kern/61323: KAME IPSEC broken, IKE not excluded from policy, crashes

Dierk Sacher dierk at blaxxtarz.de
Tue Jan 13 16:00:44 PST 2004


The following reply was made to PR kern/61323; it has been noted by GNATS.

From: Dierk Sacher <dierk at blaxxtarz.de>
To: "Bjoern A. Zeeb" <bzeeb-lists at lists.zabbadoz.net>
Cc: freebsd-gnats-submit at FreeBSD.org, freebsd-bugs at FreeBSD.org
Subject: Re: kern/61323: KAME IPSEC broken, IKE not excluded from policy, crashes
Date: Wed, 14 Jan 2004 00:57:31 +0100

 Quoting Bjoern A. Zeeb from Tue, Jan 13, 2004 at 07:42:46PM +0000:
 > On Tue, 13 Jan 2004, Dierk Sacher wrote:
 > 
 > > >Fix:
 > > No known fix, but the isakmp traffic should not have been blocked.
 > > A none policy for udp/500 does not work around the bug, it just crashes too
 > 
 > Can you please try the patches mentioned in
 > http://lists.freebsd.org/pipermail/freebsd-current/2004-January/018084.html
 
 Thank you for the pointer. I applied all the patches and from lazy
 testing I'm able to confirm that the related crashes and panics are gone.
 I'll continue to stress the whole setup over the next days and inform
 you if there are any upcoming stability issues or the like.
 
 The handling of the IKE packets is still broken. Beyond a now acceptable
 workaround, the "manual" handling of the IKE traffic will lead us into a
 chicken-and-egg problem and should better be implemented the way it's
 supposed to be.
 
 Said patches should be listed in the Fix Section of the PR. (My job? No
 experience with PRs so far).
 
 	Regards
 	  Dierk Sacher
 
 -- 
 |----+----|----+----|----+----|----+----|----+----|----+----|----+----|--<
  GPG Fingerprint: D14C 12BB 37A6 6745 7F4F  F420 9E59 D79E A492 2A96
  GPG KeyID      : A4922A96  
 +------------------------------------------------------------------------+

