) exttype=18(SADB_X_EXT_POLICY) type=2(IPSEC_POLICY_IPSEC) dir=2(IPSEC_DIR_OUTBOUND) scope=0 id=2 priority=1757393
|     sadb_x_ipsecrequest @0x4fca65b9098 len=40(40) proto=50(IPSEC_PROTO_ESP) mode=2(IPSEC_MODE_TUNNEL) level=2(IPSEC_LEVEL_REQUIRE) reqid=0
|       192.1.2.45:0
|       192.1.2.23:0
|   sadb_lifetime @0x4fca65b90c0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=0 usetime=0
|   sadb_address @0x4fca65b90e0 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=24
|     192.0.1.0:0
|   sadb_address @0x4fca65b90f8 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=24
|     192.0.2.0:0
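Added illustration, not part of the bug report or of Libreswan's or FreeBSD's code: every PF_KEY v2 message in the trace above is a 16-byte sadb_msg header followed by extensions whose len fields count 8-byte units (the trace's len=10(80), len=3(24)), and the reply to SADB_GETSPI carries the new SPI in a LARVAL sadb_sa. The walker below, with constants and struct layouts written out by hand from RFC 2367 and a constructed copy of that 80-byte reply (sockaddr bytes left zero), checks each extension against the buffer before reading it and extracts the SPI and SA state, rejecting a truncated buffer or a zero-length extension.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constants and layouts written out by hand from RFC 2367 so this builds without <net/pfkeyv2.h>. */
enum { SADB_GETSPI = 1, SADB_SATYPE_ESP = 3, SADB_EXT_SA = 1, SADB_EXT_ADDRESS_SRC = 5,
       SADB_EXT_ADDRESS_DST = 6, SADB_SASTATE_LARVAL = 0 };
struct sadb_msg { uint8_t version, type, errno_, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct sadb_ext { uint16_t len, type; };
struct sadb_sa { uint16_t len, type; uint8_t spi[4], replay, state, auth, encrypt; uint32_t flags; };
struct sadb_address { uint16_t len, type; uint8_t proto, prefixlen; uint16_t reserved, sockaddr[8]; };
struct sa_info { uint32_t spi; uint8_t state; int ext_count; };
/* Walk every extension with bounds checks. Lengths count 8-byte units (len=10 is the 80-byte reply
 * in the trace) and the SPI is network byte order. Returns 0, or -1 if anything overruns the buffer. */
int pfkey_walk(const uint8_t *buf, size_t buflen, struct sa_info *out)
{
    struct sadb_msg hdr;
    if (buflen < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    size_t total = (size_t)hdr.len * 8, off = sizeof hdr;
    if (hdr.version != 2 || total > buflen) return -1;        /* header claims more than we got */
    memset(out, 0, sizeof *out);
    while (off < total) {
        struct sadb_ext ext;
        if (total - off < sizeof ext) return -1;
        memcpy(&ext, buf + off, sizeof ext);
        size_t elen = (size_t)ext.len * 8;
        if (elen < sizeof ext || elen > total - off) return -1;  /* extension overruns the message */
        if (ext.type == SADB_EXT_SA) {
            struct sadb_sa sa;
            if (elen < sizeof sa) return -1;
            memcpy(&sa, buf + off, sizeof sa);
            out->spi = (uint32_t)sa.spi[0] << 24 | (uint32_t)sa.spi[1] << 16 | (uint32_t)sa.spi[2] << 8 | sa.spi[3];
            out->state = sa.state;
        }
        out->ext_count++;
        off += elen;
    }
    return 0;
}
/* Constructed sample mirroring the trace's SADB_GETSPI reply (80 bytes): SADB_EXT_SA carrying
 * SPI 0x9ff2c5e1 in LARVAL state, then SRC and DST address extensions (sockaddr bytes left zero). */
size_t build_getspi_reply(uint8_t *buf)
{
    struct sadb_msg m = { 2, SADB_GETSPI, 0, SADB_SATYPE_ESP, 10, 0, 4, 1124 };
    struct sadb_sa sa = { 2, SADB_EXT_SA, { 0x9f, 0xf2, 0xc5, 0xe1 }, 0, SADB_SASTATE_LARVAL, 0, 0, 0 };
    struct sadb_address src = { 3, SADB_EXT_ADDRESS_SRC, 255, 32, 0, { 0 } }, dst = { 3, SADB_EXT_ADDRESS_DST, 255, 32, 0, { 0 } };
    memcpy(buf, &m, 16); memcpy(buf + 16, &sa, 16); memcpy(buf + 32, &src, 24); memcpy(buf + 56, &dst, 24);
    return 80;
}
```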