From owner-freebsd-bugs@FreeBSD.ORG Mon Jul 28 07:33:23 2003
From: "Company 2210"
To: freebsd-bugs@freebsd.org
Date: Mon, 28 Jul 2003 15:33:36 +0100
Subject: ARP Problem on VPN Gateway
List-Id: Bug reports

Right, I don't know if this is the right place to post, so apologies in
advance if I've got it wrong, but as I've received no response on other
mailing lists, and following a particular set of actions causes the kernel
to panic with a page fault, I presumed this might be the place:

The Setup:

Both gateways (ROUTER A & ROUTER B) use FreeBSD 5.0. The IKE daemon is
Racoon. IPSEC/IPSEC_ESP/IPSEC_DEBUG functionality is compiled into the
kernel.

Clients (12.20.78.0/25) <-----> (eth0) ROUTER A (eth1) <=======> (eth1) ROUTER B (eth0) <----> (12.20.65.69) Upstream ISP & Internet

Router A Configuration:
  eth0: 12.20.78.1  Subnet 255.255.255.128
  eth1: 10.0.0.1    Subnet 255.255.255.0

Router B Configuration:
  eth0: 12.20.65.70 Subnet 255.255.255.252
  eth1: 10.0.0.2    Subnet 255.255.255.0

The private IPs denote an IPSEC VPN connection (wireless) between ROUTER A
& B; all the client PCs are on public IPs.

Now, the VPN works perfectly, encrypting the packets over the wireless
link; however ROUTER A's eth0 interface does not appear in the arp -a
lookup:

? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 permanent [ethernet]
? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 [ethernet]
? (12.20.78.0) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
? (12.20.78.2) at 00:0c:cd:53:d9:f3 on eth0 [ethernet]
? (12.20.78.42) at 00:9a:17:90:d3:b4 on eth0 [ethernet]
? (12.20.78.52) at 00:2b:18:2e:22:21 on eth0 [ethernet]
? (12.20.78.127) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]

If I try and force the entry, I receive the following error:

routera# arp -s 12.20.78.1 00:0c:5d:e6:16:75
set: can only proxy for 12.20.78.1

The big problem this is causing is that clients cannot ping the gateway,
and it responds to no requests (i.e. I can't ssh into it), but it still
forwards packets perfectly. Basically it's as if 12.20.78.1 were
invisible.

The other strange thing is that if I ssh into ROUTER B and ping
12.20.78.1 I receive replies:

routerb# ping 12.20.78.1
PING 12.20.78.1 (12.20.78.1): 56 data bytes
64 bytes from 12.20.78.1: icmp_seq=0 ttl=64 time=3.577 ms
64 bytes from 12.20.78.1: icmp_seq=1 ttl=64 time=3.724 ms
64 bytes from 12.20.78.1: icmp_seq=2 ttl=64 time=3.817 ms
^C
--- 12.20.78.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.577/3.706/3.817/0.099 ms

The output of ROUTER B's arp table is displayed below:

? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 [ethernet]
? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 permanent [ethernet]
? (12.20.65.69) at 00:d0:03:ba:bb:fc on eth0 [ethernet]

The output from setkey -DP (for encrypting the packets across the
10.0.0.x link) on each router:

ROUTER A:
0.0.0.0/0[any] 12.20.78.0/25[any] any
        in ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require
        spid=2 seq=1 pid=778
        refcnt=1
12.20.78.0/25[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require
        spid=1 seq=0 pid=778
        refcnt=1

ROUTER B:
12.20.78.0/25[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require
        spid=8 seq=1 pid=24377
        refcnt=1
0.0.0.0/0[any] 12.20.78.0/25[any] any
        out ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require
        spid=7 seq=0 pid=24377
        refcnt=1

Now, the next logical step was, in my mind, to reboot ROUTER A, comment
out the ipsec.conf so no SPD policies are loaded, and force the arp entry
before configuring the gif0 VPN tunnel. I took these steps (gif0 has only
its internal IPs configured - 10.0.0.1->10.0.0.2 - external IPs are not
configured):

Steps on ROUTER A:

arp -S 12.20.78.1 00:05:5d:a6:15:78 pub permanent
ifconfig gif0 12.20.78.1 12.20.65.70 netmask 255.255.255.252

Kernel Panic.

Any ideas?

Many Thanks

Colin
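The two things Colin pastes, the `setkey -DP` policies of both gateways and each gateway's `arp -a` table, are exactly what a reviewer would want to check mechanically before touching the tunnel: do the SPDs on the two ends mirror each other (every outbound tunnel policy on one side matched by an inbound policy with the same selectors and outer addresses on the other), is every policy `require` rather than `use` (a `use` level lets traffic fall back to cleartext when no SA is present), and does each interface's own address have the permanent ARP entry FreeBSD normally installs for it? The script below is an added example, not part of the post or of FreeBSD; it parses the output formats as quoted in the message (the parser ignores line breaks, so either the flattened or the multi-line form works) and uses the post's own output as its sample input. The interface-to-address maps are taken from the "Router A/B Configuration" lines.

```python
"""Consistency checks for a two-gateway IPsec tunnel, fed with the
`setkey -DP` and `arp -a` output quoted in the post (example code, not
part of the original message or of FreeBSD)."""
import re
from typing import Dict, List, NamedTuple, Tuple


class Policy(NamedTuple):
    src: str        # selector source, e.g. "12.20.78.0/25"
    dst: str        # selector destination, e.g. "0.0.0.0/0"
    proto: str      # upper-layer protocol selector ("any")
    direction: str  # "in" or "out"
    tun_src: str    # outer (tunnel) source address
    tun_dst: str    # outer (tunnel) destination address
    level: str      # "require", "use" or "default"
    spid: int


# One tunnel policy as printed by setkey -DP; whitespace-insensitive so the
# flattened mailing-list copy parses the same as the real multi-line output.
POLICY_RE = re.compile(
    r"(?P<src>\S+)\[any\]\s+(?P<dst>\S+)\[any\]\s+(?P<proto>\S+)\s+"
    r"(?P<dir>in|out)\s+ipsec\s+esp/tunnel/(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)/"
    r"(?P<level>\w+)\s+spid=(?P<spid>\d+)"
)

# One arp -a line: "? (ip) at mac on ifname [permanent] [ethernet]"
ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>\S+) on (?P<ifn>\S+)(?P<perm> permanent)?"
)


def parse_spd(text: str) -> List[Policy]:
    return [Policy(m["src"], m["dst"], m["proto"], m["dir"], m["tsrc"],
                   m["tdst"], m["level"], int(m["spid"]))
            for m in POLICY_RE.finditer(text)]


def _key(p: Policy) -> Tuple[str, ...]:
    # Everything that must agree between an out policy and its peer's in policy.
    return (p.src, p.dst, p.proto, p.tun_src, p.tun_dst, p.level)


def check_tunnel_pair(spd_a: str, spd_b: str) -> List[str]:
    """Return a list of problems; an empty list means the SPDs mirror each other
    and no policy permits a cleartext fallback."""
    a, b = parse_spd(spd_a), parse_spd(spd_b)
    problems: List[str] = []
    for name, pols in (("A", a), ("B", b)):
        for p in pols:
            if p.level != "require":
                problems.append(f"router {name} spid={p.spid}: level is "
                                f"{p.level!r}, expected 'require'")

    def by_dir(pols: List[Policy], d: str):
        return {_key(p) for p in pols if p.direction == d}

    for k in sorted(by_dir(a, "out") - by_dir(b, "in")):
        problems.append(f"router A out policy {k[0]}->{k[1]} via "
                        f"{k[3]}-{k[4]} has no matching in policy on B")
    for k in sorted(by_dir(b, "out") - by_dir(a, "in")):
        problems.append(f"router B out policy {k[0]}->{k[1]} via "
                        f"{k[3]}-{k[4]} has no matching in policy on A")
    return problems


def missing_self_entries(arp_text: str, addrs: Dict[str, str]) -> List[str]:
    """Interfaces (ifname -> own address) whose address has no permanent entry
    in the given arp -a output, i.e. the symptom reported for ROUTER A's eth0."""
    permanent = {(m["ip"], m["ifn"]) for m in ARP_RE.finditer(arp_text) if m["perm"]}
    return [f"{ifn} {ip}" for ifn, ip in sorted(addrs.items())
            if (ip, ifn) not in permanent]


# Sample input: the setkey -DP and arp -a output quoted in the post.
ROUTER_A_SPD = """
0.0.0.0/0[any] 12.20.78.0/25[any] any in ipsec esp/tunnel/10.0.0.2-10.0.0.1/require spid=2 seq=1 pid=778 refcnt=1
12.20.78.0/25[any] 0.0.0.0/0[any] any out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require spid=1 seq=0 pid=778 refcnt=1
"""
ROUTER_B_SPD = """
12.20.78.0/25[any] 0.0.0.0/0[any] any in ipsec esp/tunnel/10.0.0.1-10.0.0.2/require spid=8 seq=1 pid=24377 refcnt=1
0.0.0.0/0[any] 12.20.78.0/25[any] any out ipsec esp/tunnel/10.0.0.2-10.0.0.1/require spid=7 seq=0 pid=24377 refcnt=1
"""
ROUTER_A_ARP = """
? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 permanent [ethernet]
? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 [ethernet]
? (12.20.78.0) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
? (12.20.78.2) at 00:0c:cd:53:d9:f3 on eth0 [ethernet]
? (12.20.78.127) at ff:ff:ff:ff:ff:ff on eth0 permanent [ethernet]
"""
ROUTER_B_ARP = """
? (10.0.0.1) at 00:05:5d:a6:15:78 on eth1 [ethernet]
? (10.0.0.2) at 00:c0:dd:ea:ac:5c on eth1 permanent [ethernet]
? (12.20.65.69) at 00:d0:03:ba:bb:fc on eth0 [ethernet]
"""
ROUTER_A_ADDRS = {"eth0": "12.20.78.1", "eth1": "10.0.0.1"}
ROUTER_B_ADDRS = {"eth0": "12.20.65.70", "eth1": "10.0.0.2"}

if __name__ == "__main__":
    print("SPD problems:", check_tunnel_pair(ROUTER_A_SPD, ROUTER_B_SPD) or "none")
    print("Router A interfaces without a permanent self entry:",
          missing_self_entries(ROUTER_A_ARP, ROUTER_A_ADDRS))
    print("Router B interfaces without a permanent self entry:",
          missing_self_entries(ROUTER_B_ARP, ROUTER_B_ADDRS))
```

Run against the quoted output, the SPD check passes (the two policy sets are exact mirrors and both are `require`), which supports Colin's observation that the tunnel itself is fine. The ARP check flags `eth0 12.20.78.1` on ROUTER A, the address he cannot reach, and, on the table pasted for ROUTER B, `eth0 12.20.65.70` as well, since no permanent entry for it appears in that output either. Changing one policy's level to `use` on either side makes the SPD check report both the weakened level and the resulting mirror mismatch, which is the kind of silent cleartext fallback worth catching before it is relied on.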