Date:      Wed, 2 Feb 2005 10:09:36 +0100 (MET)
From:      Helge Oldach <helge.oldach@atosorigin.com>
To:        chris@wayforth.co.uk (Chris Cowen)
Cc:        freebsd-net@freebsd.org
Subject:   Re: racoon behaviour when SA expires
Message-ID:  <200502020909.KAA17067@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <41FF8FEA.9050102@wayforth.co.uk> from Chris Cowen at "Feb 1, 2005  3:19:22 pm"

Chris Cowen:
>A bit more investigation reveals that the SA is re-established but the
>SPD entries at the remote get dropped. This would explain the half duplex
>communication I am seeing with tcpdump (ping responses get back as far
>as the remote racoon machine and the lack of SPD means the machine can't
>route the packet back through the tunnel).
>
>I have tried applying the suggested fix in fbsd4/530, which seems to be 
>a similar problem, but this doesn't make any difference, unfortunately.

The fix in that PR is incomplete. This one works for me:

--- isakmp_quick.c.orig Tue Oct 21 09:18:03 2003
+++ isakmp_quick.c      Mon Apr 12 19:55:27 2004
@@ -2012,7 +2012,7 @@

        /* get inbound policy */
        sp_in = getsp_r(&spidx);
-       if (sp_in == NULL) {
+       /* if (sp_in == NULL) */ {
                if (iph2->ph1->rmconf->gen_policy) {
                        plog(LLV_INFO, LOCATION, NULL,
                                "no policy found, "
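Review bot: commenting out the condition turns `if (sp_in == NULL) {` into a bare block, so the gen_policy branch at `if (iph2->ph1->rmconf->gen_policy) {` now runs even when getsp_r() did return an inbound policy, yet the LLV_INFO log line beneath it still reads "no policy found, ", which is then inaccurate. Either reword that message to say an existing inbound policy is being overridden by the generated one, or make the control flow explicit as `if (iph2->ph1->rmconf->gen_policy) { ... } else if (sp_in == NULL) { ... }` instead of leaving a commented-out test in front of the brace.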
@@ -2027,9 +2027,11 @@
                        memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
                        return -2;      /* special value */
                }
+               else if (sp_in == NULL) {
                plog(LLV_ERROR, LOCATION, NULL,
                        "no policy found: %s\n", spidx2str(&spidx));
                return ISAKMP_INTERNAL_ERROR;
+               }
        }

        /* get outbound policy */
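Review bot: the two statements now enclosed by `else if (sp_in == NULL) {` and the added `}` (the plog and the `return ISAKMP_INTERNAL_ERROR;`) keep their previous indentation, so they no longer sit one level inside the new braces; reindent them. It is also worth spelling out in the mail what this changes in behaviour: with gen_policy set, the function returns -2 here before the outbound-policy lookup whether or not an inbound policy was found, so a manually configured SPD entry on a gen_policy peer is always replaced by the generated one rather than only filled in when missing.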


Helge


