[Bug 192774] New: PF_KEY ACQUIRE missing port and protocol info
bugzilla-noreply at freebsd.org
Mon Aug 18 04:08:20 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192774
Bug ID: 192774
Summary: PF_KEY ACQUIRE missing port and protocol info
Product: Base System
Version: 10.0-STABLE
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: john at feith.com
Created attachment 145951
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=145951&action=edit
patch for problem.
Consider an IPSEC policy such as:
spdadd 0.0.0.0/0 XXX.XXX.XXX.XXX/32[1701] udp -P out ipsec
esp/transport//require;
spdadd XXX.XXX.XXX.XXX/32[1701] 0.0.0.0/0 udp -P in ipsec
esp/transport//require;
When triggered it sends a PF_KEY ACQUIRE message that causes ISAKMP
negotiations to occur with the remote. Unfortunately the key_acquire
routine in sys/netipsec/key.c doesn't contain any code to propagate
the port / protocol information as part of the ACQUIRE message ... as
a result racoon sees an ACQUIRE message for all traffic to the remote
system and supplies that as the proposal which fails since the remote
system is only willing to protect L2TP with IPSEC ... not all traffic.
Note that RFC 2367 3.1.6 SADB_ACQUIRE says:
The address(SD) extensions MUST have the port fields
filled in with the port numbers of the session requiring
keys if appropriate.
With the supplied patch I'm able to successfully establish an L2TP connection protected
by IPSEC from FreeBSD 10-stable to a Cisco 3845 router.
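The report turns on what an SADB_ACQUIRE actually carries in its SADB_EXT_ADDRESS_SRC/DST extensions. The following is an added example, not the reporter's patch and not code from FreeBSD's key.c or from racoon: it builds an ACQUIRE the way the kernel would, once with empty port/protocol (the behaviour described above) and once with UDP/1701 filled in as RFC 2367 3.1.6 requires, then parses it back the way an IKE daemon would and classifies the selector. The RFC 2367 structures and constants are defined locally so it compiles without <net/pfkeyv2.h>, and the two IPv4 addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* PF_KEY v2 constants and layouts as given in RFC 2367 (defined here so the
 * example builds stand-alone). Length fields count 64-bit words. */
#define PF_KEY_V2            2
#define SADB_ACQUIRE         6
#define SADB_SATYPE_ESP      3
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define PFKEY_UNIT64(n)   (((n) + 7) / 8)
#define PFKEY_UNUNIT64(n) ((size_t)(n) * 8)

struct sadb_msg {
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len, sadb_msg_reserved;
    uint32_t sadb_msg_seq, sadb_msg_pid;
};
struct sadb_address {            /* followed by a struct sockaddr */
    uint16_t sadb_address_len, sadb_address_exttype;
    uint8_t  sadb_address_proto, sadb_address_prefixlen;
    uint16_t sadb_address_reserved;
};

/* Traffic selector recovered from one SADB_EXT_ADDRESS_{SRC,DST} extension. */
struct selector {
    struct in_addr addr;
    uint16_t port;               /* host order; 0 means "any port" */
    uint8_t  proto, prefixlen;   /* proto 0 means "any protocol" */
};

/* Appends one address extension. proto 0 / port 0 is the "all traffic"
 * selector the report says the unpatched key_acquire() emits. */
static size_t put_address_ext(uint8_t *buf, uint16_t exttype, const char *ip,
                              uint8_t proto, uint16_t port)
{
    struct sadb_address hdr = {0};
    struct sockaddr_in  sin = {0};
    size_t len = PFKEY_UNUNIT64(PFKEY_UNIT64(sizeof hdr + sizeof sin));

    hdr.sadb_address_len       = (uint16_t)PFKEY_UNIT64(sizeof hdr + sizeof sin);
    hdr.sadb_address_exttype   = exttype;
    hdr.sadb_address_proto     = proto;
    hdr.sadb_address_prefixlen = 32;
    sin.sin_family = AF_INET;
    sin.sin_port   = htons(port);
    inet_pton(AF_INET, ip, &sin.sin_addr);
    memset(buf, 0, len);
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, &sin, sizeof sin);
    return len;
}

/* Builds an SADB_ACQUIRE for ESP between src and dst; returns its byte length. */
static size_t build_acquire(uint8_t *buf, const char *src, const char *dst,
                            uint8_t proto, uint16_t dport)
{
    struct sadb_msg m = {0};
    size_t off = sizeof m;

    off += put_address_ext(buf + off, SADB_EXT_ADDRESS_SRC, src, proto, 0);
    off += put_address_ext(buf + off, SADB_EXT_ADDRESS_DST, dst, proto, dport);
    m.sadb_msg_version = PF_KEY_V2;
    m.sadb_msg_type    = SADB_ACQUIRE;
    m.sadb_msg_satype  = SADB_SATYPE_ESP;
    m.sadb_msg_len     = (uint16_t)PFKEY_UNIT64(off);
    m.sadb_msg_seq     = 1;
    memcpy(buf, &m, sizeof m);
    return off;
}

/* Walks the extension chain as an IKE daemon reading the kernel socket must:
 * every length is bounds-checked before the read. 0 on success, -1 on a
 * malformed message or a missing SRC/DST address extension. */
static int parse_acquire(const uint8_t *buf, size_t buflen,
                         struct selector *src, struct selector *dst)
{
    struct sadb_msg m;
    size_t off, msglen;
    int have_src = 0, have_dst = 0;

    if (buflen < sizeof m) return -1;
    memcpy(&m, buf, sizeof m);
    if (m.sadb_msg_version != PF_KEY_V2 || m.sadb_msg_type != SADB_ACQUIRE) return -1;
    msglen = PFKEY_UNUNIT64(m.sadb_msg_len);
    if (msglen > buflen) return -1;

    for (off = sizeof m; off + sizeof(struct sadb_address) <= msglen; off += 0) {
        struct sadb_address hdr;          /* its first 4 bytes are the generic sadb_ext */
        size_t extlen;
        memcpy(&hdr, buf + off, sizeof hdr);
        extlen = PFKEY_UNUNIT64(hdr.sadb_address_len);
        if (extlen < sizeof hdr || off + extlen > msglen) return -1;
        if (hdr.sadb_address_exttype == SADB_EXT_ADDRESS_SRC ||
            hdr.sadb_address_exttype == SADB_EXT_ADDRESS_DST) {
            struct sockaddr_in sin;
            struct selector *s = hdr.sadb_address_exttype == SADB_EXT_ADDRESS_SRC ? src : dst;
            if (extlen < sizeof hdr + sizeof sin) return -1;
            memcpy(&sin, buf + off + sizeof hdr, sizeof sin);
            if (sin.sin_family != AF_INET) return -1;
            s->addr = sin.sin_addr;
            s->port = ntohs(sin.sin_port);
            s->proto = hdr.sadb_address_proto;
            s->prefixlen = hdr.sadb_address_prefixlen;
            if (s == src) have_src = 1; else have_dst = 1;
        }
        off += extlen;
    }
    return (have_src && have_dst) ? 0 : -1;
}

/* RFC 2367 3.1.6: for a port-specific policy the port fields must be filled.
 * 1 = narrowed selector, 0 = "all traffic between the peers". */
static int acquire_is_narrowed(const struct selector *src, const struct selector *dst)
{
    return dst->proto != 0 && (src->port != 0 || dst->port != 0);
}

/* Build, parse back, classify. -1 = parse failure, else the narrowed flag. */
static int acquire_roundtrip(uint8_t proto, uint16_t dport)
{
    uint8_t buf[128];
    struct selector s, d;
    size_t n = build_acquire(buf, "10.0.0.2", "192.0.2.1", proto, dport); /* constructed */
    if (parse_acquire(buf, n, &s, &d) != 0) return -1;
    return acquire_is_narrowed(&s, &d);
}

/* Destination port as the daemon would see it, or -1 on parse failure. */
static int acquire_roundtrip_dport(uint8_t proto, uint16_t dport)
{
    uint8_t buf[128];
    struct selector s, d;
    size_t n = build_acquire(buf, "10.0.0.2", "192.0.2.1", proto, dport);
    return parse_acquire(buf, n, &s, &d) == 0 ? d.port : -1;
}

/* A message whose sadb_msg_len overstates the buffer must be rejected. */
static int acquire_rejects_truncated(void)
{
    uint8_t buf[128];
    struct selector s, d;
    size_t n = build_acquire(buf, "10.0.0.2", "192.0.2.1", IPPROTO_UDP, 1701);
    return parse_acquire(buf, n - 8, &s, &d) == -1;
}

int main(void)
{
    printf("ACQUIRE without port/proto: narrowed=%d\n", acquire_roundtrip(0, 0));
    printf("ACQUIRE with udp/1701:      narrowed=%d\n", acquire_roundtrip(IPPROTO_UDP, 1701));
    return 0;
}
```

The first message is what the report describes: the daemon has nothing but two addresses to work from, so the proposal it sends covers all traffic and the far end, which only protects L2TP, rejects it. The second carries proto 17 and port 1701 in the address extensions and classifies as narrowed. The parser also refuses a message whose declared length exceeds the bytes actually read, which is the check any consumer of a PF_KEY socket should perform before trusting extension lengths.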