From: Misak Khachatryan
Date: Thu, 22 Feb 2018 13:08:33 +0400
Subject: Re: Racoon and setkey problems
To: Eugene Grosbein
Cc: "Andrey V. Elsukov", freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

That didn't help.

Best regards,
Misak Khachatryan

On Thu, Feb 22, 2018 at 11:50 AM, Eugene Grosbein wrote:
> On 22.02.2018 14:10, Misak Khachatryan wrote:
>> Hello there,
>>
>> just a quick feedback. I've added rules to my ipfw to block all isakmp
>> ports on interfaces not involved in ipsec and rebooted 3 of 4
>> machines. Situation returned to normal on them, but rebooting fourth
>> host is very painful. It seems I have some kind of massive ipsec
>> probes from botnet which fills all my SAD and SPD entries or PFKEY
>> sockets.
>>
>> All I need is to flush all SAD and SDP entries, but setkey can't do
>> that. Is there any other way?
>
> Try to increase sysctl kern.ipc.maxsockbuf up to some huge value like 80MB
> and re-try with setkey.
>