From: VANHULLEBUS Yvan
To: freebsd-stable@freebsd.org
Date: Mon, 25 Jun 2012 11:27:51 +0200
Subject: Re: ipsec kernel panic
Message-ID: <20120625092751.GA4514@zeninc.net>
In-Reply-To: <1340598865.1968.11.camel@localhost>

On Mon, Jun 25, 2012 at 07:34:25AM +0300, mbsd wrote:
> Hi stable users.

Hi.

> Like this good guy:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=159629&cat=
> I'm a bad guy and also have a kernel panic.

Maybe it doesn't matter whether you are a good or bad guy.

> It happened the first time around FreeBSD 9 beta 2 or 3. I don't
> remember exactly.
>
> All I have is
>
> cat /etc/ipsec.conf
> add 192.168.0.2 192.168.0.1 esp 10022 -E blowfish-cbc "dododo";
> add 192.168.0.1 192.168.0.2 esp 10020 -E blowfish-cbc "dododo";
>
> add 192.168.0.2 192.168.0.1 ah 10007 -A hmac-md5 "dododo";
> add 192.168.0.1 192.168.0.2 ah 10006 -A hmac-md5 "dododo";
>
> # for internet
> spdadd 0.0.0.0/0 192.168.0.2 any -P in ipsec
> esp/tunnel/192.168.0.1-192.168.0.2/require ah/transport//require;
> spdadd 192.168.0.2 0.0.0.0/0 any -P out ipsec
> esp/tunnel/192.168.0.2-192.168.0.1/require ah/transport//require;
>
> After service ipsec start I always have a kernel panic on stable.

This will *not* solve the crash, but do you really need such an IPsec
configuration, with both ESP/tunnel and AH/transport?

Most people who use such a configuration actually just want ESP/tunnel
with payload authentication, which will be done by this:

add 192.168.0.2 192.168.0.1 esp 10022 -E blowfish-cbc "dododo" -A hmac-md5 "dododo";
add 192.168.0.1 192.168.0.2 esp 10020 -E blowfish-cbc "dododo" -A hmac-md5 "dododo";

(if you do really use static SAs, please also consider moving to an IKE
daemon...)

spdadd 0.0.0.0/0 192.168.0.2 any -P in ipsec
esp/tunnel/192.168.0.1-192.168.0.2/require;
spdadd 192.168.0.2 0.0.0.0/0 any -P out ipsec
esp/tunnel/192.168.0.2-192.168.0.1/require;

If you do not really need AH, then you can move to this configuration
and confirm to us that you don't have the crash anymore.

Of course, as I already said, the issue will still be in the code....

Yvan.
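The ESP-with-authentication layout suggested in the reply, as an added shell example that is not part of the thread: it generates hex keys of a length setkey(8) actually accepts (a quoted 6-character key like the one above is too short for hmac-md5, which needs 128 bits) and emits the two SAs and two policies for 192.168.0.2/192.168.0.1 without any AH entries. The function names gen_key, key_bits, check_key_len and emit_ipsec_conf are my own; the key sizes are the ones listed in the setkey manual.

```shell
#!/bin/sh
# Added example, not code from the thread: build a setkey(8)-style ipsec.conf
# for ESP/tunnel with built-in authentication (-A), the form suggested in the
# reply instead of ESP/tunnel stacked on AH/transport, and refuse keys whose
# length setkey would reject (sizes from setkey(8), see check_key_len).

# Print N random bytes from /dev/urandom as a 0x-prefixed hex key.
gen_key() {
    printf '0x%s\n' "$(od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n')"
}

# Key length in bits: hex keys count 4 bits per digit, a bare string
# (what setkey sees inside "...") counts 8 bits per character.
key_bits() {
    case $1 in
        0x*) echo $(( (${#1} - 2) * 4 )) ;;
        *)   echo $(( ${#1} * 8 )) ;;
    esac
}

# Return 0 if KEY has a length setkey(8) accepts for ALGO, else 1.
check_key_len() {
    bits=$(key_bits "$2")
    case $1 in
        hmac-md5)      [ "$bits" -eq 128 ] ;;
        hmac-sha1)     [ "$bits" -eq 160 ] ;;
        hmac-sha2-256) [ "$bits" -eq 256 ] ;;
        blowfish-cbc)  [ "$bits" -ge 40 ] && [ "$bits" -le 448 ] ;;
        rijndael-cbc)  [ "$bits" -eq 128 ] || [ "$bits" -eq 192 ] || [ "$bits" -eq 256 ] ;;
        *)             return 1 ;;
    esac
}

# emit_ipsec_conf HERE PEER SPI_OUT SPI_IN ENC_OUT ENC_IN AUTH_OUT AUTH_IN
# One SA per direction; authentication rides inside ESP, so there is no AH SA
# and no "ah/transport//require" in the policies. Returns 1 on a bad key.
emit_ipsec_conf() {
    here=$1 peer=$2 spi_out=$3 spi_in=$4
    check_key_len blowfish-cbc "$5" && check_key_len blowfish-cbc "$6" || return 1
    check_key_len hmac-md5 "$7" && check_key_len hmac-md5 "$8" || return 1
    cat <<EOF
flush;
spdflush;
add $here $peer esp $spi_out -m tunnel -E blowfish-cbc $5 -A hmac-md5 $7;
add $peer $here esp $spi_in -m tunnel -E blowfish-cbc $6 -A hmac-md5 $8;
spdadd $here 0.0.0.0/0 any -P out ipsec esp/tunnel/$here-$peer/require;
spdadd 0.0.0.0/0 $here any -P in ipsec esp/tunnel/$peer-$here/require;
EOF
}
```

Running `emit_ipsec_conf 192.168.0.2 192.168.0.1 10022 10020 "$(gen_key 16)" "$(gen_key 16)" "$(gen_key 16)" "$(gen_key 16)"` prints a file you can feed to `setkey -f`; the peer must be loaded with the same keys and SPIs, with its own address as HERE.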