From: Cyrus Rahman
To: freebsd-gnats-submit@FreeBSD.org
Date: Wed, 5 Mar 2008 10:56:36 GMT
Subject: kern/121384: New IPSEC fails to obey policy levels
Message-Id: <200803051056.m25Auaek054966@www.freebsd.org>
Resent-To: freebsd-bugs@FreeBSD.org (GNATS Filer, Wed, 5 Mar 2008 11:00:03 GMT)

>Number:         121384
>Category:       kern
>Synopsis:       New IPSEC fails to obey policy levels
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 05 11:00:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Cyrus Rahman
>Release:        7.0-RELEASE
>Organization:
>Environment:
FreeBSD snowfall.signetica.com 7.0-RELEASE FreeBSD 7.0-RELEASE #7: Wed Mar 5 00:48:02 MST 2008 cr@snowfall.signetica.com:/usr/src/sys/i386/compile/SIGNETICA i386
>Description:
IPSEC policies include a level: default, use, require, or unique. A level of 'use' should mean that the kernel will use an SA if available; otherwise it should pass the packet as it would normally. However, with the new IPSEC this level is ignored and packets are discarded if the SA is not available.
>How-To-Repeat:
Between two hosts with no security associations, and which are not running anything to set up such associations, check for connectivity with ping.

From hostA:

    root# ping hostB
    ...echo replies

Install a policy like this on hostA:

    spdadd -4 hostA hostB any -P out ipsec esp/transport//use;
    spdadd -4 hostB hostA any -P in ipsec esp/transport//use;

Things should continue to work; however:

    root# ping hostB
    ping: sendto: Invalid argument
    ping: sendto: Invalid argument
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
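The repeat-by steps above, turned into a reproduction script. This is an added example for this page, not code from the report or from FreeBSD. It assumes a FreeBSD host acting as hostA with setkey(8) and ping(8), run as root; the `-t` ping flag is FreeBSD's per-run timeout; the 192.0.2.x addresses used when exercising the helpers are constructed placeholders. The script flushes the whole SPD (`setkey -FP`) before and after the test, so use it only on hosts whose IPsec policy you are free to discard. Against the kernel described in the report, `reproduce hostA hostB use` with no SA in place should print `expected=pass observed=drop`; a kernel that honours the level prints `observed=pass`.

```shell
#!/bin/sh
# Reproduction for kern/121384: does a transport-mode ESP policy at level
# 'use' let traffic through in the clear when no SA exists?
# Added example, not from the original report. Requires root on FreeBSD.

# Emit the two spdadd lines from the report for the given policy level
# (use, require, unique or default), covering both directions on hostA.
policy_conf() {
    local_host=$1 peer=$2 level=$3
    printf 'spdadd -4 %s %s any -P out ipsec esp/transport//%s;\n' "$local_host" "$peer" "$level"
    printf 'spdadd -4 %s %s any -P in ipsec esp/transport//%s;\n' "$peer" "$local_host" "$level"
}

# Documented meaning of each level (ipsec_set_policy(3)) when no SA exists:
# 'use' passes the packet unprotected, 'require' and 'unique' drop it,
# 'default' defers to the kernel's net.inet.ipsec.esp_trans_deflev sysctl.
expected_without_sa() {
    case $1 in
        use)            echo pass ;;
        require|unique) echo drop ;;
        default)        echo "sysctl net.inet.ipsec.esp_trans_deflev" ;;
        *)              echo unknown; return 1 ;;
    esac
}

# Probe the peer; prints pass if echo replies come back, drop otherwise
# (the report's symptom is sendto: Invalid argument, which also counts as drop).
observed_ping() {
    # -c 2: two probes; -t 4: FreeBSD ping(8) overall timeout in seconds.
    if ping -q -c 2 -t 4 "$1" >/dev/null 2>&1; then echo pass; else echo drop; fi
}

# Install the policy on this host, re-test connectivity, compare to the
# documented behaviour, then remove the policy again. Returns 0 on a match.
reproduce() {
    local_host=$1 peer=$2 level=$3
    setkey -FP                                  # empty SPD to start from
    echo "SAD (should be empty for this test):"; setkey -D
    echo "baseline, no policy: $(observed_ping "$peer")"
    policy_conf "$local_host" "$peer" "$level" | setkey -c
    echo "installed SPD:"; setkey -DP           # confirm the level the kernel recorded
    want=$(expected_without_sa "$level")
    got=$(observed_ping "$peer")
    echo "level=$level expected=$want observed=$got"
    setkey -FP                                  # leave no test policy behind
    [ "$got" = "$want" ]
}

case $# in
    3) reproduce "$1" "$2" "$3" ;;
    0) : ;;   # no arguments: define the functions only (sourced or harnessed)
    *) echo "usage: $0 local-addr peer-addr {use|require|unique|default}" >&2; exit 64 ;;
esac
```

Run it as `sh repro.sh <hostA-addr> <hostB-addr> use`, then again with `require` to confirm the harness itself distinguishes the two levels: `require` is expected to drop either way, so only the `use` run tells you whether the kernel obeys the level.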