Date: Wed, 14 Jan 2004 00:57:31 +0100
From: Dierk Sacher
To: "Bjoern A. Zeeb"
Cc: freebsd-bugs@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/61323: KAME IPSEC broken, IKE not excluded from policy, crashes

Quoting Bjoern A. Zeeb, Tue, Jan 13, 2004 at 07:42:46PM +0000:
> On Tue, 13 Jan 2004, Dierk Sacher wrote:
>
> > >Fix:
> > No known fix, but the isakmp traffic should not have been blocked.
> > A none policy for udp/500 does not work around the bug, it just crashes too
>
> Can you please try the patches mentioned in
> http://lists.freebsd.org/pipermail/freebsd-current/2004-January/018084.html

Thank you for the pointer. I applied all the patches and from some lazy
testing I'm able to confirm that the related crashes and panics are gone.
I'll continue to stress the whole setup over the next days and inform you
if there are any upcoming stability issues or the like.

The handling of the IKE packets is still broken. Beyond a now acceptable
workaround, the "manual" handling of the IKE traffic will lead us into a
chicken-and-egg problem and should better be implemented the way it's
supposed to be.

Said patches should be listed in the Fix section of the PR. (My job? No
experience with PRs so far.)

Regards
Dierk Sacher

--
GPG Fingerprint: D14C 12BB 37A6 6745 7F4F F420 9E59 D79E A492 2A96
GPG KeyID      : A4922A96