Date: Mon, 18 Aug 2014 04:08:20 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 192774] New: PF_KEY ACQUIRE missing port and protocol info Message-ID: <bug-192774-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192774 Bug ID: 192774 Summary: PF_KEY ACQUIRE missing port and protocol info Product: Base System Version: 10.0-STABLE Hardware: Any OS: Any Status: Needs Triage Severity: Affects Only Me Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: john@feith.com Created attachment 145951 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=145951&action=edit patch for problem. Consider an IPSEC policy such as: spdadd 0.0.0.0/0 XXX.XXX.XXX.XXX/32[1701] udp -P out ipsec esp/transport//require; spdadd XXX.XXX.XXX.XXX/32[1701] 0.0.0.0/0 udp -P in ipsec esp/transport//require; When triggered it sends a PF_KEY ACQUIRE message that causes ISAKMP negotiations to occur with the remote. Unfortunately the key_acquire routine in sys/netipsec/key.c doesn't contain any code to propagate the port / protocol information as part of the ACQUIRE message ... as a result racoon sees an ACQUIRE message for all traffic to the remote system and supplies that as the proposal which fails since the remote system is only willing to protect L2TP with IPSEC ... not all traffic. Note that RFC 2367 3.1.6 SADB_ACQUIRE says: The address(SD) extensions MUST have the port fields filled in with the port numbers of the session requiring keys if appropriate. With the supplied patch I'm able to successfully establish a L2TP protected by IPSEC connection from FreeBSD 10-stable to a Cisco 3845 router. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-192774-8>