From: Misak Khachatryan
Date: Thu, 22 Feb 2018 11:10:54 +0400
Subject: Re: Racoon and setkey problems
To: "Andrey V. Elsukov"
Cc: Eugene Grosbein, freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

Hello there, just some quick feedback.

I've added rules to my ipfw to block all isakmp ports on interfaces not involved in ipsec and rebooted 3 of 4 machines. The situation returned to normal on them, but rebooting the fourth host is very painful. It seems I have some kind of massive ipsec probes from a botnet which fill all my SAD and SPD entries or PFKEY sockets. All I need is to flush all SAD and SPD entries, but setkey can't do that. Is there any other way?

Best regards,
Misak Khachatryan

On Tue, Feb 20, 2018 at 4:47 PM, Andrey V. Elsukov wrote:
> On 20.02.2018 08:55, Eugene Grosbein wrote:
>>> Yes, all output is from the same machine. I'll recheck all configs again,
>>> or, if it's OK, I can post them here. The most confusing thing is that
>>> everything worked like a charm for several years. And nothing changed in
>>> the configurations until the logs started to fill up with these messages and I
>>> tried to play with some settings to troubleshoot.
>>
>> You may be suffering from some kind of massive IPSEC-scanning bot activity
>> that tries to exploit IPSEC-related bugs and trigger some memory leak.
>>
>> You should really try 11.1.
>
> 11.1-RELEASE had several bugs in the new IPsec code that were fixed in the
> stable/11 branch. So, if you want to try, I recommend using stable/11.
> Also, there is very little chance that some problem will be fixed in the 10.x
> branch.
>
> --
> WBR, Andrey V. Elsukov
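The SAD growth the message describes can be measured per peer from the output of `setkey -D`, which makes a flood from one source stand out. This is an added check written for this thread, not code from any of the participants; the dump below is constructed (documentation addresses, fake SPIs), and the parser only relies on `setkey -D` printing one unindented "src dst" header line per SA followed by one `spi=` line.

```shell
#!/bin/sh
# Count IPsec SAD entries per peer address from `setkey -D` output.
# Constructed sample: RFC 5737 addresses and fake SPIs. Real output is
# tab-indented; the sample uses spaces and the parser accepts both.
SAMPLE_SAD='192.0.2.10 198.51.100.5
    esp mode=tunnel spi=1(0x00000001) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.10 198.51.100.5
    esp mode=tunnel spi=2(0x00000002) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=larval
203.0.113.7 198.51.100.5
    esp mode=tunnel spi=3(0x00000003) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# sad_count DUMP: total number of SAs (one "spi=" line per SA)
sad_count() {
    printf '%s\n' "$1" | grep -c 'spi='
}

# sad_by_peer DUMP: one "source-address count" line per peer, highest first
sad_by_peer() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { peer = $1 }        # unindented header: "src dst"
        /spi=/    { n[peer]++ }        # one SA per spi= line
        END { for (p in n) print p, n[p] }' | sort -k2,2nr -k1,1
}

# sad_flag DUMP THRESHOLD: print peers holding more than THRESHOLD SAs;
# exit status is 1 when any peer is over the limit, 0 otherwise
sad_flag() {
    sad_by_peer "$1" | awk -v lim="$2" '
        $2 > lim { print; bad = 1 }
        END { exit bad }'
}

# Against the live kernel: sad_flag "$(setkey -D)" 50
sad_by_peer "$SAMPLE_SAD"
sad_flag "$SAMPLE_SAD" 1 || echo "one or more peers over the SA limit"
```

Once a peer is flagged, `setkey -F` flushes the SAD and `setkey -FP` flushes the SPD; run the check again afterwards to see whether the entries are being re-created.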