Date:      Sat, 20 Jun 2009 20:02:13 -0400
From:      Chris Buechler <cmb@pfsense.org>
To:        freebsd-net@FreeBSD.org
Subject:   Re: IPsec crash, patch for review
Message-ID:  <4A3D7885.9010809@pfsense.org>
In-Reply-To: <20090619130040.GA53996@zeninc.net>
References:  <20090619130040.GA53996@zeninc.net>

Hi,

VANHULLEBUS Yvan wrote:
> Hi all.
>
> We (NETASQ) had some IPsec-related kernel crashes, and hunted them;
> here is some information and a possible patch:
>
>
> First, problem only occurs when asynchronous crypto is done
> (hardware encryption such as hifn cards, or software patch to do
> encryption on a separate kthread when having multiple CPUs).
>   

We tried this patch on 7.2 (with patch-natt-7.2-2009-05-12.diff from 
your ~) due to a seemingly similar problem, but IPsec stops working with 
the patch applied. Using test setup:

Host A -- fwA -- fwB -- Host B

where fwA has the patch and fwB is the same 7.2 minus this patch, and 
there is an IPsec connection between fwA and fwB. It brings up the 
connection no problem, and if I leave a constant ping going, every time 
I restart racoon on fwA I get exactly one response through.

From tcpdump on enc0 on both ends and the actual NICs, I see that 
traffic from Host B to Host A gets all the way through the tunnel to 
Host A, it responds, the response is seen on fwA's LAN port, but it 
doesn't hit enc0. Traffic from Host A to Host B is seen on the LAN port 
of fwA, but not on enc0 and not on enc0 of the remote side.

Replace the kernel on fwA with one minus the patch and it works fine 
(except it will spontaneously reboot under high load).

That's with patch-xform_freespfix-3. Should that work with 7.2 in 
combination with the NAT-T patch?  It applies cleanly.

thanks,
Chris
