From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 192774] New: PF_KEY ACQUIRE missing port and protocol info
Date: Mon, 18 Aug 2014 04:08:20 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.0-STABLE
X-Bugzilla-Who: john@feith.com
X-Bugzilla-Status: Needs Triage
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192774

            Bug ID: 192774
           Summary: PF_KEY ACQUIRE missing port and protocol info
           Product: Base System
           Version: 10.0-STABLE
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: john@feith.com

Created attachment 145951
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=145951&action=edit
patch for problem.

Consider an IPSEC policy such as:

    spdadd 0.0.0.0/0 XXX.XXX.XXX.XXX/32[1701] udp -P out ipsec esp/transport//require;
    spdadd XXX.XXX.XXX.XXX/32[1701] 0.0.0.0/0 udp -P in ipsec esp/transport//require;

When triggered it sends a PF_KEY ACQUIRE message that causes ISAKMP negotiations
to occur with the remote.  Unfortunately the key_acquire routine in
sys/netipsec/key.c doesn't contain any code to propagate the port / protocol
information as part of the ACQUIRE message ... as a result racoon sees an
ACQUIRE message for all traffic to the remote system and supplies that as the
proposal, which fails since the remote system is only willing to protect L2TP
with IPSEC ... not all traffic.

Note that RFC 2367 3.1.6 SADB_ACQUIRE says:

    The address(SD) extensions MUST have the port fields filled in with the
    port numbers of the session requiring keys if appropriate.

With the supplied patch I'm able to successfully establish an L2TP connection
protected by IPSEC from FreeBSD 10-stable to a Cisco 3845 router.

-- 
You are receiving this mail because:
You are the assignee for the bug.
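The ACQUIRE message the report is about, as an added example that is not part of the bug report, the attached patch, or FreeBSD's sys/netipsec/key.c: it lays out an SADB_ACQUIRE with the source and destination address extensions for the outbound policy above, once without port/protocol (the behaviour the reporter describes) and once with them filled in, then walks the extensions back the way a key manager such as racoon would. Structure layouts and constant values follow RFC 2367 section 2.3 rather than a system header so it compiles on any POSIX system; the peer address 192.0.2.1, the IPv4-only handling and the helper names are assumptions of the example.

```c
/* Added example, not the reporter's patch or FreeBSD's key.c: build the
 * address (SD) extensions of an RFC 2367 SADB_ACQUIRE for the policy above,
 * once the way the report describes (no port/protocol, i.e. "all traffic to
 * the peer") and once with the port and protocol filled in, then read them
 * back the way a key manager such as racoon would.  Struct layouts and
 * constants follow RFC 2367 section 2.3; only IPv4 is handled, and
 * 192.0.2.1 is a constructed placeholder for the peer. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PF_KEY_V2            2
#define SADB_ACQUIRE         6
#define SADB_SATYPE_ESP      3
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define PFKEY_ALIGN          8          /* PF_KEY lengths are in 64-bit units */
#define PFKEY_UNIT64(n)      ((n) / PFKEY_ALIGN)

struct sadb_msg {                       /* RFC 2367 2.3, 16 bytes */
    uint8_t  sadb_msg_version, sadb_msg_type, sadb_msg_errno, sadb_msg_satype;
    uint16_t sadb_msg_len, sadb_msg_reserved;
    uint32_t sadb_msg_seq, sadb_msg_pid;
};
struct sadb_address {                   /* RFC 2367 2.3.3, 8 bytes then a sockaddr */
    uint16_t sadb_address_len, sadb_address_exttype;
    uint8_t  sadb_address_proto, sadb_address_prefixlen;
    uint16_t sadb_address_reserved;
};
struct addr_ext   { struct sadb_address hdr; struct sockaddr_in sin; }; /* 24 bytes */
struct acquire_v4 { struct sadb_msg msg; struct addr_ext src, dst; };    /* 64 bytes */
struct selector   { uint8_t proto; uint16_t sport, dport; };             /* what racoon sees */

static void set_addr(struct addr_ext *e, uint16_t exttype, const char *ip,
                     uint8_t prefixlen, uint8_t proto, uint16_t port)
{
    memset(e, 0, sizeof *e);
    e->hdr.sadb_address_len       = PFKEY_UNIT64(sizeof *e);
    e->hdr.sadb_address_exttype   = exttype;
    e->hdr.sadb_address_proto     = proto;   /* 0 means any upper-layer protocol */
    e->hdr.sadb_address_prefixlen = prefixlen;
    e->sin.sin_family = AF_INET;
    e->sin.sin_port   = htons(port);         /* 0 means any port */
    inet_pton(AF_INET, ip, &e->sin.sin_addr);
}

/* ACQUIRE for the outbound policy: 0.0.0.0/0 -> peer/32[1701] udp.
 * with_selector == 0 reproduces what the report says key_acquire emits. */
size_t build_acquire(struct acquire_v4 *a, const char *peer, int with_selector)
{
    uint8_t  proto = with_selector ? IPPROTO_UDP : 0;
    uint16_t port  = with_selector ? 1701 : 0;
    memset(a, 0, sizeof *a);
    a->msg.sadb_msg_version = PF_KEY_V2;
    a->msg.sadb_msg_type    = SADB_ACQUIRE;
    a->msg.sadb_msg_satype  = SADB_SATYPE_ESP;
    a->msg.sadb_msg_len     = PFKEY_UNIT64(sizeof *a);
    a->msg.sadb_msg_seq     = 1;
    set_addr(&a->src, SADB_EXT_ADDRESS_SRC, "0.0.0.0", 0,  proto, 0);
    set_addr(&a->dst, SADB_EXT_ADDRESS_DST, peer,      32, proto, port);
    return sizeof *a;
}

/* Walk the extensions as a key manager does; reject inconsistent lengths
 * instead of trusting them (a zero or oversized sadb_address_len would
 * otherwise loop forever or read past the buffer). */
int parse_selector(const void *buf, size_t len, struct selector *sel)
{
    const uint8_t *p = buf, *end = p + len;
    const struct sadb_msg *m = buf;
    if (len < sizeof *m || m->sadb_msg_type != SADB_ACQUIRE ||
        (size_t)m->sadb_msg_len * PFKEY_ALIGN != len)
        return -1;
    memset(sel, 0, sizeof *sel);
    p += sizeof *m;
    while (p + sizeof(struct sadb_address) <= end) {
        const struct sadb_address *h = (const struct sadb_address *)p;
        size_t elen = (size_t)h->sadb_address_len * PFKEY_ALIGN;
        if (elen < sizeof *h || elen > (size_t)(end - p))
            return -1;
        if (h->sadb_address_exttype == SADB_EXT_ADDRESS_SRC ||
            h->sadb_address_exttype == SADB_EXT_ADDRESS_DST) {
            const struct sockaddr_in *sin = (const struct sockaddr_in *)(h + 1);
            if (elen < sizeof *h + sizeof *sin || sin->sin_family != AF_INET)
                return -1;
            sel->proto = h->sadb_address_proto;
            if (h->sadb_address_exttype == SADB_EXT_ADDRESS_SRC)
                sel->sport = ntohs(sin->sin_port);
            else
                sel->dport = ntohs(sin->sin_port);
        }
        p += elen;
    }
    return 0;
}

/* Build and parse in one step; returns (proto << 16) | dst port, or -1. */
int acquire_selector_code(int with_selector)
{
    struct acquire_v4 a;
    struct selector s;
    size_t n = build_acquire(&a, "192.0.2.1", with_selector);
    if (parse_selector(&a, n, &s) != 0)
        return -1;
    return (s.proto << 16) | s.dport;
}

int main(void)
{
    int bare = acquire_selector_code(0), full = acquire_selector_code(1);
    printf("no selector:   proto %d dport %d  (key manager proposes all traffic)\n",
           bare >> 16, bare & 0xffff);
    printf("with selector: proto %d dport %d  (udp/1701 only)\n",
           full >> 16, full & 0xffff);
    return 0;
}
```

The two runs differ only in the sadb_address_proto byte of each SD extension and the sin_port of the sockaddr that follows it. A key manager treats zero in either as a wildcard, which is why the bare ACQUIRE turns into a proposal for all traffic to the peer; carrying the policy's selector into the kernel's ACQUIRE means setting both fields, in both the SRC and DST extensions, and RFC 2367 section 3.1.6 quoted above is what requires it.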