Date: Sun, 11 May 2008 16:02:11 +0800 (KRAST)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/123587: [ipsec] IPCOMP broken in IPSEC (FAST_IPSEC for RELENG_6)
Message-ID: <200805110802.m4B82BSl002163@grosbein.pp.ru>
Resent-Message-ID: <200805110810.m4B8A0FZ088269@freefall.freebsd.org>
>Number:         123587
>Category:       kern
>Synopsis:       [ipsec] IPCOMP broken in IPSEC (FAST_IPSEC for RELENG_6)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 11 08:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
Svyaz-Service JSC
>Environment:
System: FreeBSD grosbein.pp.ru 7.0-STABLE FreeBSD 7.0-STABLE #5: Sat May 3 17:45:36 KRAST 2008 eu@grosbein.pp.ru:/usr/local/obj/usr/local/obj/src/sys/DADV i386
>Description:
In RELENG_6, the old-fashioned IPSEC implementation works nicely with the IPCOMP protocol used to compress traffic.
IPCOMP fails to work in both RELENG_7 and RELENG_6 with FAST_IPSEC.
>How-To-Repeat:
Let's take two FreeBSD boxes, one is 10.58.0.11/24, the other is 10.58.0.22/24.
Without an IPSEC policy loaded, they ping each other without a problem.
Here is /etc/ipsec.conf for IPSEC transport mode, static keys:

flush;
spdflush;
add 10.58.0.22 10.58.0.11 ipcomp 1111 -C deflate;
add 10.58.0.22 10.58.0.11 esp 1111 -m transport -E blowfish-cbc "xxxxxxxx";
add 10.58.0.11 10.58.0.22 ipcomp 2111 -C deflate;
add 10.58.0.11 10.58.0.22 esp 2111 -m transport -E blowfish-cbc "yyyyyyyy";
spdadd 10.58.0.22/32 10.58.0.11/32 any -P out ipsec ipcomp/transport//require esp/transport//require;
spdadd 10.58.0.11/32 10.58.0.22/32 any -P in ipsec ipcomp/transport//require esp/transport//require;

After 'setkey -f /etc/ipsec.conf', ping 10.58.0.22 says:

ping: sendto: No route to host

The problem disappears if we remove 'ipcomp/transport//require', disabling IPCOMP completely.
The problem does not exist for RELENG_6 with old "options IPSEC/IPSEC_ESP" in a kernel.
>Fix:
Unknown.
>Release-Note:
>Audit-Trail:
>Unformatted:
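A sanity check that an administrator can run over a setkey(8)-style configuration like the one in this PR before loading it. This is an added example and not part of the report or of the FreeBSD code. It parses the `add` (SA) and `spdadd` (policy) statements, and for every `require` rule reports either a missing SA with matching endpoints and protocol, or a candidate SA whose mode differs from the one the policy names. In the PR's own configuration the two ipcomp SAs are added without `-m`, which setkey(8) documents as mode "any", while both policies require `ipcomp/transport`; the check merely surfaces that discrepancy so it can be ruled in or out, it does not decide whether the kernel rejects such a combination. The parser assumes one statement per `;`, no `;` inside key strings, and `spdadd` rules of the `proto/mode/endpoints/level` form; `SAMPLE_CONF` is the PR's configuration with its placeholder keys.

```python
"""Consistency check for a setkey(8)-style IPsec configuration (added example).

Assumptions: statements are separated by ';', keys contain no ';', and each
spdadd rule has the form proto/mode/endpoints/level. Only the fields needed
for the check are kept; algorithms and key material are ignored.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import shlex

# Configuration from the PR; the keys "xxxxxxxx"/"yyyyyyyy" are the report's own placeholders.
SAMPLE_CONF = """\
flush;
spdflush;
add 10.58.0.22 10.58.0.11 ipcomp 1111 -C deflate;
add 10.58.0.22 10.58.0.11 esp 1111 -m transport -E blowfish-cbc "xxxxxxxx";
add 10.58.0.11 10.58.0.22 ipcomp 2111 -C deflate;
add 10.58.0.11 10.58.0.22 esp 2111 -m transport -E blowfish-cbc "yyyyyyyy";
spdadd 10.58.0.22/32 10.58.0.11/32 any -P out ipsec ipcomp/transport//require esp/transport//require;
spdadd 10.58.0.11/32 10.58.0.22/32 any -P in ipsec ipcomp/transport//require esp/transport//require;
"""

# Constructed variant: the same configuration with an explicit transport mode on the ipcomp SAs.
FIXED_CONF = (SAMPLE_CONF
              .replace("ipcomp 1111 -C", "ipcomp 1111 -m transport -C")
              .replace("ipcomp 2111 -C", "ipcomp 2111 -m transport -C"))


@dataclass
class SA:
    src: str
    dst: str
    proto: str
    spi: str
    mode: str  # "transport", "tunnel" or "any" (setkey's default when -m is omitted)


@dataclass
class Policy:
    src: str        # network in CIDR form, e.g. 10.58.0.22/32
    dst: str
    direction: str  # "in" or "out"
    rules: list     # (proto, mode, endpoints, level) tuples


def parse_conf(text):
    """Return (sas, policies) parsed from setkey-style text."""
    sas, policies = [], []
    for stmt in text.split(";"):
        toks = shlex.split(stmt)  # strips the quotes around key strings
        if not toks:
            continue
        if toks[0] == "add":
            # setkey(8): "-m mode" defaults to "any" when not given
            mode = toks[toks.index("-m") + 1] if "-m" in toks else "any"
            sas.append(SA(src=toks[1], dst=toks[2], proto=toks[3], spi=toks[4], mode=mode))
        elif toks[0] == "spdadd" and "ipsec" in toks:
            direction = toks[toks.index("-P") + 1]
            rules = []
            for rule in toks[toks.index("ipsec") + 1:]:
                proto, mode, endpoints, level = rule.split("/")
                rules.append((proto, mode, endpoints, level))
            policies.append(Policy(src=toks[1], dst=toks[2], direction=direction, rules=rules))
    return sas, policies


def check_conf(text):
    """Return a list of human-readable findings; an empty list means every
    required policy rule has an SA with matching endpoints, protocol and mode."""
    sas, policies = parse_conf(text)
    findings = []
    for pol in policies:
        src_net = ip_network(pol.src, strict=False)
        dst_net = ip_network(pol.dst, strict=False)
        where = f"{pol.direction} policy {pol.src} -> {pol.dst}"
        for proto, mode, _endpoints, level in pol.rules:
            if level != "require":
                continue
            cands = [sa for sa in sas
                     if sa.proto == proto
                     and ip_address(sa.src) in src_net
                     and ip_address(sa.dst) in dst_net]
            if not cands:
                findings.append(f"{where}: requires {proto}/{mode} but no {proto} SA matches its endpoints")
            elif not any(sa.mode == mode for sa in cands):
                desc = ", ".join(f"spi {sa.spi} mode '{sa.mode}'" for sa in cands)
                note = " (no -m given; setkey default)" if all(sa.mode == "any" for sa in cands) else ""
                findings.append(f"{where}: requires {proto}/{mode} but {proto} SA {desc}{note}")
    return findings


if __name__ == "__main__":
    for label, conf in (("PR config", SAMPLE_CONF), ("with -m transport", FIXED_CONF)):
        print(f"== {label} ==")
        for line in check_conf(conf) or ["no findings"]:
            print("  " + line)
```

Run against the PR's configuration the check reports one ipcomp finding per policy (mode 'any' versus required 'transport') and none for esp; against `FIXED_CONF` it reports nothing. Deleting an `add` line produces a "no ... SA matches its endpoints" finding instead, which is the other way a `require` policy can leave a host without a usable SA.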
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200805110802.m4B82BSl002163>