From: mbsd
To: freebsd-stable@freebsd.org
Date: Tue, 26 Jun 2012 01:45:52 +0300
Subject: Re: ipsec kernel panic

Thank you for your advice. Without ah it works perfectly.

On Mon, 2012-06-25 at 11:27 +0200, VANHULLEBUS Yvan wrote:
> On Mon, Jun 25, 2012 at 07:34:25AM +0300, mbsd wrote:
> > Hi stable users.
>
> Hi.
>
> > Like this good guy:
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=159629&cat=
> > I'm a bad guy and also have a kernel panic.
> > Maybe it doesn't matter whether you are a good or bad guy.
> >
> > It happened the first time around FreeBSD 9 ~ beta 2 or three. I don't
> > remember exactly.
> >
> > All I have is
> >
> > ?? ~ ??? cat /etc/ipsec.conf
> > add 192.168.0.2 192.168.0.1 esp 10022 -E blowfish-cbc "dododo";
> > add 192.168.0.1 192.168.0.2 esp 10020 -E blowfish-cbc dododo;
> >
> > add 192.168.0.2 192.168.0.1 ah 10007 -A hmac-md5 "dododo";
> > add 192.168.0.1 192.168.0.2 ah 10006 -A hmac-md5 "dododo";
> >
> > # for internet
> > spdadd 0.0.0.0/0 192.168.0.2 any -P in ipsec
> > esp/tunnel/192.168.0.1-192.168.0.2/require ah/transport//require;
> > spdadd 192.168.0.2 0.0.0.0/0 any -P out ipsec
> > esp/tunnel/192.168.0.2-192.168.0.1/require ah/transport//require;
> >
> > After service ipsec start I always have a kernel panic on stable.
>
> This will *not* solve the crash, but do you really need such an IPsec
> configuration with both ESP/tunnel and AH/transport?
>
> Most people who use such a configuration in fact just want ESP/Tunnel
> with payload authentication, which will be done by this:
>
> add 192.168.0.2 192.168.0.1 esp 10022 -E blowfish-cbc "dododo" -A hmac-md5 "dododo";
> add 192.168.0.1 192.168.0.2 esp 10020 -E blowfish-cbc dododo -A hmac-md5 "dododo";
>
> (if you do really use static SAs, please also consider moving to an
> IKE daemon...)
>
> spdadd 0.0.0.0/0 192.168.0.2 any -P in ipsec
> esp/tunnel/192.168.0.1-192.168.0.2/require;
> spdadd 192.168.0.2 0.0.0.0/0 any -P out ipsec
> esp/tunnel/192.168.0.2-192.168.0.1/require;
>
> If you do not really need AH, then you can move to this configuration,
> and confirm to us that you don't have the crash anymore.
>
> Of course, as I already said, the issue will still be in the code....
>
> Yvan.
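
Added example (not part of the original thread and not FreeBSD code): a small Python check that reads setkey(8)-style statements like those quoted above and flags the two things the reply points at, an SPD policy that stacks ah/transport on esp/tunnel and an ESP SA defined without -A. The function names and finding labels are hypothetical, and the sample input is constructed from the configuration quoted in the thread.

```python
# Added example: lint setkey(8)-style statements for the pattern discussed in the thread.
# Function names and finding labels are hypothetical; SAMPLE is constructed.
SAMPLE = """
add 192.168.0.2 192.168.0.1 esp 10022 -E blowfish-cbc "dododo";
add 192.168.0.2 192.168.0.1 ah 10007 -A hmac-md5 "dododo";
# for internet
spdadd 0.0.0.0/0 192.168.0.2 any -P in ipsec
    esp/tunnel/192.168.0.1-192.168.0.2/require ah/transport//require;
spdadd 192.168.0.2 0.0.0.0/0 any -P out ipsec
    esp/tunnel/192.168.0.2-192.168.0.1/require;
"""


def statements(text):
    """Yield each ';'-terminated statement as a token list.

    Simplification: '#' and ';' inside a quoted key are not handled.
    """
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in body.split(";"):
        tokens = stmt.split()
        if tokens:
            yield tokens


def lint(text):
    """Return (label, detail) review hints; these are not syntax errors."""
    findings = []
    for tok in statements(text):
        if tok[0] == "add" and len(tok) >= 5:
            src, dst, proto, spi = tok[1:5]
            # ESP SA with -E only: no integrity protection from ESP itself.
            if proto == "esp" and "-A" not in tok:
                findings.append(("esp-without-auth", f"{src}->{dst} spi {spi}"))
        elif tok[0] == "spdadd" and "ipsec" in tok and "-P" in tok:
            direction = tok[tok.index("-P") + 1]
            # Requests after 'ipsec' look like protocol/mode/src-dst/level.
            requests = [r.split("/") for r in tok[tok.index("ipsec") + 1:]]
            pairs = {(r[0], r[1]) for r in requests if len(r) >= 2}
            if {("esp", "tunnel"), ("ah", "transport")} <= pairs:
                findings.append(("esp-tunnel-plus-ah-transport",
                                 f"{tok[1]} {tok[2]} {direction}"))
    return findings


if __name__ == "__main__":
    for label, detail in lint(SAMPLE):
        print(f"{label}: {detail}")
```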