kern/61323: KAME IPSEC broken, IKE not excluded from policy, crashes
Dierk Sacher
usenet at blaxxtarz.de
Tue Jan 13 11:20:20 PST 2004
>Number: 61323
>Category: kern
>Synopsis: KAME IPSEC broken, IKE not excluded from policy, crashes
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 13 11:20:08 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Dierk Sacher
>Release: 5.2-RELEASE
>Organization:
DSITC
>Environment:
FreeBSD luxxor 5.2-RELEASE FreeBSD 5.2-RELEASE #1: Tue Jan 13 14:43:58 CET 2004 root at luxxor:/usr/obj/usr/src/sys/LUXXOR i386
>Description:
IPSEC not working with automatic keying. No ISAKMP packet happens to leave the machine after the SPD is set up. After a while the machine goes down with a panic or just hangs.
Problem is exactly as already described by
http://lists.freebsd.org/pipermail/freebsd-current/2003-December/016939.html
>How-To-Repeat:
a) build Kernel with
options IPSEC
options IPSEC_ESP
b) setup racoon for automatic key exchange
c) setup policy like (esp tunnel)
spdadd 192.168.1.1/32 0.0.0.0/0 any -P out ipsec
esp/tunnel/192.168.1.1-192.168.1.254/require;
spdadd 0.0.0.0/0 192.168.1.1/0 any -P in ipsec
esp/tunnel/192.168.1.1-192.168.1.254/require;
Now, ping the gateway or some other machine. Watch tcpdump output at the gateway: no isakmp traffic at all from the broken 5.2-RELEASE box.
After a while, you may even experience a panic, or it just hangs. Maybe you will have to call setkey -D -F for the crash to happen.
>Fix:
No known fix, but the isakmp traffic should not have been blocked.
A none policy for udp/500 does not work around the bug; it just crashes too.
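As an added example (not part of the PR or of the KAME/FreeBSD tree), here is the SPD from the How-To-Repeat section beside a version that adds explicit bypass entries for ISAKMP on UDP port 500 between the two tunnel endpoints, plus a small check that a policy text contains both bypass directions. The bypass entries and the addr[port] syntax are my additions; the PR itself notes that on the affected kernel a none policy for udp/500 still crashed.

```shell
#!/bin/sh
# Added example, not code from the PR. Addresses are those in the report.

policy_from_report() {
    # The two catch-all entries exactly as given in the PR: every packet
    # to or from 192.168.1.1, IKE included, is required to go through ESP.
    cat <<'EOF'
spdadd 192.168.1.1/32 0.0.0.0/0 any -P out ipsec
    esp/tunnel/192.168.1.1-192.168.1.254/require;
spdadd 0.0.0.0/0 192.168.1.1/0 any -P in ipsec
    esp/tunnel/192.168.1.1-192.168.1.254/require;
EOF
}

policy_with_ike_bypass() {
    # Constructed variant: "none" entries for ISAKMP (UDP port 500) between
    # the tunnel endpoints, listed ahead of the report's catch-all entries,
    # so racoon's key exchange is not itself subject to the require policy.
    cat <<'EOF'
spdadd 192.168.1.1[500] 192.168.1.254[500] udp -P out none;
spdadd 192.168.1.254[500] 192.168.1.1[500] udp -P in none;
EOF
    policy_from_report
}

# Reads a setkey policy text on stdin. Succeeds (exit 0) only when both an
# outbound and an inbound "none" entry for udp port 500 are present.
ike_excluded() {
    pol=$(cat)
    printf '%s\n' "$pol" |
        grep -Eq '\[500\].*udp[[:space:]]+-P[[:space:]]+out[[:space:]]+none' &&
    printf '%s\n' "$pol" |
        grep -Eq '\[500\].*udp[[:space:]]+-P[[:space:]]+in[[:space:]]+none'
}
```

Run `policy_with_ike_bypass | setkey -c` on a test host to load the variant; `policy_from_report | ike_excluded` fails, `policy_with_ike_bypass | ike_excluded` succeeds.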
>Release-Note:
>Audit-Trail:
>Unformatted: