From owner-freebsd-stable@FreeBSD.ORG Fri Jan 2 02:12:13 2015
Date: Thu, 1 Jan 2015 20:12:11 -0600
From: Chris Watson
To: "Bjoern A. Zeeb"
Cc: freebsd-stable@freebsd.org
Subject: Re: IPSec and racoon issue...
In-Reply-To: <620F82BB-1D53-4F2A-9C67-51D5EC3C3144@lists.zabbadoz.net>
References: <620F82BB-1D53-4F2A-9C67-51D5EC3C3144@lists.zabbadoz.net>
List-Id: Production branch of FreeBSD source code

Bjoern,

Well now the puzzle deepens. I noticed about 5 minutes before your email
came through I have NO *ipsec* or *net.key* sysctls. It's like the crypto
subsystem isn't getting pulled into my kernel compile, even though it's in
the config. Whaaaat? I wonder if my src tree is jacked. But how could the
kernel build if it didn't have all the bits that are in my kernel config?
Maybe I pulled a src update in the middle of someone's commit? This is
really weird.

Kernel Config of the server in question:

# $FreeBSD: stable/10/sys/amd64/conf/GENERIC 272313 2014-09-30 16:55:19Z bz $

cpu             HAMMER
ident           PRIYANKA

#makeoptions    DEBUG=-g                # Build kernel with gdb(1) debug symbols
#makeoptions    WITH_CTF=1              # Run ctfconvert(1) for DTrace support

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         TCP_OFFLOAD             # TCP offload
options         SCTP                    # Stream Control Transmission Protocol
#options        FFS                     # Berkeley Fast Filesystem
#options        SOFTUPDATES             # Enable FFS soft updates support
#options        UFS_ACL                 # Support for access control lists
#options        UFS_DIRHASH             # Improve performance on big directories
#options        UFS_GJOURNAL            # Enable gjournal-based UFS journaling
#options        QUOTA                   # Enable disk quotas for UFS
options         MD_ROOT                 # MD is a potential root device
#options        NFSCL                   # New Network Filesystem Client
#options        NFSD                    # New Network Filesystem Server
#options        NFSLOCKD                # Network Lock Manager
#options        NFS_ROOT                # NFS usable as /, requires NFSCL
#options        MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
#options        GEOM_RAID               # Soft RAID functionality.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_FREEBSD32        # Compatible with i386 binaries
#options        COMPAT_FREEBSD4         # Compatible with FreeBSD4
#options        COMPAT_FREEBSD5         # Compatible with FreeBSD5
#options        COMPAT_FREEBSD6         # Compatible with FreeBSD6
#options        COMPAT_FREEBSD7         # Compatible with FreeBSD7
#options        SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         AUDIT                   # Security event auditing
options         CAPABILITY_MODE         # Capsicum capability mode
options         CAPABILITIES            # Capsicum capabilities
options         PROCDESC                # Support for process descriptors
options         MAC                     # TrustedBSD MAC Framework
#options        KDTRACE_FRAME           # Ensure frames are compiled in
#options        KDTRACE_HOOKS           # Kernel DTrace hooks
options         DDB_CTF                 # Kernel ELF linker loads CTF data
options         INCLUDE_CONFIG_FILE     # Include this file in kernel
options         CAPABILITY_MODE         # Enable Capsicum sandboxing support
options         CAPABILITIES            # ""
options         PROCDESC                # ""

# Debugging support.  Always need this:
options         KDB                     # Enable kernel debugger support.
options         KDB_TRACE               # Print a stack trace for a panic.

# Make an SMP-capable kernel by default
options         SMP                     # Symmetric MultiProcessor Kernel

# CPU frequency control
device          cpufreq

# Bus support.
device          acpi
options         ACPI_DMAR
device          pci

# Floppy drives
#device         fdc

# ATA controllers
device          ahci                    # AHCI-compatible SATA controllers
device          ata                     # Legacy ATA/SATA controllers
options         ATA_STATIC_ID           # Static device numbering
#device         mvs                     # Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
#device         siis                    # SiliconImage SiI3124/SiI3132/SiI3531 SATA

# ATA/SCSI peripherals
device          scbus                   # SCSI bus (required for ATA/SCSI)
device          ch                      # SCSI media changers
device          da                      # Direct Access (disks)
device          sa                      # Sequential Access (tape etc)
device          cd                      # CD
device          pass                    # Passthrough device (direct ATA/SCSI access)
device          ses                     # Enclosure Services (SES and SAF-TE)
device          ctl                     # CAM Target Layer

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
#device         psm                     # PS/2 mouse

#device         kbdmux                  # keyboard multiplexer

device          vga                     # VGA video card driver
options         VESA                    # Add support for VESA BIOS Extensions (VBE)

device          splash                  # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc
options         SC_PIXEL_MODE           # add support for the raster text mode

# vt is the new video console driver
device          vt
device          vt_vga
device          vt_efifb

device          agp                     # support several AGP chipsets

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          re                      # RealTek 8139C+/8169/8169S/8110S

# Pseudo devices.
device          loop                    # Network loopback
device          random                  # Entropy device
device          padlock_rng             # VIA Padlock RNG
device          rdrand_rng              # Intel Bull Mountain RNG
device          ether                   # Ethernet support
device          vlan                    # 802.1Q VLAN support
device          tun                     # Packet tunnel.
device          md                      # Memory "disks"
device          gif                     # IPv6 and IPv4 tunneling
device          faith                   # IPv6-to-IPv4 relaying (translation)
device          firmware                # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf                     # Berkeley packet filter

# USB support
device          uhci                    # UHCI PCI->USB interface
device          ohci                    # OHCI PCI->USB interface
device          ehci                    # EHCI PCI->USB interface (USB 2.0)
device          xhci                    # XHCI PCI->USB interface (USB 3.0)
device          usb                     # USB Bus (required)
device          ukbd                    # Keyboard
device          umass                   # Disks/Mass storage - Requires scbus and da

# Sound support
device          sound                   # Generic sound driver (required)
device          snd_hda                 # Intel High Definition Audio

# MMC/SD
#device         mmc                     # MMC/SD bus
#device         mmcsd                   # MMC/SD memory card
#device         sdhci                   # Generic PCI SD Host Controller

# VirtIO support
device          virtio                  # Generic VirtIO bus (required)
device          virtio_pci              # VirtIO PCI device
device          vtnet                   # VirtIO Ethernet device
device          virtio_blk              # VirtIO Block device
device          virtio_scsi             # VirtIO SCSI device
device          virtio_balloon          # VirtIO Memory Balloon device

# HyperV drivers
device          hyperv                  # HyperV drivers

# Xen HVM Guest Optimizations
# NOTE: XENHVM depends on xenpci.  They must be added or removed together.
options         XENHVM                  # Xen HVM kernel infrastructure
device          xenpci                  # Xen HVM Hypervisor services driver

# VMware support
device          vmx                     # VMware VMXNET3 Ethernet

# IPSec support
options         IPSEC                   # Enable IPSec support
device          crypto                  # Use the Crypto framework
device          cryptodev
options         IPSEC_FILTERTUNNEL      # Allowing packet filtering on tunneled packets
device          enc                     # Support for the encapsulating interface


On Thu, Jan 1, 2015 at 5:40 PM, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:

>
> On 01 Jan 2015, at 04:36 , Chris Watson wrote:
>
> > So I have been running a stable ipsec tunnel between my MacBook Pro and a
> > FreeBSD 10-stable server, I just rebuilt world today and racoon has become
> > pissy and refuses to start, and as usual with ipsec, debugging it is like
> > winning gold in the pain olympics. So here's the issue, my working config
> > has not changed at all. I'm simply running a new FreeBSD 10-stable r276472
> > world + kernel. I have looked all over at UPDATING, source commits to
> > stable, google, etc and I can't figure this error out.
>
> Do you know the old revision as well, to limit the search time?
>
> > Anytime I try to start racoon it looks like it starts but it doesn't. The
> > only error I can get is to run it with "racoon -F -ddd -f
> > /usr/local/etc/racoon/racoon.conf", and I get the following
> >
> > "ERROR: libipsec failed pfkey open (Address family not supported by
> > protocol family)
> > racoon: failed to initialize pfkey socket"
> >
> > Doing a "setkey -F" produces "pfkey_open: Address family not supported by
> > protocol family"
>
> That smells like a raw socket issue to me. But the only changes there I
> can remember is that someone changed the source address selection but
> nothing that would trigger this.
>
> You could turn net.inet.ipsec.debug to 0xff and check that there is
> nothing in dmesg -a after trying to start racoon, just to rule that out.
>
> Also could you paste the output of `sysctl -a | grep ipsec` and `sysctl -a
> net.key` just trying to make sure … ;-)
>
>
> —
> Bjoern A. Zeeb              Charles Haddon Spurgeon:
> "Friendship is one of the sweetest joys of life. Many might have failed
> beneath the bitterness of their trial had they not found a friend."
>
>
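The error racoon and setkey print in the thread ("pfkey_open: Address family not supported by protocol family") is EAFNOSUPPORT from the very first kernel call both tools make: libipsec's pfkey_open() is socket(PF_KEY, SOCK_RAW, PF_KEY_V2), and the kernel only registers the PF_KEY domain when it was built with options IPSEC. Together with the missing net.key and net.inet.ipsec sysctls, that points at the running kernel rather than at racoon. The probe below is an added example written for this page, not code from the thread, from racoon or from FreeBSD; the function names pfkey_probe and pfkey_diagnose are mine. It repeats libipsec's socket call and maps the errno to what it means, and builds on FreeBSD and Linux (PF_KEY comes from <sys/socket.h> on both; the PF_KEY_V2 fallback is the RFC 2367 value, which both systems use).

```c
/*
 * Added example (not from the mailing-list thread): open a PF_KEY socket
 * exactly as libipsec's pfkey_open() does, and turn the errno into a
 * diagnosis.  "Address family not supported by protocol family" is
 * EAFNOSUPPORT from this call, i.e. the running kernel has no PF_KEY
 * domain, which on FreeBSD means it was not built with options IPSEC.
 * Function names pfkey_probe/pfkey_diagnose are this example's own.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#ifndef PF_KEY_V2
#define PF_KEY_V2 2     /* RFC 2367 PF_KEY version; same value on FreeBSD and Linux */
#endif

/* Map the errno from socket(PF_KEY, SOCK_RAW, PF_KEY_V2) to what it means. */
const char *pfkey_diagnose(int err)
{
    switch (err) {
    case 0:
        return "ok: kernel has PF_KEY, racoon/setkey can talk to it";
    case EAFNOSUPPORT:
    case EPROTONOSUPPORT:
    case ESOCKTNOSUPPORT:
        return "no PF_KEY in the running kernel: built without options IPSEC, "
               "or the booted kernel is not the one you just built";
    case EPERM:
    case EACCES:
        return "permission denied: PF_KEY is a raw socket, run as root";
    default:
        return "unexpected error from socket(PF_KEY, ...)";
    }
}

/*
 * Try the PF_KEY socket the way libipsec does.  Returns 0 (and closes the
 * socket) on success, otherwise the errno for pfkey_diagnose().
 */
int pfkey_probe(void)
{
    int fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    int err = pfkey_probe();
    printf("socket(PF_KEY, SOCK_RAW, PF_KEY_V2): %s\n",
           err ? strerror(err) : "success");
    printf("diagnosis: %s\n", pfkey_diagnose(err));
    return err ? 1 : 0;
}
```

Build with `cc -o pfkey_probe pfkey_probe.c` and run it as root on the server. If it reports EAFNOSUPPORT, the next check is which kernel is actually running, not the racoon config: on FreeBSD `sysctl -n kern.bootfile` names the booted kernel, and because the config above carries `options INCLUDE_CONFIG_FILE`, `sysctl -n kern.conftxt | grep -E 'IPSEC|crypto'` prints the config the running kernel was really built from, so a kernel that was built from a different config, or an old /boot/kernel that was never replaced, shows up immediately. Once `sysctl net.key` lists values again, the probe should return success and racoon should start.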