Date:      Tue, 23 Jun 2009 10:18:46 +0200
From:      VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To:        Chris Buechler <cmb@pfsense.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re:  IPsec crash, patch for review
Message-ID:  <20090623081845.GA68752@zeninc.net>
In-Reply-To: <4A3D7885.9010809@pfsense.org>
References:  <20090619130040.GA53996@zeninc.net> <4A3D7885.9010809@pfsense.org>

On Sat, Jun 20, 2009 at 08:02:13PM -0400, Chris Buechler wrote:
> VANHULLEBUS Yvan wrote:
> Hi,

Hi.


[...]
> We tried this patch on 7.2 (with patch-natt-7.2-2009-05-12.diff from 
> your ~) due to a seemingly similar problem, but IPsec stops working with 
> the patch applied. Using test setup:
> 
> Host A -- fwA -- fwB -- Host B
> 
> where fwA has the patch and fwB is the same 7.2 minus this patch, and 
> there is an IPsec connection between fwA and fwB. It brings up the 
> connection no problem, and if I leave a constant ping going, every time 
> I restart racoon on fwA I get exactly one response through.

Bjoern reported to me that the actual patch will break things on IPv6
(another patch will be posted soon which should solve this problem).
Are you in a full IPv4 world, or do you have some IPv6 + IPsec
configuration?


> From tcpdump on enc0 on both ends and the actual NICs, I see that 
> traffic from Host B to Host A gets all the way through the tunnel to 
> Host A, it responds, the response is seen on fwA's LAN port, but it 
> doesn't hit enc0. Traffic from Host A to Host B is seen on the LAN port 
> of fwA, but not on enc0 and not on enc0 of the remote side.
> 
> Replace the kernel on fwA with one minus the patch and it works fine 
> (except it will spontaneously reboot under high load).
> 
> That's with patch-xform_freespfix-3. Should that work with 7.2 in 
> combination with the NAT-T patch?  It applies cleanly.

Patch has been done against TRUNK, but it is probably exactly the same
for 7.2. And yes, we're using it in combination with the NAT-T patch.

Can you test again with an INVARIANT kernel, which (I hope) will raise
any locking issue?


Thanks for the report,

Yvan.
