Date: Sun, 22 Apr 2001 05:15:33 +0000 From: Gunther Schadow <gunther@aurora.regenstrief.org> To: itojun@iijlab.net Cc: snap-users@kame.net, freebsd-net@freebsd.org Subject: Re: KAME SPD bug, please try and confirm ... Message-ID: <3AE268F5.B48CC2B2@aurora.regenstrief.org> References: <19829.987903074@itojun.org>
itojun@iijlab.net wrote:
> sorry that we did not make any useful responses, some of the kame guys
> (mainly sakane) are trying to repeat the symptom.
I appreciate that very much!
> i ran a small test with slightly different setup on both NetBSD
> 1.5.1_BETA and NetBSD 1.5 + KAME SNAP 2001042x, and the problem did
> not repeat.
Hmm, maybe it's a matter of FreeBSD and does not occur with NetBSD?
> is the following description correct?
> - FreeBSD 4.2-RELEASE is not affected
yes, it is affected with kernel panic (under high loads only ...)
> - FreeBSD 4.2-RELEASE + KAME SNAP 200103xx has problem, but no kernel
> panic
right, shows the described problems but has no such kernel panics
> - FreeBSD 4.2-RELEASE + KAME SNAP 200104xx has problem, with kernel
> panic
actually I should test that. Will do tomorrow.
> if you can get a kernel stack trace on panic, it would be really useful.
I reported about the panic before (on FreeBSD's bugs) and the error was
at esp4_input ...
> i'm just guessing, but it seems that there could be some problem
> with your routing table setup. you are doing things like:
> >aip=10.10.10.1
> >bip=10.10.10.2
> >aipsec=10.99.10
> >bipsec=10.99.20
> >ifconfig ${if} inet alias ${aip} netmask 0xffffff00
> >ifconfig lo0 inet alias ${aipsec}.1 netmask 0xffffff00
> >route add -net ${bipsec}.0/24 ${aipsec}.1
> why do you need the routing setup, and why do you need the address
> ${aipsec}.1 onto the loopback interface? if you want to control the
> source address selection, you may need to use route -ifa settings
> instead.
I understood that I had to do this in order to get IPsec done
right in the first place. Many howto documents describe things like
that. Actually ...
> a network diagram would be very helpful here. I guess you are
> trying to configure single ethernet segment to have two IP subnet
> numbers (10.99.10.0/24 and 10.10.10.0/24 are on the same network
> interface, right?). I really don't recommend doing that. get an
> extra ethernet card or two and make the device a proper firewall
> router.
Sure, my real setup has two ethernet cards (three even :-) On those
I have
ifconfig ${ifinside} ${aipsec}.1 netmask 0xffffff00
ifconfig ${ifoutside} ${aip} netmask 0xffffff00
The routing setup then goes like
route add -net ${bipsec}.0/24 ${aipsec}.1
just like above. So, the only thing I changed in my test scripts
was to replace ${ifinside} with lo0, and I did this so that people could
more easily reproduce the problem without requiring two cards (this
other "alias" I use in the ifconfig for ${aip} is so that people
would not lose their normal IP configuration when running the test.)
There was no difference for me if I used lo0 or a real interface or
if I configured with or without IP aliases.
The network diagram is the same as last time:
${aipsec}.0/24            ${aip}        ${bip}       ${bipsec}.0/24
...-----------GATEWAY-0---+------//--------GATEWAY-1-------------...
                          |
                          |   ${cip}                 ${cipsec}.0/24
                          +------//--------GATEWAY-2-------------...
                          |
                          .
                          .
                          .
Thank you,
-Gunther
--
Gunther Schadow, M.D., Ph.D. gschadow@regenstrief.org
Medical Information Scientist Regenstrief Institute for Health Care
Adjunct Assistant Professor Indiana University School of Medicine
tel:1(317)630-7960 http://aurora.regenstrief.org
