From owner-freebsd-net@FreeBSD.ORG Wed Feb 2 09:09:40 2005
Message-Id: <200502020909.KAA17067@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <41FF8FEA.9050102@wayforth.co.uk> from Chris Cowen at "Feb 1, 2005 3:19:22 pm"
From: Helge Oldach
X-Address: Atos Origin GmbH, Friesenstraße 13, D-20097 Hamburg, Germany
X-Phone: +49 40 7886 7464, Fax: +49 40 7886 9464, Mobile: +49 160 4782077
To: chris@wayforth.co.uk (Chris Cowen)
cc: freebsd-net@freebsd.org
Date: Wed, 2 Feb 2005 10:09:36 +0100 (MET)
Subject: Re: racoon behaviour when SA expires
List-Id: Networking and TCP/IP with FreeBSD

Chris Cowen:
>A bit more investigation reveals that the SA is re-established but the
>SPD entries at the remote get dropped. This would explain the half-duplex
>communication I am seeing with tcpdump (ping responses get back as far
>as the remote racoon machine and the lack of SPD means the machine can't
>route the packet back through the tunnel).
>
>I have tried applying the suggested fix in fbsd4/530, which seems to be
>a similar problem, but this doesn't make any difference, unfortunately.

The fix in that PR is incomplete. This one works for me:

--- isakmp_quick.c.orig Tue Oct 21 09:18:03 2003 +++ isakmp_quick.c Mon Apr 12 19:55:27 2004 @@ -2012,7 +2012,7 @@ /* get inbound policy */ sp_in = getsp_r(&spidx); - if (sp_in == NULL) { + /* if (sp_in == NULL) */ { if (iph2->ph1->rmconf->gen_policy) { plog(LLV_INFO, LOCATION, NULL, "no policy found, " @@ -2027,9 +2027,11 @@ memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); return -2; /* special value */ } + else if (sp_in == NULL) { plog(LLV_ERROR, LOCATION, NULL, "no policy found: %s\n", spidx2str(&spidx)); return ISAKMP_INTERNAL_ERROR; + } } /* get outbound policy */

Helge
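Review bot: in the first hunk (@@ -2012,7 +2012,7 @@), turning `if (sp_in == NULL) {` into `/* if (sp_in == NULL) */ {` makes the block unconditional, so with gen_policy set the generate path, and its "no policy found, " LLV_INFO message, is taken even when getsp_r() did return an inbound policy. State the intent instead of commenting the condition out, e.g. `if (sp_in == NULL || iph2->ph1->rmconf->gen_policy) {`, and reword the log message so it does not claim no policy was found when one was. Whether a policy that getsp_r() found is replaced or left in place when the caller handles the -2 return is not visible in this hunk and should be checked in that caller before this goes in.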
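Review bot: in the second hunk (@@ -2027,9 +2027,11 @@), the new `else if (sp_in == NULL) {` wraps the existing plog()/return ISAKMP_INTERNAL_ERROR lines without re-indenting them, and the added `}` closes it right before the brace that belonged to the original `if`, so the control flow now spans two hunks with a commented-out condition in the first. With the NULL check moved here, the outer block no longer does anything: drop the leftover `/* if (sp_in == NULL) */ {` and its closing brace and write this as a plain `if`/`else if` at the outer level. Behaviour is unchanged (gen_policy on: generate and return -2; gen_policy off and no policy: error; policy found: fall through to the outbound lookup) and the next reader can follow it.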