From: VANHULLEBUS Yvan
To: Chris Buechler
Cc: freebsd-net@FreeBSD.org
Date: Tue, 23 Jun 2009 10:18:46 +0200
Subject: Re: IPsec crash, patch for review
Message-ID: <20090623081845.GA68752@zeninc.net>
References: <20090619130040.GA53996@zeninc.net> <4A3D7885.9010809@pfsense.org>
In-Reply-To: <4A3D7885.9010809@pfsense.org>
User-Agent: All mail clients suck. This one just sucks less.

On Sat, Jun 20, 2009 at 08:02:13PM -0400, Chris Buechler wrote:
> VANHULLEBUS Yvan wrote:
> Hi,

Hi.

[...]

> We tried this patch on 7.2 (with patch-natt-7.2-2009-05-12.diff from
> your ~) due to a seemingly similar problem, but IPsec stops working with
> the patch applied. Using test setup:
>
> Host A -- fwA -- fwB -- Host B
>
> where fwA has the patch and fwB is the same 7.2 minus this patch, and
> there is an IPsec connection between fwA and fwB. It brings up the
> connection no problem, and if I leave a constant ping going, every time
> I restart racoon on fwA I get exactly one response through.

Bjoern reported to me that the actual patch will break things on IPv6 (another patch will be posted soon which should solve this problem). Are you in a full IPv4 world, or do you have some IPv6 + IPsec configuration?

> From tcpdump on enc0 on both ends and the actual NICs, I see that
> traffic from Host B to Host A gets all the way through the tunnel to
> Host A, it responds, the response is seen on fwA's LAN port, but it
> doesn't hit enc0. Traffic from Host A to Host B is seen on the LAN port
> of fwA, but not on enc0 and not on enc0 of the remote side.
>
> Replace the kernel on fwA with one minus the patch and it works fine
> (except it will spontaneously reboot under high load).
>
> That's with patch-xform_freespfix-3. Should that work with 7.2 in
> combination with the NAT-T patch? It applies cleanly.

Patch has been done against TRUNK, but it is probably exactly the same for 7.2. And yes, we're using it in combination with the NAT-T patch.

Can you test again with an INVARIANT kernel, which (I hope) will raise any locking issue?

Thanks for the report,

Yvan.