Date: Thu, 22 Feb 2018 11:10:54 +0400
From: Misak Khachatryan <kmisak@gmail.com>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: Eugene Grosbein <eugen@grosbein.net>, freebsd-net@freebsd.org
Subject: Re: Racoon and setkey problems
Message-ID: <CABfKv0mavVUqFsecAAa6-6RjzfBQ9qoGp7sUw8EEyXEkVQ5Onw@mail.gmail.com>
In-Reply-To: <5e13deb9-0d83-5f43-195c-f6797ed36a7b@yandex.ru>
References: <CABfKv0mYX2ouQ1k6M2Bd90yp=eQXP6HcHL7%2BdE2AZQ9afQ%2Bc2g@mail.gmail.com> <5A8A97EC.4040103@grosbein.net> <CABfKv0ntGt6TCP7v9xa=MSSZqHwYbZtYtVd6s0gZ-Mbdu2qk5A@mail.gmail.com> <16e6d695-6961-bc17-6ff0-e2affcd5df3b@yandex.ru> <CABfKv0kvTLJjv7F6y7DTXxE-oXspOHTJti%2Bj0Ftqv5xVpqQQRQ@mail.gmail.com> <5A8BB836.2010501@grosbein.net> <5e13deb9-0d83-5f43-195c-f6797ed36a7b@yandex.ru>
Hello there, just a quick feedback.

I've added rules to my ipfw to block all isakmp ports on interfaces not involved in ipsec and rebooted 3 of 4 machines. Situation returned to normal on them, but rebooting the fourth host is very painful. It seems I have some kind of massive ipsec probes from a botnet which fill all my SAD and SPD entries or PFKEY sockets. All I need is to flush all SAD and SPD entries, but setkey can't do that. Is there any other way?

Best regards,
Misak Khachatryan

On Tue, Feb 20, 2018 at 4:47 PM, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
> On 20.02.2018 08:55, Eugene Grosbein wrote:
>>> yes, all output is from same machine. I'll recheck all configs again,
>>> or, if it's OK, I can post them here. The most confusing thing is that
>>> everything worked as a charm several years. And nothing changed in
>>> configurations until logs started to fill up with these messages and I
>>> tried to play with some settings to troubleshoot.
>>
>> You may be suffering from some kind of massive IPSEC-scanning bots activity
>> that try to exploit IPSEC-related bugs and trigger some memory leak.
>>
>> You should really try 11.1.
>
> 11.1-RELEASE had several bugs in new IPsec code, that were fixed in
> stable/11 branch. So, if you want to try, I recommend to use stable/11.
> Also there is very little chance that some problem will be fixed in 10.x
> branch.
>
> --
> WBR, Andrey V. Elsukov
>
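The two steps the thread describes, spotting which peers are filling the SAD and blocking ISAKMP on the interfaces that carry no IPsec, can be scripted for triage. The following is an added example, not code from the thread or from the FreeBSD project: it parses a constructed `setkey -D` dump to count security associations per remote peer, flags peers above a threshold, and emits (rather than applies) ipfw rules for UDP 500 and 4500. The interface names, the endpoint address 203.0.113.10, the peer addresses and the dump text are all constructed; the real flush behaviour reported in the thread is not addressed here.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a FreeBSD host
# whose SAD is filling with unwanted IPsec state.
# Assumptions (constructed for this example): interfaces em0 (IPsec) and
# em1/em2 (no IPsec), endpoint 203.0.113.10, and the sample dump below.

# Constructed sample in the shape of `setkey -D` output: three SAs, two of
# them from the same remote peer. Each entry starts with a "<src> <dst>" line.
SAMPLE_SETKEY_DUMP=$(cat <<'EOF'
198.51.100.7 203.0.113.10
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
    E: aes-cbc 0123456789abcdef0123456789abcdef
    A: hmac-sha1 0123456789abcdef0123456789abcdef01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 22 10:00:00 2018 current: Feb 22 11:00:00 2018
    sadb_seq=2 pid=1234 refcnt=1
198.51.100.7 203.0.113.10
    esp mode=tunnel spi=305419897(0x12345679) reqid=0(0x00000000)
    E: aes-cbc 0123456789abcdef0123456789abcdef
    A: hmac-sha1 0123456789abcdef0123456789abcdef01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 22 10:05:00 2018 current: Feb 22 11:00:00 2018
    sadb_seq=1 pid=1234 refcnt=1
192.0.2.5 203.0.113.10
    esp mode=tunnel spi=305419898(0x1234567a) reqid=0(0x00000000)
    E: aes-cbc 0123456789abcdef0123456789abcdef
    A: hmac-sha1 0123456789abcdef0123456789abcdef01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 22 10:10:00 2018 current: Feb 22 11:00:00 2018
    sadb_seq=0 pid=1234 refcnt=1
EOF
)

# Count SAs per remote peer from setkey -D text on stdin.
# Prints "<count> <peer>" lines, largest count first. An entry header is the
# only two-field line without an "=" in it (works for IPv4 and IPv6 peers).
count_sas_per_peer() {
    awk '
        NF == 2 && $0 !~ /=/ { peer = $1; next }
        /state=/ { if (peer != "") counts[peer]++ }
        END { for (p in counts) print counts[p], p }
    ' | sort -rn
}

# Print only peers holding at least $1 SAs (stdin: setkey -D text).
noisy_peers() {
    count_sas_per_peer | awk -v t="$1" '$1 >= t'
}

# Emit ipfw rules that drop ISAKMP (UDP 500) and NAT-T (UDP 4500) arriving on
# interfaces that carry no IPsec. Arguments: first rule number, then the
# interface names. The rules are printed, not applied, so they can be
# reviewed and then piped into sh on the router.
isakmp_block_rules() {
    n=$1; shift
    for ifc in "$@"; do
        echo "ipfw add $n deny udp from any to any 500,4500 in via $ifc"
        n=$((n + 1))
    done
}

# Stand-alone demonstration on the constructed dump.
if [ "${1:-}" = "demo" ]; then
    echo "SAs per peer:"
    printf '%s\n' "$SAMPLE_SETKEY_DUMP" | count_sas_per_peer
    echo "Peers with >= 2 SAs:"
    printf '%s\n' "$SAMPLE_SETKEY_DUMP" | noisy_peers 2
    echo "Rules for the non-IPsec interfaces:"
    isakmp_block_rules 1000 em1 em2
fi
```

On a live host, replace the sample with `setkey -D | noisy_peers 50` (or whatever threshold fits the expected number of tunnels) and compare the peers it lists against the configured racoon peers before deciding what to block.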
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CABfKv0mavVUqFsecAAa6-6RjzfBQ9qoGp7sUw8EEyXEkVQ5Onw>