Date: Thu, 9 Nov 2000 23:48:19 +1100
From: "Chris Cason" <casonc@netplex.aussie.org>
To: <freebsd-security@FreeBSD.ORG>
Subject: [solved] Re: IPSEC tunnels fail with -stable kernel?
Message-ID: <001f01c04a4b$57ff84e0$023a1dac@dsat.net.au>
References: <5.0.0.25.0.20001108115420.076aeeb0@marble.sentex.ca> <003c01c049f1$b24bec40$023a1dac@dsat.net.au> <20001108181234.A1768@citusc17.usc.edu> <001501c049f6$c578baa0$023a1dac@dsat.net.au>
> I'm in a bit of a spot. I upgraded several FreeBSD 4.1 boxes via
> cvsup (tracking stable) and rebuilt, and now my previously-working
> IPSEC VPNs have stopped. The new kernel is at 4.2-BETA on the boxen
> in question, the old varied but one was as recent as October 14.

I have found & solved this problem (at least from my point of view).

Version 1.7 of netinet6/ipsec.c (v1.3.2.3 of RELENG_4), which was put into
CVS a few days ago, had the following added to the function
ipsec4_tunnel_validate () (at line 3151):

    if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL)
        return 0;

Since my SAD entries were configured to mode ANY (the default, which is
exactly what I want since I encrypt both the tunneled traffic for the VPN
and the normal transport-level traffic between the gateways), the received
tunneled traffic was all being dropped.

While I could work around this by not using mode ANY, I chose to patch
instead - removing the above code from ipsec.c and rebuilding the kernel
solved the problem.

The question I have (and it's probably best asked in -bugs) is if this is
a bug or not. The change shown above was the only change (along with
ipsec6_tunnel_validate) between v1.6 and 1.7 of ipsec.c, so it must have
some logic behind it.

-- Chris
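A constructed C model of the behaviour the message describes, added here and not code from the FreeBSD/KAME source: the v1.7 check drops tunnel traffic whenever the matching SA is mode ANY, while splitting that SA into explicit tunnel and transport SAs (the workaround the author mentions) passes both kinds of traffic under the same check. The enum values, struct layout and SA names are assumptions for the model only.

```c
#include <stdio.h>

/* Constructed stand-ins for the KAME mode constants; values are assumptions. */
enum ipsec_mode { IPSEC_MODE_ANY = 0, IPSEC_MODE_TRANSPORT = 1, IPSEC_MODE_TUNNEL = 2 };

/* Minimal model of a security association: only the saidx.mode field the
 * quoted check inspects is represented. */
struct sa {
    const char *name;
    enum ipsec_mode mode;
};

/* Model of ipsec4_tunnel_validate() for an inbound tunnel packet that
 * matched sav. strict=1 models the v1.7 check quoted in the message (mode
 * must be TUNNEL); strict=0 models v1.6, which did not inspect the mode
 * here. Returns 1 if the packet is accepted, 0 if dropped. */
int tunnel_validate(const struct sa *sav, int strict)
{
    if (strict && sav->mode != IPSEC_MODE_TUNNEL)
        return 0;
    return 1;
}

/* SA selection: a mode-ANY SA serves both tunnel and transport traffic. */
int sa_matches(const struct sa *sav, enum ipsec_mode pkt_mode)
{
    return sav->mode == IPSEC_MODE_ANY || sav->mode == pkt_mode;
}

/* Count how many of the two inbound packet kinds (tunnel, transport) get
 * through a given SAD under the chosen validate semantics. */
int accepted_count(const struct sa *sad, int nsa, int strict)
{
    enum ipsec_mode kinds[2] = { IPSEC_MODE_TUNNEL, IPSEC_MODE_TRANSPORT };
    int ok = 0;
    for (int k = 0; k < 2; k++) {
        for (int i = 0; i < nsa; i++) {
            if (!sa_matches(&sad[i], kinds[k]))
                continue;
            /* the tunnel check only runs when decapsulating tunnel traffic */
            if (kinds[k] == IPSEC_MODE_TUNNEL && !tunnel_validate(&sad[i], strict))
                continue;
            ok++;
            break;
        }
    }
    return ok;
}

/* Constructed SADs: the author's single mode-ANY SA, and the workaround. */
const struct sa sad_any[]   = { { "gw-any", IPSEC_MODE_ANY } };
const struct sa sad_split[] = { { "gw-tunnel", IPSEC_MODE_TUNNEL },
                                { "gw-transport", IPSEC_MODE_TRANSPORT } };
```

Under the v1.7 semantics the mode-ANY SAD passes only the transport traffic; the two-SA SAD passes both.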