[Bug 192774] New: PF_KEY ACQUIRE missing port and protocol info

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Aug 18 04:08:20 UTC 2014


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192774

            Bug ID: 192774
           Summary: PF_KEY ACQUIRE missing port and protocol info
           Product: Base System
           Version: 10.0-STABLE
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: john at feith.com

Created attachment 145951
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=145951&action=edit
patch for problem.

Consider an IPSEC policy such as:

 spdadd 0.0.0.0/0 XXX.XXX.XXX.XXX/32[1701] udp -P out ipsec
   esp/transport//require;
 spdadd XXX.XXX.XXX.XXX/32[1701] 0.0.0.0/0 udp -P in ipsec
   esp/transport//require;

When triggered it sends a PF_KEY ACQUIRE message that causes ISAKMP 
negotiations to occur with the remote.  Unfortunately the key_acquire 
routine in sys/netipsec/key.c doesn't contain any code to propagate 
the port / protocol information as part of the ACQUIRE message ... as 
a result racoon sees an ACQUIRE message for all traffic to the remote
system and supplies that as the proposal which fails since the remote 
system is only willing to protect L2TP with IPSEC ... not all traffic.

Note that RFC 2367 3.1.6 SADB_ACQUIRE says:

  The address(SD) extensions MUST have the port fields
  filled in with the port numbers of the session requiring
  keys if appropriate.

With the supplied patch I'm able to successfully establish an L2TP connection
protected by IPSEC from FreeBSD 10-stable to a Cisco 3845 router.

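The following is an added example, not code from the bug report, the attached patch, or FreeBSD's sys/netipsec/key.c. It shows what the report is about at the wire level: an SADB_ACQUIRE message carries its traffic selector in the sadb_address extensions (the transport protocol in sadb_address_proto, the port in the embedded sockaddr), which is the information RFC 2367 3.1.6 says MUST be filled in. The message is built once with the report's L2TP selector (UDP, destination port 1701, with 192.0.2.1 standing in for the redacted peer address) and once with those fields left at zero, i.e. unspecified, which is how this example models the "all traffic to the remote" ACQUIRE the reporter describes; a small parser then walks the extension chain the way a key manager such as racoon would and reads the selector back. The RFC 2367 structure layouts and constants are reproduced inline rather than taken from <net/pfkeyv2.h> so the example builds stand-alone; everything else (function names, the sample address) is this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constants and fixed-layout structures from RFC 2367, declared here
 * (not pulled from <net/pfkeyv2.h>) so the example builds stand-alone.
 * All PF_KEY length fields count 64-bit units. */
#define PF_KEY_V2            2
#define SADB_ACQUIRE         2
#define SADB_SATYPE_ESP      3
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define PFKEY_UNIT64(n)      (((n) + 7) / 8)

struct sadb_msg {
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len, sadb_msg_reserved;
    uint32_t sadb_msg_seq, sadb_msg_pid;
};
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; };
struct sadb_address {                 /* immediately followed by a sockaddr */
    uint16_t sadb_address_len, sadb_address_exttype;
    uint8_t  sadb_address_proto, sadb_address_prefixlen;
    uint16_t sadb_address_reserved;
};

/* Append one address extension. The transport protocol goes in the
 * extension header, the port in the sockaddr_in (network byte order). */
static size_t put_address(uint8_t *p, uint16_t exttype, const char *ip,
                          uint8_t prefixlen, uint8_t proto, uint16_t port)
{
    struct sadb_address a;
    struct sockaddr_in sin;
    memset(&a, 0, sizeof a);
    memset(&sin, 0, sizeof sin);
    a.sadb_address_len = PFKEY_UNIT64(sizeof a + sizeof sin);   /* 3 units */
    a.sadb_address_exttype = exttype;
    a.sadb_address_proto = proto;
    a.sadb_address_prefixlen = prefixlen;
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sin.sin_addr);
    memcpy(p, &a, sizeof a);
    memcpy(p + sizeof a, &sin, sizeof sin);
    return sizeof a + sizeof sin;
}

/* Build an ACQUIRE for the report's outbound policy (any source, one
 * destination host, dport over proto). Returns bytes written, 0 on short buf. */
size_t build_acquire(uint8_t *buf, size_t cap, const char *dst,
                     uint16_t dport, uint8_t proto)
{
    struct sadb_msg h;
    size_t off = sizeof h;
    if (cap < sizeof h + 2 * (sizeof(struct sadb_address) + sizeof(struct sockaddr_in)))
        return 0;
    memset(&h, 0, sizeof h);
    h.sadb_msg_version = PF_KEY_V2;
    h.sadb_msg_type = SADB_ACQUIRE;
    h.sadb_msg_satype = SADB_SATYPE_ESP;
    h.sadb_msg_seq = 1;
    off += put_address(buf + off, SADB_EXT_ADDRESS_SRC, "0.0.0.0", 0, proto, 0);
    off += put_address(buf + off, SADB_EXT_ADDRESS_DST, dst, 32, proto, dport);
    h.sadb_msg_len = PFKEY_UNIT64(off);
    memcpy(buf, &h, sizeof h);
    return off;
}

/* Walk the extension chain as a key manager would and pull proto/port out of
 * the destination address extension. Returns 0 on success, -1 if the message
 * is malformed (bad lengths) or carries no IPv4 destination. */
int acquire_dst_selector(const uint8_t *buf, size_t len, uint8_t *proto, uint16_t *port)
{
    struct sadb_msg h;
    size_t off, end;
    if (len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    end = (size_t)h.sadb_msg_len * 8;
    if (h.sadb_msg_version != PF_KEY_V2 || h.sadb_msg_type != SADB_ACQUIRE || end > len)
        return -1;
    for (off = sizeof h; off + sizeof(struct sadb_ext) <= end; off += 0) {
        struct sadb_ext e;
        size_t elen;
        memcpy(&e, buf + off, sizeof e);
        elen = (size_t)e.sadb_ext_len * 8;
        if (elen < sizeof e || elen > end - off) return -1;   /* bogus ext length */
        if (e.sadb_ext_type == SADB_EXT_ADDRESS_DST) {
            struct sadb_address a;
            struct sockaddr_in sin;
            if (elen < sizeof a + sizeof sin) return -1;
            memcpy(&a, buf + off, sizeof a);
            memcpy(&sin, buf + off + sizeof a, sizeof sin);
            if (sin.sin_family != AF_INET) return -1;
            *proto = a.sadb_address_proto;
            *port = ntohs(sin.sin_port);
            return 0;
        }
        off += elen;
    }
    return -1;
}

/* Round trip. propagate=1: port/proto filled in as RFC 2367 3.1.6 requires.
 * propagate=0: both left zero (unspecified), this example's model of an
 * ACQUIRE covering all traffic to the peer. Returns -1 on any error. */
static int demo(int propagate, uint8_t *proto, uint16_t *port)
{
    uint8_t buf[64];
    size_t n = build_acquire(buf, sizeof buf, "192.0.2.1",   /* constructed sample peer */
                             propagate ? 1701 : 0, propagate ? IPPROTO_UDP : 0);
    return (n == 0) ? -1 : acquire_dst_selector(buf, n, proto, port);
}
int demo_dst_port(int propagate)  { uint8_t pr; uint16_t po; return demo(propagate, &pr, &po) ? -1 : po; }
int demo_dst_proto(int propagate) { uint8_t pr; uint16_t po; return demo(propagate, &pr, &po) ? -1 : pr; }

int main(void)
{
    printf("with selector:    proto %d port %d\n", demo_dst_proto(1), demo_dst_port(1));
    printf("without selector: proto %d port %d\n", demo_dst_proto(0), demo_dst_port(0));
    return 0;
}
```

The parser's length checks matter in practice: sadb_msg_len and each sadb_ext_len are untrusted inputs to whichever side reads the socket, so every extension length is validated against the remaining message before the sockaddr is copied out.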