[PATCH] IPSec fixes

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Thu Jan 15 22:40:12 PST 2004

On Fri, 16 Jan 2004, Jun-ichiro itojun Hagino wrote:


> 	the problem i have with the patch is, i have never experienced the
> 	symptom with NetBSD.  no panic at all, no funny "SPD entry go away
> 	when it has to stay" issue nor any "dangling pointer" issue.
> 	could you show me your script which panics your FreeBSD box?  i will
> 	try that on NetBSD-current box here.

I don't have a shell script but do it on the command line by hand. This gives
better logging to the serial console when debugging which events occurred
when. The basic idea is:

1. have racoon startup at boot time
2. run setkey -f an_ipsec.conf
		spdadd ...
		spdadd ...
		spdadd ...
		spdadd ...
3. wait some short time (0-2 minutes) and perhaps do some traffic
   I usually open an ssh connection (no ipsec in that path) to my
   directly connected syslog server, reattach a screen with some
   tail -f on logfiles
4. repeat step 2
5. do something like check netstat -s -p ipsec or just wait some seconds
6. kill <pid of racoon>
7. count to ten and wait for the panic to come

Steps 1-3 are done automatically when booting; when I come back to my
workstation I open the ssh connection through the ipsec router.

Killing racoon has turned out to be a good thing to crash the box.
Sometimes I will see some
	"ipsec4_getpolicybysock: Invalid policy for PCB N"
with N being any number, be it 0 or e.g. 4657 or 0xdeadcode, and I will know
that a panic is ahead anyway.

> 	there could be some difference in NetBSD kernel code and FreeBSD due
> 	to KAME->*BSD merge timing, and FreeBSD could have pulled in some source
> 	of instability (just my guess).

So I should diff between NetBSD and FreeBSD and not KAME to FreeBSD?


Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
56 69 73 69 74				http://www.zabbadoz.net/
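The reproduction steps 2-7 from the mail above, written out as a small POSIX shell script. This is an added example, not a script from the original thread or from the KAME/FreeBSD projects; it assumes racoon is already running from boot (step 1), that the policy file is ./an_ipsec.conf (the file name, the settle time, and the log path are assumptions and overridable via environment variables), and that setkey, netstat, pgrep and kill are in PATH. Every step writes a timestamped line to the log before running the command, so the serial-console output can be lined up with whatever the kernel prints just before the panic.

```shell
#!/bin/sh
# Added example: scripted form of the manual reproduction steps in the mail.
# Assumed names (not from the original): CONF, SETTLE, LOG, and the 'run' argument.

CONF="${CONF:-an_ipsec.conf}"   # setkey policy file with the spdadd lines (step 2)
SETTLE="${SETTLE:-60}"          # seconds between the two SPD loads (mail: 0-2 minutes)
LOG="${LOG:-/dev/stderr}"       # where the timestamped trace goes (serial console by default)

# Timestamped trace line, written before each action so console output can be
# correlated with the kernel messages that precede the panic.
say() {
    printf '%s repro: %s\n' "$(date '+%H:%M:%S')" "$*" >>"$LOG"
}

# Steps 2 and 4: (re)load the SPD from the policy file.
load_spd() {
    say "setkey -f $CONF"
    setkey -f "$CONF"
}

# Step 5: dump the kernel's IPsec counters; the mail's
# "ipsec4_getpolicybysock: Invalid policy for PCB N" messages tend to show
# up around here, so the counters are worth a look before racoon is killed.
show_counters() {
    say "netstat -s -p ipsec"
    netstat -s -p ipsec
}

# Step 6: find racoon's pid. Prints nothing if it is not running.
racoon_pid() {
    pgrep -x racoon 2>/dev/null | head -n 1
}

# Step 6: kill racoon. Returns 1 (without killing anything) if it is not running,
# so a misconfigured box is reported instead of the script silently doing nothing.
kill_racoon() {
    pid=$(racoon_pid)
    if [ -z "$pid" ]; then
        say "racoon is not running; nothing to kill"
        return 1
    fi
    say "kill $pid"
    kill "$pid"
}

# Steps 2-7 in order. Step 3's optional traffic (the ssh session in the mail)
# is left to the operator; sleeping covers the "wait some short time" part.
repro() {
    load_spd                        # step 2
    say "settling for ${SETTLE}s"   # step 3
    sleep "$SETTLE"
    load_spd                        # step 4
    show_counters                   # step 5
    kill_racoon                     # step 6
    say "waiting for the panic"     # step 7
    sleep 10
}

# Only run the destructive sequence when explicitly asked for, so sourcing the
# file (e.g. to reuse the helpers) does nothing on its own.
case "${1:-}" in
    run) repro ;;
esac
```

Usage: `CONF=/etc/ipsec.conf LOG=/dev/console sh repro.sh run` on the box under test, with a serial console attached. If the box survives step 7, the trace in the log still shows exactly which setkey load and which kill happened when, which is what the mail says matters when comparing against NetBSD.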

