From owner-freebsd-security Thu Nov 9 4:48:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from aussie.org (hallam.lnk.telstra.net [139.130.54.166]) by hub.freebsd.org (Postfix) with ESMTP id 4D2BE37B479 for ; Thu, 9 Nov 2000 04:48:26 -0800 (PST)
Received: from frankenputer (frankenputer [172.29.58.2]) by aussie.org (8.11.1/8.11.1) with SMTP id eA9CmOh00462 for ; Thu, 9 Nov 2000 23:48:24 +1100 (EST) (envelope-from casonc@netplex.aussie.org)
Message-ID: <001f01c04a4b$57ff84e0$023a1dac@dsat.net.au>
From: "Chris Cason"
To:
References: <5.0.0.25.0.20001108115420.076aeeb0@marble.sentex.ca> <003c01c049f1$b24bec40$023a1dac@dsat.net.au> <20001108181234.A1768@citusc17.usc.edu> <001501c049f6$c578baa0$023a1dac@dsat.net.au>
Subject: [solved] Re: IPSEC tunnels fail with -stable kernel?
Date: Thu, 9 Nov 2000 23:48:19 +1100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I'm in a bit of a spot. I upgraded several FreeBSD 4.1 boxes via
> cvsup (tracking stable) and rebuilt, and now my previously-working
> IPSEC VPNs have stopped. The new kernel is at 4.2-BETA on the boxen
> in question, the old varied but one was as recent as October 14.

I have found & solved this problem (at least from my point of view).

Version 1.7 of netinet6/ipsec.c (v1.3.2.3 of RELENG_4), which was put into CVS a few days ago, had the following added to the function ipsec4_tunnel_validate() (at line 3151):

    if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL)
        return 0;

Since my SAD entries were configured to mode ANY (the default, which is exactly what I want since I encrypt both the tunneled traffic for the VPN and the normal transport-level traffic between the gateways), the received tunneled traffic was all being dropped.

While I could work around this by not using mode ANY, I chose to patch instead: removing the above code from ipsec.c and rebuilding the kernel solved the problem.

The question I have (and it's probably best asked in -bugs) is whether this is a bug or not. The change shown above was the only change (along with ipsec6_tunnel_validate) between v1.6 and 1.7 of ipsec.c, so it must have some logic behind it.

-- Chris
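The workaround Chris mentions but does not show, "not using mode ANY", means giving the tunnel-validation check an SA whose mode is explicitly tunnel, and carrying the gateway-to-gateway traffic on its own transport-mode SA instead of sharing one mode-any SA for both. The setkey(8) configuration below is an added example written for this archive page, not part of the original mail or of the FreeBSD source; the gateway addresses, private networks, SPIs and keys are constructed placeholders, and the manual keys are shown only to make the file syntactically complete.

```conf
# Added example (not from the mail): setkey(8) file contrasting the SA layout that
# fails the new ipsec4_tunnel_validate() check with one that satisfies it.
# Gateways 192.0.2.1 / 198.51.100.1, networks 10.1/16 and 10.2/16, all SPIs and
# keys are constructed placeholders; replace them before use.
flush;
spdflush;

# --- Before: one SA per direction with "-m any", shared by the VPN tunnel and by
# plain transport traffic between the gateways. With ipsec.c v1.7 the inbound
# tunnelled packets hit "saidx.mode != IPSEC_MODE_TUNNEL" and are dropped.
#   add 192.0.2.1 198.51.100.1 esp 0x1001 -m any -E 3des-cbc 0x... -A hmac-sha1 0x...;
#   add 198.51.100.1 192.0.2.1 esp 0x1002 -m any -E 3des-cbc 0x... -A hmac-sha1 0x...;

# --- After: explicit tunnel-mode SAs for the site-to-site traffic ...
add 192.0.2.1 198.51.100.1 esp 0x1001 -m tunnel
    -E 3des-cbc 0x0123456789abcdef0123456789abcdef0123456789abcdef
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;
add 198.51.100.1 192.0.2.1 esp 0x1002 -m tunnel
    -E 3des-cbc 0xfedcba9876543210fedcba9876543210fedcba9876543210
    -A hmac-sha1 0xfedcba9876543210fedcba9876543210fedcba98;

# ... and separate transport-mode SAs for traffic between the gateways themselves.
add 192.0.2.1 198.51.100.1 esp 0x2001 -m transport
    -E 3des-cbc 0x00112233445566778899aabbccddeeff00112233445566778899aabb
    -A hmac-sha1 0x00112233445566778899aabbccddeeff00112233;
add 198.51.100.1 192.0.2.1 esp 0x2002 -m transport
    -E 3des-cbc 0xaabbccddeeff00112233445566778899aabbccddeeff0011
    -A hmac-sha1 0xaabbccddeeff00112233445566778899aabbccdd;

# Policies (as seen from gateway 192.0.2.1): private networks use the tunnel,
# gateway-to-gateway traffic uses transport mode.
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
spdadd 192.0.2.1 198.51.100.1 any -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 any -P in  ipsec esp/transport//require;
```

Loaded with `setkey -f`, the file leaves the SAD with an SA whose mode matches each policy, so the stricter check has a tunnel-mode SA to accept for the VPN traffic while the gateways' own traffic still gets transport-mode ESP. The cost is twice as many SAs to key and rotate, which is the trade-off Chris avoided by reverting the check instead. Note that the 3des-cbc key in the third SA above is 56 hex digits and must be trimmed to 48 (192 bits) before setkey will accept it; it is a constructed placeholder like the others.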