Date:      Wed, 11 Aug 2004 18:04:53 +0200 (CEST)
From:      Angelo Turetta <aturetta@commit.it>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        aturetta@commit.it
Subject:   ports/70309: racoon disrupt manually-keyed IPSEC tunnels on exit
Message-ID:  <200408111604.i7BG4rvY000890@fw.ceditsrl.it>
Resent-Message-ID: <200408111610.i7BGAQTm025866@freefall.freebsd.org>


>Number:         70309
>Category:       ports
>Synopsis:       racoon disrupt manually-keyed IPSEC tunnels on exit
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 11 16:10:25 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Angelo Turetta
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
>Environment:
System: FreeBSD fw.ceditsrl.it 4.10-STABLE FreeBSD 4.10-STABLE #8: Wed Aug 11 14:50:12 CEST 2004 aturetta@fw.ceditsrl.it:/usr/obj/usr/src/sys/CEDIT2 i386

>Description:
	Upon exit, the racoon IKE daemon erases all the entries in the SAD (Security
	Association Database), and not only those which were negotiated by itself.
>How-To-Repeat:
	Establish a manually keyed ESP tunnel: that usually involves having some lines
	like the following in your /etc/ipsec.conf:

# manually keyed SAs, one per direction (ip.ho.st.*, spi_num and the keys are placeholders)
add ip.ho.st.A ip.ho.st.B esp spi_num -m any -E 3des-cbc enc_key -A hmac-md5 auth_key;
add ip.ho.st.B ip.ho.st.A esp spi_num -m any -E 3des-cbc enc_key -A hmac-md5 auth_key;
# policies on host B: inbound traffic from lan_A, outbound traffic towards lan_A
spdadd lan_A/24 lan_B/24 any -P in ipsec esp/tunnel/ip.ho.st.A-ip.ho.st.B/require;
spdadd lan_B/24 lan_A/24 any -P out ipsec esp/tunnel/ip.ho.st.B-ip.ho.st.A/require;

	Just after a reboot this setup will bring the tunnel up without the need for
	a keying daemon. If on the same host you need to set up some connection that
	needs IKE negotiation, and you install security/racoon for the purpose, when you
	stop the daemon all the SAD entries (those beginning with add in /etc/ipsec.conf)
	are erased.

	Please note that stopping racoon is not that uncommon, as it's the only way to
	make it reload its configuration if you need to change it!

	racoon should only delete the SAD entries added by itself to the DB after
	negotiation with its peers, and leave alone the ones which were not touched
	by its activity.
>Fix:

	The only workaround I found is to re-initialize the SAD after stopping racoon,
	by modifying the racoon.sh script installed by the port as follows.

	Please note that
	 A) the real fix should be for racoon to ignore SADs it didn't write
	 B) in 5.x reloading the IPSEC policies should be done only by /etc/rc.d/ipsec

--- racoon.sh.patch begins here ---
--- files/racoon.sh.orig	Wed Aug 11 16:53:36 2004
+++ files/racoon.sh	Wed Aug 11 17:28:45 2004
@@ -4,7 +4,7 @@
 # $FreeBSD: ports/security/racoon/files/racoon.sh,v 1.2 2004/01/06 15:31:09 sumikawa Exp $
 
 # PROVIDE: racoon
-# REQUIRE: DAEMON
+# REQUIRE: DAEMON IPSEC
 # BEFORE: LOGIN
 # KEYWORD: FreeBSD shutdown
 #
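Review bot: the new `# REQUIRE: DAEMON IPSEC` line only orders anything if some rc.d script carries a matching `# PROVIDE: IPSEC`; rcorder compares provider names as literal, case-sensitive strings, so check the spelling against the PROVIDE line of the /etc/rc.d/ipsec script that the Fix section says should own policy reloading on 5.x. On the 4.10 system this report comes from, port rc scripts are not ordered by rcorder at all, so the dependency has no effect there; the commit message should say which release the ordering is meant for.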
@@ -36,6 +36,17 @@
 
 racoon_poststop() {
 	/bin/rm -f ${pidfile}
+	#FIXME
+	# in 5.x this should be better handled by something like
+	# run_rc_script /etc/rc.d/ipsec restart
+	if [ -f ${ipsec_file} ]; then
+	    echo " ipsec: reloading policy from ${ipsec_file}"
+	    setkey -F
+	    setkey -FP
+	    setkey -f ${ipsec_file}
+	else
+	    echo ' ipsec: file not found'
+	fi
 }
 
 load_rc_config $name
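Review bot: `setkey -FP` followed by `setkey -f ${ipsec_file}` flushes the whole SPD and rebuilds it from the file, which opens a window with no policy installed, during which packets for the remote LAN are no longer required to use ESP. The Description states that racoon only erases the SAD, so the `-FP` and the policy reload are not needed to repair the damage: re-add only the `add` statements (the SAs) and leave the SPD alone. Also, `${ipsec_file}` is not set anywhere in this script and is only available if `load_rc_config` has pulled it in from rc.conf; give it an explicit default (for example `: ${ipsec_file:=/etc/ipsec.conf}`) and quote the expansion in the `-f` test and in the `setkey -f` call. The `else` branch should name the file it failed to find, and both messages would be better routed through the rc.subr `warn` helper than bare `echo`.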
--- racoon.sh.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
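The workaround in the patch above reloads all of /etc/ipsec.conf, policies included. A narrower repair, given here as an added example that is not code from the report, the racoon port or FreeBSD, re-adds only the manually keyed SAs that the flush removed: it parses the `add` statements from ipsec.conf, compares them with a `setkey -D` dump, and feeds only the missing ones back to `setkey -c`, never touching the SPD. It generalizes a little beyond the report's ESP-only example (esp, ah and ipcomp SAs; SPIs written in decimal or hex). The function names, the assumed layout of the `add` statements and of the `setkey -D` output, and the sample data used by the self-test are assumptions and constructed input, not material from the report.

```sh
#!/bin/sh
# Added example for PR 70309; not code from the report, the racoon port or the
# FreeBSD rc framework. After racoon has been stopped (and has flushed the SAD),
# re-add only those manually keyed SAs from ipsec.conf that the kernel no
# longer has. The SPD is never flushed, so traffic for the remote LAN is never
# left without its "require" policy while the SAs are being restored.
#
# Assumptions (hypothetical; the report does not specify them):
#  - "add" statements have the form:  add SRC DST PROTO SPI [options] ;
#  - a "setkey -D" dump prints each SA as an unindented "SRC DST" line followed
#    by an indented "PROTO mode=... spi=DEC(0xHEX) ..." line; the dump used in
#    the self-test is constructed, not captured from a real host.

# awk helper shared by both programs below: an SPI written as "0x3e8" or "1000"
# (optionally followed by ';') -> decimal number.
AWK_SPI_FUNC='
function spi_dec(s,   i, c, v) {
    s = tolower(s); sub(/;$/, "", s)
    if (substr(s, 1, 2) != "0x") return s + 0
    s = substr(s, 3); v = 0
    for (i = 1; i <= length(s); i++) {
        c = index("0123456789abcdef", substr(s, i, 1)) - 1
        v = v * 16 + c
    }
    return v
}'

# sad_entries: read a "setkey -D" dump on stdin; print "SRC DST PROTO SPI"
# (decimal SPI) for every SA in it.
sad_entries() {
    awk "$AWK_SPI_FUNC"'
        /^[^ \t]/ { src = $1; dst = $2; next }       # SA header: "SRC DST"
        /^[ \t]+(esp|ah|ipcomp) / {                  # "esp mode=... spi=1000(0x3e8) ..."
            for (i = 2; i <= NF; i++)
                if ($i ~ /^spi=/) {
                    s = $i; sub(/^spi=/, "", s); sub(/\(.*/, "", s)
                    print src, dst, $1, spi_dec(s)
                }
        }'
}

# missing_manual_sas IPSEC_CONF SAD_LIST: print every "add" statement in
# IPSEC_CONF whose (SRC, DST, PROTO, SPI) is absent from SAD_LIST, a file
# holding sad_entries output. spdadd lines are ignored: policies stay as they are.
missing_manual_sas() {
    awk -v sadlist="$2" "$AWK_SPI_FUNC"'
        BEGIN { while ((getline l < sadlist) > 0) present[l] = 1; close(sadlist) }
        $1 == "add" {
            key = $2 " " $3 " " $4 " " spi_dec($5)
            if (!(key in present)) print
        }' "$1"
}

# restore_manual_sas IPSEC_CONF: feed the missing "add" statements to setkey.
# Needs root and an IPsec-enabled kernel; the self-test never calls it.
restore_manual_sas() {
    tmp=$(mktemp) || return 1
    setkey -D | sad_entries > "$tmp"
    missing=$(missing_manual_sas "$1" "$tmp")
    rm -f "$tmp"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | setkey -c
    fi
}
```

In a racoon_poststop hook this would be a single `restore_manual_sas /etc/ipsec.conf` call; because the SPD is untouched, the "require" policies keep rejecting unprotected traffic for the remote LAN until the SAs are back, instead of briefly allowing it as a flush-and-reload of the policy file does.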


