Date:      Thu, 9 Nov 2000 23:48:19 +1100
From:      "Chris Cason" <casonc@netplex.aussie.org>
To:        <freebsd-security@FreeBSD.ORG>
Subject:   [solved] Re: IPSEC tunnels fail with -stable  kernel?
Message-ID:  <001f01c04a4b$57ff84e0$023a1dac@dsat.net.au>
References:  <5.0.0.25.0.20001108115420.076aeeb0@marble.sentex.ca> <003c01c049f1$b24bec40$023a1dac@dsat.net.au> <20001108181234.A1768@citusc17.usc.edu> <001501c049f6$c578baa0$023a1dac@dsat.net.au>

>I'm in a bit of a spot. I upgraded several FreeBSD 4.1 boxes via
>cvsup (tracking stable) and rebuilt, and now my previously-working
>IPSEC VPNs have stopped. The new kernel is at 4.2-BETA on the boxen
>in question, the old varied but one was as recent as October 14.

I have found & solved this problem (at least from my point of view).
Version 1.7 of netinet6/ipsec.c (v1.3.2.3 of RELENG_4) which was put
into CVS a few days ago had the following added to the function
ipsec4_tunnel_validate () (at line 3151)

  if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL)
    return 0;

Since my SAD entries were configured to mode ANY (the default, which
is exactly what I want since I encrypt both the tunneled traffic for
the VPN and the normal transport-level traffic between the gateways),
the received tunneled traffic was all being dropped.

While I could work around this by not using mode ANY I chose to patch
instead - removing the above code from ipsec.c and rebuilding the kernel
solved the problem. The question I have (and it's probably best asked in
-bugs) is if this is a bug or not. The change shown above was the only
change (along with ipsec6_tunnel_validate) between v1.6 and 1.7 of ipsec.c,
so it must have some logic behind it.

-- Chris
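As an added illustration (not part of the post, and not FreeBSD's own sources), this is what the "not using mode ANY" workaround looks like in a setkey configuration: instead of relying on the default mode (any) to serve both the VPN and the gateway-to-gateway traffic, each SA declares its mode explicitly, so the tunnel SAs satisfy the new check in ipsec4_tunnel_validate() without touching the kernel. The gateway addresses 192.0.2.1 and 198.51.100.1, the 10.1/16 and 10.2/16 subnets, the SPIs and the 24-byte key placeholders are all assumed values.

```conf
# Added example, not from the post. Loaded on gateway A (192.0.2.1) with
# "setkey -f"; gateway B mirrors it. Addresses, SPIs and keys are placeholders.
flush;
spdflush;

# SAs for the VPN: the explicit "-m tunnel" is what the v1.7 check in
# ipsec4_tunnel_validate() requires; "-m any" (the default) now fails it,
# and the check runs on the receiving side, so both directions need it.
add 192.0.2.1 198.51.100.1 esp 0x1001 -m tunnel
    -E 3des-cbc "REPLACE-WITH-24-BYTE-KEY" ;
add 198.51.100.1 192.0.2.1 esp 0x1002 -m tunnel
    -E 3des-cbc "REPLACE-WITH-24-BYTE-KEY" ;

# Separate SAs for traffic between the gateways themselves, explicitly transport,
# replacing the single mode-any SA that previously covered both uses.
add 192.0.2.1 198.51.100.1 esp 0x2001 -m transport
    -E 3des-cbc "REPLACE-WITH-24-BYTE-KEY" ;
add 198.51.100.1 192.0.2.1 esp 0x2002 -m transport
    -E 3des-cbc "REPLACE-WITH-24-BYTE-KEY" ;

# Policies: subnet-to-subnet traffic is matched to the tunnel SAs ...
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require ;
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require ;

# ... and gateway-to-gateway traffic to the transport SAs.
spdadd 192.0.2.1 198.51.100.1 any -P out ipsec esp/transport//require ;
spdadd 198.51.100.1 192.0.2.1 any -P in ipsec esp/transport//require ;
```

After loading, `setkey -D` should list the four SAs with their modes, and the inbound tunnel SA (here SPI 0x1002) is the one the v1.7 check inspects when decapsulated VPN packets arrive.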