Date: Sat, 02 Sep 2023 23:20:29 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 273533] need to sleep before using IPsec tunnel
Message-ID: <bug-273533-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273533

            Bug ID: 273533
           Summary: need to sleep before using IPsec tunnel
           Product: Base System
           Version: 13.2-STABLE
          Hardware: arm64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: andrew.cagney@gmail.com

Given a just-established IPsec connection using Libreswan (mainline), with
FreeBSD as the negotiation initiator, I'm finding that an attempt to ping the
peer fails. Here's an extract from a test:

west# ipsec add interop
002 "interop": added IKEv2 connection
west# ipsec up interop
1v2 "interop" #1: initiating IKEv2 connection
1v2 "interop" #1: sent IKE_SA_INIT request to 192.1.2.23:500
1v2 "interop" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "interop" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_FQDN '@east'
004 "interop" #2: initiator established Child SA using #1; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_128-NONE DPD=passive}
west# ../../guestbin/ipsec-kernel-policy.sh
192.0.2.0/24[any] 192.0.1.0/24[any] any
	in ipsec
	esp/tunnel/192.1.2.23-192.1.2.45/require
	spid=1 seq=1 pid=PID scope=global
	refcnt=1
192.0.1.0/24[any] 192.0.2.0/24[any] any
	out ipsec
	esp/tunnel/192.1.2.45-192.1.2.23/require
	spid=2 seq=0 pid=PID scope=global
	refcnt=1
west# ../../guestbin/ipsec-kernel-state.sh
192.1.2.45 192.1.2.23
	esp mode=any spi=SPISPI(0xSPISPI) reqid=16389(0x00004005)
	E: aes-gcm-16 XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
	seq=0x00000000 replay=16 flags=0x00000000 state=mature
	created: TIMESTAMP current: TIMESTAMP
	diff: N(s) hard: 28800(s) soft: 28800(s)
	last: hard: 0(s) soft: 0(s)
	current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 0 hard: 0 soft: 0
	sadb_seq=1 pid=PID refcnt=1
192.1.2.23 192.1.2.45
	esp mode=any spi=SPISPI(0xSPISPI) reqid=16389(0x00004005)
	E: aes-gcm-16 XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
	seq=0x00000000 replay=16 flags=0x00000000 state=mature
	created: TIMESTAMP current: TIMESTAMP
	diff: N(s) hard: 28800(s) soft: 28800(s)
	last: hard: 0(s) soft: 0(s)
	current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
	allocated: 0 hard: 0 soft: 0
	sadb_seq=0 pid=PID refcnt=1
west# ../../guestbin/wait-for.sh --match interop -- ipsec trafficstatus
006 #2: "interop", type=ESP, add_time=1234567890, id='@east'
west# ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
unexpected status 4
fping -c 1 --timeout 5s --src 192.0.1.254 192.0.2.254
fping error: not enough sequence numbers available! (expire_timeout=10000000000, host_nr=0, ping_count=0, seqmap_next_id=0)

(I've no clue what fping is trying to tell me.)

If a `sleep 5` is added before the `fping`, the puzzling behaviour goes away.

Here are some gory details of the libreswan-kernel interaction:

=> assign an inbound SPI (192.1.2.23 -> 192.1.2.45) to send to the peer:

| sending pfkeyv2_get_ipsec_spi:
| sadb_msg @0x4fca65c9a10 version=2 type=1(SADB_GETSPI) errno=0 satype=3(SADB_SATYPE_ESP) len=12(96) reserved=0000 seq=4 pid=1124
| sadb_x_sa2 @0x4fca65c9a20 len=2(16) exttype=19(SADB_X_EXT_SA2) mode=0(any!?!) reserved1=00 reserved2=0000 sequence=0 reqid=16389
| sadb_address @0x4fca65c9a30 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
| 192.1.2.23:0
| sadb_address @0x4fca65c9a48 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
| 192.1.2.45:0
| sadb_spirange @0x4fca65c9a60 len=2(16) exttype=16(SADB_EXT_SPIRANGE) min=4096 max=4294967295 reserved=00000000
| read 80 bytes
| pfkeyv2_get_ipsec_spi:
| sadb_msg @0x4fca65b9a08 version=2 type=1(SADB_GETSPI) errno=0 satype=3(SADB_SATYPE_ESP) len=10(80) reserved=0000 seq=4 pid=1124
| sadb_sa @0x4fca65b9a18 len=2(16) exttype=1(SADB_EXT_SA) spi=2683487713(9ff2c5e1) replay=0 state=0(SADB_SASTATE_LARVAL) auth=0(SADB_AALG_NONE) encrypt=0 flags=0=none
| sadb_address @0x4fca65b9a28 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
| 192.1.2.23:0
| sadb_address @0x4fca65b9a40 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
| 192.1.2.45:0

=> install outbound SA (192.1.2.45 -> 192.1.2.23):

| sending pfkeyv2_add_sa:
| sadb_msg @0x4fca65c8860 version=2 type=3(SADB_ADD) errno=0 satype=3(SADB_SATYPE_ESP) len=24(192) reserved=0000 seq=5 pid=1124
| sadb_sa @0x4fca65c8870 len=2(16) exttype=1(SADB_EXT_SA) spi=3169888898(bcf0aa82) replay=16 state=1(SADB_SASTATE_MATURE) auth=0(SADB_AALG_NONE) encrypt=20(SADB_X_EALG_AESGCM16) flags=0=none
| sadb_x_sa2 @0x4fca65c8880 len=2(16) exttype=19(SADB_X_EXT_SA2) mode=0(any!?!) reserved1=00 reserved2=0000 sequence=0 reqid=16389
| sadb_address @0x4fca65c8890 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
| 192.1.2.45:0
| sadb_address @0x4fca65c88a8 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
| 192.1.2.23:0
| sadb_key @0x4fca65c88c0 len=4(32) exttype=9(SADB_EXT_KEY_ENCRYPT) bits=160 reserved=0000
| sadb_lifetime @0x4fca65c88e0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=28800 usetime=0
| sadb_lifetime @0x4fca65c8900 len=4(32) exttype=4(SADB_EXT_LIFETIME_SOFT) allocations=0 bytes=0 addtime=28800 usetime=0
| read 160 bytes
| pfkeyv2_add_sa:
| sadb_msg @0x4fca65b8858 version=2 type=3(SADB_ADD) errno=0 satype=3(SADB_SATYPE_ESP) len=20(160) reserved=0000 seq=5 pid=1124
| sadb_sa @0x4fca65b8868 len=2(16) exttype=1(SADB_EXT_SA) spi=3169888898(bcf0aa82) replay=16 state=1(SADB_SASTATE_MATURE) auth=0(SADB_AALG_NONE) encrypt=20(SADB_X_EALG_AESGCM16) flags=0=none
| sadb_x_sa2 @0x4fca65b8878 len=2(16) exttype=19(SADB_X_EXT_SA2) mode=0(any!?!) reserved1=00 reserved2=0000 sequence=0 reqid=16389
| sadb_address @0x4fca65b8888 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
| 192.1.2.45:0
| sadb_address @0x4fca65b88a0 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
| 192.1.2.23:0
| sadb_lifetime @0x4fca65b88b8 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=28800 usetime=0
| sadb_lifetime @0x4fca65b88d8 len=4(32) exttype=4(SADB_EXT_LIFETIME_SOFT) allocations=0 bytes=0 addtime=28800 usetime=0

=> install inbound SA (192.1.2.23 -> 192.1.2.45):

| sending pfkeyv2_add_sa:
| sadb_msg @0x4fca65c8860 version=2 type=2(SADB_UPDATE) errno=0 satype=3(SADB_SATYPE_ESP) len=24(192) reserved=0000 seq=6 pid=1124
| sadb_sa @0x4fca65c8870 len=2(16) exttype=1(SADB_EXT_SA) spi=2683487713(9ff2c5e1) replay=16 state=1(SADB_SASTATE_MATURE) auth=0(SADB_AALG_NONE) encrypt=20(SADB_X_EALG_AESGCM16) flags=0=none
| sadb_x_sa2 @0x4fca65c8880 len=2(16) exttype=19(SADB_X_EXT_SA2) mode=0(any!?!) reserved1=00 reserved2=0000 sequence=0 reqid=16389
| sadb_address @0x4fca65c8890 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
| 192.1.2.23:0
| sadb_address @0x4fca65c88a8 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
| 192.1.2.45:0
| sadb_key @0x4fca65c88c0 len=4(32) exttype=9(SADB_EXT_KEY_ENCRYPT) bits=160 reserved=0000
| sadb_lifetime @0x4fca65c88e0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=28800 usetime=0
| sadb_lifetime @0x4fca65c8900 len=4(32) exttype=4(SADB_EXT_LIFETIME_SOFT) allocations=0 bytes=0 addtime=28800 usetime=0
| read 160 bytes
| pfkeyv2_add_sa:
| sadb_msg @0x4fca65b8858 version=2 type=2(SADB_UPDATE) errno=0 satype=3(SADB_SATYPE_ESP) len=20(160) reserved=0000 seq=6 pid=1124
| sadb_sa @0x4fca65b8868 len=2(16) exttype=1(SADB_EXT_SA) spi=2683487713(9ff2c5e1) replay=16 state=1(SADB_SASTATE_MATURE) auth=0(SADB_AALG_NONE) encrypt=20(SADB_X_EALG_AESGCM16) flags=0=none
| sadb_x_sa2 @0x4fca65b8878 len=2(16) exttype=19(SADB_X_EXT_SA2) mode=0(any!?!) reserved1=00 reserved2=0000 sequence=0 reqid=16389
| sadb_address @0x4fca65b8888 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=32
| 192.1.2.23:0
| sadb_address @0x4fca65b88a0 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=32
| 192.1.2.45:0
| sadb_lifetime @0x4fca65b88b8 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=28800 usetime=0
| sadb_lifetime @0x4fca65b88d8 len=4(32) exttype=4(SADB_EXT_LIFETIME_SOFT) allocations=0 bytes=0 addtime=28800 usetime=0

=> install inbound policy:

| sending kernel_pfkeyv2_policy_add:
| sadb_msg @0x4fca65c8fa0 version=2 type=14(SADB_X_SPDADD) errno=0 satype=0(SADB_SATYPE_UNSPEC) len=19(152) reserved=0000 seq=7 pid=1124
| sadb_address @0x4fca65c8fb0 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=24
| 192.0.2.0:0
| sadb_address @0x4fca65c8fc8 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=24
| 192.0.1.0:0
| sadb_lifetime @0x4fca65c8fe0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=0 usetime=0
| sadb_x_policy @0x4fca65c9000 len=7(56) exttype=18(SADB_X_EXT_POLICY) type=2(IPSEC_POLICY_IPSEC) dir=1(IPSEC_DIR_INBOUND) scope=0 id=0 priority=1757393
| sadb_x_ipsecrequest @0x4fca65c9010 len=40(40) proto=50(IPSEC_PROTO_ESP) mode=2(IPSEC_MODE_TUNNEL) level=2(IPSEC_LEVEL_REQUIRE) reqid=0
| 192.1.2.23:0
| 192.1.2.45:0
| read 152 bytes
| kernel_pfkeyv2_policy_add:
| sadb_msg @0x4fca65b8f98 version=2 type=14(SADB_X_SPDADD) errno=0 satype=0(SADB_SATYPE_UNSPEC) len=19(152) reserved=0000 seq=7 pid=1124
| sadb_x_policy @0x4fca65b8fa8 len=7(56) exttype=18(SADB_X_EXT_POLICY) type=2(IPSEC_POLICY_IPSEC) dir=1(IPSEC_DIR_INBOUND) scope=0 id=1 priority=1757393
| sadb_x_ipsecrequest @0x4fca65b8fb8 len=40(40) proto=50(IPSEC_PROTO_ESP) mode=2(IPSEC_MODE_TUNNEL) level=2(IPSEC_LEVEL_REQUIRE) reqid=0
| 192.1.2.23:0
| 192.1.2.45:0
| sadb_lifetime @0x4fca65b8fe0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=0 usetime=0
| sadb_address @0x4fca65b9000 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=24
| 192.0.2.0:0
| sadb_address @0x4fca65b9018 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=24
| 192.0.1.0:0

=> install outbound policy:

| sending kernel_pfkeyv2_policy_add:
| sadb_msg @0x4fca65c9080 version=2 type=14(SADB_X_SPDADD) errno=0 satype=0(SADB_SATYPE_UNSPEC) len=19(152) reserved=0000 seq=8 pid=1124
| sadb_address @0x4fca65c9090 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=24
| 192.0.1.0:0
| sadb_address @0x4fca65c90a8 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=24
| 192.0.2.0:0
| sadb_lifetime @0x4fca65c90c0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=0 usetime=0
| sadb_x_policy @0x4fca65c90e0 len=7(56) exttype=18(SADB_X_EXT_POLICY) type=2(IPSEC_POLICY_IPSEC) dir=2(IPSEC_DIR_OUTBOUND) scope=0 id=0 priority=1757393
| sadb_x_ipsecrequest @0x4fca65c90f0 len=40(40) proto=50(IPSEC_PROTO_ESP) mode=2(IPSEC_MODE_TUNNEL) level=2(IPSEC_LEVEL_REQUIRE) reqid=0
| 192.1.2.45:0
| 192.1.2.23:0
| read 152 bytes
| kernel_pfkeyv2_policy_add:
| sadb_msg @0x4fca65b9078 version=2 type=14(SADB_X_SPDADD) errno=0 satype=0(SADB_SATYPE_UNSPEC) len=19(152) reserved=0000 seq=8 pid=1124
| sadb_x_policy @0x4fca65b9088 len=7(56) exttype=18(SADB_X_EXT_POLICY) type=2(IPSEC_POLICY_IPSEC) dir=2(IPSEC_DIR_OUTBOUND) scope=0 id=2 priority=1757393
| sadb_x_ipsecrequest @0x4fca65b9098 len=40(40) proto=50(IPSEC_PROTO_ESP) mode=2(IPSEC_MODE_TUNNEL) level=2(IPSEC_LEVEL_REQUIRE) reqid=0
| 192.1.2.45:0
| 192.1.2.23:0
| sadb_lifetime @0x4fca65b90c0 len=4(32) exttype=3(SADB_EXT_LIFETIME_HARD) allocations=0 bytes=0 addtime=0 usetime=0
| sadb_address @0x4fca65b90e0 len=3(24) exttype=5(SADB_EXT_ADDRESS_SRC) proto=255 prefixlen=24
| 192.0.1.0:0
| sadb_address @0x4fca65b90f8 len=3(24) exttype=6(SADB_EXT_ADDRESS_DST) proto=255 prefixlen=24
| 192.0.2.0:0

-- 
You are receiving this mail because:
You are the assignee for the bug.
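The PF_KEY trace in the report can be checked mechanically instead of by eye. The following Python is an added example, not part of the bug report or of Libreswan: it parses a constructed, condensed trace in the same line format as the one above (SADB_GETSPI reply, SADB_ADD, SADB_UPDATE, two SADB_X_SPDADD) and flags a SPI reserved by GETSPI that never becomes MATURE, a non-zero errno, or a missing policy direction. The `@0x1`-style addresses are placeholders, not values from the report.

```python
import re

# Constructed, condensed trace in the same line shape as the report's PF_KEY
# debug output: one "| sadb_msg" header per message, then its "| sadb_*" extensions.
TRACE = """\
| sadb_msg @0x1 version=2 type=1(SADB_GETSPI) errno=0 satype=3(SADB_SATYPE_ESP) seq=4 pid=1124
| sadb_sa @0x2 len=2(16) exttype=1(SADB_EXT_SA) spi=2683487713(9ff2c5e1) replay=0 state=0(SADB_SASTATE_LARVAL)
| sadb_msg @0x3 version=2 type=3(SADB_ADD) errno=0 satype=3(SADB_SATYPE_ESP) seq=5 pid=1124
| sadb_sa @0x4 len=2(16) exttype=1(SADB_EXT_SA) spi=3169888898(bcf0aa82) replay=16 state=1(SADB_SASTATE_MATURE)
| sadb_msg @0x5 version=2 type=2(SADB_UPDATE) errno=0 satype=3(SADB_SATYPE_ESP) seq=6 pid=1124
| sadb_sa @0x6 len=2(16) exttype=1(SADB_EXT_SA) spi=2683487713(9ff2c5e1) replay=16 state=1(SADB_SASTATE_MATURE)
| sadb_msg @0x7 version=2 type=14(SADB_X_SPDADD) errno=0 satype=0(SADB_SATYPE_UNSPEC) seq=7 pid=1124
| sadb_x_policy @0x8 len=7(56) exttype=18(SADB_X_EXT_POLICY) type=2(IPSEC_POLICY_IPSEC) dir=1(IPSEC_DIR_INBOUND)
| sadb_msg @0x9 version=2 type=14(SADB_X_SPDADD) errno=0 satype=0(SADB_SATYPE_UNSPEC) seq=8 pid=1124
| sadb_x_policy @0xa len=7(56) exttype=18(SADB_X_EXT_POLICY) type=2(IPSEC_POLICY_IPSEC) dir=2(IPSEC_DIR_OUTBOUND)
"""

FIELD = re.compile(r"(\w+)=(\d+)(?:\(([^)]*)\))?")      # key=N or key=N(NAME)
HEADER = re.compile(r"\|\s+(sadb_\w+)\s+@0x[0-9a-f]+\s+(.*)")
HEX = re.compile(r"[0-9a-f]+")  # spi=DEC(hex) and len=N(bytes) carry no symbolic name

def parse_fields(text):
    """Return {key: symbolic name when one is given, else the decimal value as int}."""
    return {k: (n if n and not HEX.fullmatch(n) else int(v)) for k, v, n in FIELD.findall(text)}

def parse_trace(text):
    """Group each sadb_msg header with the extension lines that follow it."""
    msgs = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # bare address lines, "read N bytes", function names
        ext, fields = m.group(1), parse_fields(m.group(2))
        if ext == "sadb_msg":
            msgs.append({"hdr": fields, "exts": {}})
        elif msgs:
            msgs[-1]["exts"][ext] = fields
    return msgs

def audit(msgs):
    """Flag kernel errors, SPIs left LARVAL after GETSPI, and a missing policy direction."""
    problems, larval, mature, dirs = [], set(), set(), set()
    for m in msgs:
        hdr, sa, pol = m["hdr"], m["exts"].get("sadb_sa"), m["exts"].get("sadb_x_policy")
        if hdr.get("errno", 0):
            problems.append(f"{hdr['type']} seq={hdr['seq']} failed: errno={hdr['errno']}")
        if sa:
            (larval if sa["state"] == "SADB_SASTATE_LARVAL" else mature).add(sa["spi"])
        if pol:
            dirs.add(pol["dir"])
    for spi in sorted(larval - mature):
        problems.append(f"SPI 0x{spi:08x} reserved by SADB_GETSPI but never updated to MATURE")
    for d in ("IPSEC_DIR_INBOUND", "IPSEC_DIR_OUTBOUND"):
        if d not in dirs:
            problems.append(f"no {d} policy installed")
    return problems
```

Feeding it the full trace from the report (which uses the same line shapes) returns an empty problem list, matching what the kernel-state and kernel-policy dumps above show: both SAs mature and both policy directions installed.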