kern/81095: IPsec connection stops working if associated network interface goes down and then up again.
ari at suutari.iki.fi
Mon May 16 07:10:03 GMT 2005
>Synopsis: IPsec connection stops working if associated network interface goes down and then up again.
>Arrival-Date: Mon May 16 07:10:02 GMT 2005
>Originator: Ari Suutari
>Release: FreeBSD 5.4-RELEASE i386
>Environment:
FreeBSD poison2.syncrontech.com 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri May 13 09:13:34 EEST 2005 root at poison2.syncrontech.com:/usr/src/sys/i386/compile/POISON i386
>Description:
IPsec VPN tunnel stops working after the associated network interface
goes down and then back up again (which can happen with
networks using a tun device, for example). When the network interface
goes down, the IPsec stack updates its cached route to use the system default
route. However, when the interface comes back again the cached
route is not updated to use that interface again.
>How-To-Repeat:
Create a setup of 3 machines:
A: "remote server"
B: IPsec VPN server, use 5.4-RELEASE here
C: "local workstation"
Build a network between A and B which uses a tun device (ppp or vtund).
Set up racoon and ipsec policies so that traffic from C to A is
transmitted via the VPN tunnel. Start pinging A from C. Cause some kind of
problem between A and B which causes the tun device to go down.
Fix the temporary problem. Although the tun device now goes up,
the VPN never recovers and ping doesn't work any more.
>Fix:
Somehow update or invalidate the sa_route field (updated at least
in netinet6/ipsec.c now) when the routing table changes. As a temporary
workaround, I have modified ipsec.c so that it always calls
rtalloc to ensure a valid route.
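The stale-cache failure the report describes, next to the invalidate-on-routing-change fix it asks for, as an added illustration in C. This is a self-contained model written for this page, not FreeBSD's netinet6/ipsec.c: the structures, rtalloc_model(), the generation counter and the interface names tun0/em0 are all assumptions.

```c
#include <stdio.h>
#include <string.h>

#define RTF_UP 0x1 /* route is usable */
/* Hypothetical model, not FreeBSD's own structures: a tunnel route and the
 * system default route, plus a generation counter bumped on every change. */
struct route_entry { const char *ifname; int flags; };
struct rtable { struct route_entry tun, dflt; unsigned generation; };
/* Per-SA cached route, playing the role of sa_route from the report. */
struct sa_cache { struct route_entry *rt; unsigned generation; };
/* Fresh lookup: prefer the tunnel while it is up, else the default route. */
static struct route_entry *rtalloc_model(struct rtable *t) {
    return (t->tun.flags & RTF_UP) ? &t->tun : &t->dflt;
}

/* Buggy: only re-resolve when the cached route itself is down. Once the
 * cache fell back to the default route (always up) it never moves back. */
const char *select_iface_buggy(struct sa_cache *c, struct rtable *t) {
    if (c->rt == NULL || !(c->rt->flags & RTF_UP))
        c->rt = rtalloc_model(t);
    return c->rt->ifname;
}

/* Fixed: also discard the cache whenever the routing table has changed. */
const char *select_iface_fixed(struct sa_cache *c, struct rtable *t) {
    if (c->rt == NULL || !(c->rt->flags & RTF_UP) || c->generation != t->generation) {
        c->rt = rtalloc_model(t);
        c->generation = t->generation;
    }
    return c->rt->ifname;
}

/* Bring tun0 down or up; each change bumps the routing table generation. */
void iface_set(struct rtable *t, int up) { t->tun.flags = up ? RTF_UP : 0; t->generation++; }

/* Replays the report (tunnel up, tun0 down, tun0 up) and returns the
 * interface the SA would transmit over after recovery. */
const char *scenario(const char *(*sel)(struct sa_cache *, struct rtable *)) {
    struct rtable t = { { "tun0", RTF_UP }, { "em0", RTF_UP }, 0 };
    struct sa_cache c = { NULL, 0 };
    sel(&c, &t); iface_set(&t, 0); /* sends via tun0, then tun0 goes down */
    sel(&c, &t); iface_set(&t, 1); /* falls back to em0, then tun0 returns */
    return sel(&c, &t);            /* buggy: "em0"; fixed: "tun0" */
}

int main(void) {
    printf("buggy: %s, fixed: %s\n", scenario(select_iface_buggy), scenario(select_iface_fixed));
}
```

The RTF_UP test alone cannot detect the problem because the default route the cache fell back to is still up; only a check tied to routing-table changes (or an unconditional rtalloc, as in the workaround) brings traffic back onto the tunnel.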