From nobody@FreeBSD.org  Tue Jan 13 11:11:24 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F055F16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 13 Jan 2004 11:11:24 -0800 (PST)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8B72443D69
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 13 Jan 2004 11:11:04 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.10/8.12.10) with ESMTP id i0DJB4dL066313
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 13 Jan 2004 11:11:04 -0800 (PST)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.10/8.12.10/Submit) id i0DJB4hL066312;
	Tue, 13 Jan 2004 11:11:04 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200401131911.i0DJB4hL066312@www.freebsd.org>
Date: Tue, 13 Jan 2004 11:11:04 -0800 (PST)
From: Dierk Sacher <usenet@blaxxtarz.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: KAME IPSEC broken, IKE not excluded from policy, crashes
X-Send-Pr-Version: www-2.0

>Number:         61323
>Category:       kern
>Synopsis:       KAME IPSEC broken, IKE not excluded from policy, crashes
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    ume
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 13 11:20:08 PST 2004
>Closed-Date:    Tue Mar 30 09:51:19 PST 2004
>Last-Modified:  Tue Mar 30 09:51:19 PST 2004
>Originator:     Dierk Sacher
>Release:        5.2-RELEASE
>Organization:
DSITC
>Environment:
FreeBSD luxxor 5.2-RELEASE FreeBSD 5.2-RELEASE #1: Tue Jan 13 14:43:58 CET 2004 root@luxxor:/usr/obj/usr/src/sys/LUXXOR i386
>Description:
IPSEC is not working with automatic keying. No ISAKMP packet ever leaves the machine after the SPD is set up. After a while the machine goes down with a panic or just hangs.

Problem is exactly as already described by
http://lists.freebsd.org/pipermail/freebsd-current/2003-December/016939.html

>How-To-Repeat:
a) build Kernel with
  options IPSEC
  options IPSEC_ESP

b) setup racoon for automatic key exchange
c) setup policy like (esp tunnel)
  spdadd 192.168.1.1/32 0.0.0.0/0 any -P out ipsec 
    esp/tunnel/192.168.1.1-192.168.1.254/require;
  spdadd 0.0.0.0/0 192.168.1.1/0 any -P in ipsec 
    esp/tunnel/192.168.1.1-192.168.1.254/require;

Now, ping the gateway or some other machine. Watch tcpdump output at the gateway: no isakmp traffic at all from the broken 5.2-RELEASE box.

After a while you may even get a panic, or the machine just hangs. Maybe you will have to run setkey -D -F for the crash to happen.

>Fix:
No known fix, but the ISAKMP traffic should not have been blocked.
A "none" policy for udp/500 does not work around the bug; it just crashes too.
>Release-Note:
>Audit-Trail:

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Dierk Sacher <usenet@blaxxtarz.de>
Cc: freebsd-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Subject: Re: kern/61323: KAME IPSEC broken, IKE not excluded from policy,
 crashes
Date: Tue, 13 Jan 2004 19:42:46 +0000 (UTC)

 On Tue, 13 Jan 2004, Dierk Sacher wrote:
 
 > >Fix:
 > No known fix, but the isakmp traffic should not have been blocked.
 > A none policy for udp/500 does not work around the bug, it just crashes too
 
 Can you please try the patches mentioned in
 http://lists.freebsd.org/pipermail/freebsd-current/2004-January/018084.html
 
 -- 
 Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
 56 69 73 69 74				http://www.zabbadoz.net/

From: Dierk Sacher <dierk@blaxxtarz.de>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Subject: Re: kern/61323: KAME IPSEC broken, IKE not excluded from policy, crashes
Date: Wed, 14 Jan 2004 00:57:31 +0100

 Quoting Bjoern A. Zeeb from Tue, Jan 13, 2004 at 07:42:46PM +0000:
 > On Tue, 13 Jan 2004, Dierk Sacher wrote:
 > 
 > > >Fix:
 > > No known fix, but the isakmp traffic should not have been blocked.
 > > A none policy for udp/500 does not work around the bug, it just crashes too
 > 
 > Can you please try the patches mentioned in
 > http://lists.freebsd.org/pipermail/freebsd-current/2004-January/018084.html
 
 Thank you for the pointer. I applied all the patches and from a lazy
 testing I'm able to confirm that the related crashes and panics are gone.
 I'll continue to stress the whole setup over the next days and inform
 you if there are any upcoming stability issues or the like.
 
 The handling of the IKE packets is still broken. Beyond a now acceptable
 workaround, the "manual" handling of the IKE traffic will lead us into a
 chicken-and-egg problem and should rather be implemented the way it's
 supposed to be.
 
 Said patches should be listed in the Fix section of the PR. (My job? No
 experience with PRs so far.)
 
 	Regards
 	  Dierk Sacher
 
 -- 
 |----+----|----+----|----+----|----+----|----+----|----+----|----+----|--<
  GPG Fingerprint: D14C 12BB 37A6 6745 7F4F  F420 9E59 D79E A492 2A96
  GPG KeyID      : A4922A96  
 +------------------------------------------------------------------------+
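
The chicken-and-egg problem Dierk describes above, as an added example (not code from the PR, from FreeBSD or from KAME): a small policy linter that parses setkey(8) spdadd statements and reports any "require" tunnel policy whose selector also covers the IKE exchange (UDP/500) between its own tunnel endpoints, unless a "none" policy in the same direction exempts it. The sample policies are constructed, the second set with the "in" tunnel endpoints written remote-local as setkey(8) documents them; the linter ignores source ports and only models the exemption the kernel itself is supposed to apply to IKE.

```python
import ipaddress
import re

# One setkey(8) spdadd statement: spdadd src dst proto -P dir action [spec];
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(ipsec|none|discard)(?:\s+(\S+))?\s*;")
ADDR_RE = re.compile(r"^([^\[]+)(?:\[(\d+|any)\])?$")  # address/prefix with optional [port]
def parse_endpoint(tok):  # '192.168.1.254/32[500]' -> (ip_network, port or None for any port)
    m = ADDR_RE.match(tok)
    port = None if m.group(2) in (None, "any") else int(m.group(2))
    return ipaddress.ip_network(m.group(1), strict=False), port

def parse_spd(text):
    """Parse spdadd statements; for tunnel policies keep the outer (src, dst) endpoints."""
    pols = []
    for src, dst, proto, direction, action, spec in SPDADD_RE.findall(" ".join(text.split())):
        ends = spec.split("/")[2].split("-") if "/tunnel/" in spec else None
        pols.append({"src": parse_endpoint(src), "dst": parse_endpoint(dst), "proto": proto,
                     "dir": direction, "action": action, "spec": spec,
                     "tunnel": tuple(map(ipaddress.ip_address, ends)) if ends else None})
    return pols

def selects(pol, src_ip, dst_ip, proto, dport):  # does the selector cover this datagram?
    (snet, _), (dnet, dsel) = pol["src"], pol["dst"]
    return (src_ip in snet and dst_ip in dnet
            and pol["proto"] in ("any", proto) and dsel in (None, dport))

def ike_blocked(pols):
    """'require' tunnel policies that also cover IKE (UDP/500) between their own endpoints
    and that no 'none' policy in the same direction exempts: IKE can never negotiate an SA."""
    findings = []
    for pol in pols:
        if pol["tunnel"] is None or "/require" not in pol["spec"]:
            continue
        s, d = pol["tunnel"]
        if selects(pol, s, d, "udp", 500) and not any(
                p["action"] == "none" and p["dir"] == pol["dir"] and selects(p, s, d, "udp", 500)
                for p in pols):
            findings.append(f"{pol['dir']}: {pol['src'][0]} -> {pol['dst'][0]} requires ESP "
                            f"for IKE {s} -> {d} udp/500, so no SA can ever be negotiated")
    return findings

# Constructed samples: the two policies from the report, then a set with an explicit IKE bypass.
REPORTED = """
spdadd 192.168.1.1/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.254/require;
spdadd 0.0.0.0/0 192.168.1.1/0 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.254/require;"""
WITH_BYPASS = """
spdadd 192.168.1.1/32 192.168.1.254/32[500] udp -P out none;
spdadd 192.168.1.254/32 192.168.1.1/32[500] udp -P in none;
spdadd 192.168.1.1/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.254/require;
spdadd 0.0.0.0/0 192.168.1.1/32 any -P in ipsec esp/tunnel/192.168.1.254-192.168.1.1/require;"""
```

Running ike_blocked(parse_spd(REPORTED)) yields two findings (one per direction), while the set with the udp/500 bypass yields none.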
Responsible-Changed-From-To: freebsd-bugs->ume 
Responsible-Changed-By: andre 
Responsible-Changed-When: Thu Jan 15 14:55:20 PST 2004 
Responsible-Changed-Why:  
Send over to UME.  He is working in this code area. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=61323 
State-Changed-From-To: open->closed 
State-Changed-By: ume 
State-Changed-When: Tue Mar 30 09:48:04 PST 2004 
State-Changed-Why:  
It was fixed with following commits: 

src/sys/netinet/ip_output.c	1.205 
src/sys/netinet/raw_ip.c		1.125 
src/sys/netinet/tcp_input.c	1.221 
src/sys/netinet/tcp_output.c	1.85 
src/sys/netinet/udp_usrreq.c	1.146 
src/sys/netinet6/icmp6.c		1.51 
src/sys/netinet6/ip6_output.c	1.76 
src/sys/netinet6/ipsec.c		1.33 
src/sys/netinet6/ipsec.h		1.15 
src/sys/netinet6/ipsec6.h		1.8 
src/sys/netinet6/nd6_nbr.c	1.24 
src/sys/netinet6/raw_ip6.c	1.37 
src/sys/netinet6/udp6_output.c	1.16 
src/sys/netinet6/udp6_usrreq.c	1.41 

The originator confirmed the fix. 
Thank you for reporting it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=61323 
>Unformatted:
