From nobody@FreeBSD.org  Mon Apr 12 15:54:33 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 03B8516A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 12 Apr 2004 15:54:33 -0700 (PDT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F1D2F43D41
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 12 Apr 2004 15:54:32 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.10/8.12.10) with ESMTP id i3CMsW72004063
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 12 Apr 2004 15:54:32 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.10/8.12.10/Submit) id i3CMsWEi004062;
	Mon, 12 Apr 2004 15:54:32 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200404122254.i3CMsWEi004062@www.freebsd.org>
Date: Mon, 12 Apr 2004 15:54:32 -0700 (PDT)
From: Timothy Ham <tham@nth-order.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: IPSEC filters outbound ISAKMP traffic  and IPSEC negotiation fails.
X-Send-Pr-Version: www-2.3

>Number:         65474
>Category:       kern
>Synopsis:       IPSEC filters outbound ISAKMP traffic  and IPSEC negotiation fails.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 12 16:00:45 PDT 2004
>Closed-Date:    Tue Jun 22 16:57:46 GMT 2004
>Last-Modified:  Tue Jun 22 16:57:46 GMT 2004
>Originator:     Timothy Ham
>Release:        5.2.1-RELEASE-p3
>Organization:
>Environment:
FreeBSD atta.nth-order.com 5.2.1-RELEASE-p3 FreeBSD 5.2.1-RELEASE-p3 #1: Sat Mar 20 18:50:16 PST 2004     tham@atta.nth-order.com:/usr/obj/usr/src/sys/ATTAB  i386
      
>Description:
ISAKMP traffic on port 500 which should not be affected by IPSEC policy is, and only on the outbound side.  During key negotiations, the kernel should allow unencrypted key-exchange packets on port 500 between the hosts.  Even with the "require" policy, these packets should be allowed to go through (initial key exchange must occur in the clear).  In FreeBSD version 5.1 the kernel performs the correct behavior.  Since 5.2-Release, and subsequent patches (up to 5.2.1-p3) the kernel silently drops outgoing key-exchange packets, and *only* the outgoing packets, and thus IPSEC negotiation fails.
>How-To-Repeat:
Set up IPSEC between two machines (IPSEC in the kernel, running Racoon)
Set up a tunnel between them, using esp and the "use" policy on both.
Monitor racoon debug output and tcpdump.

With the "use" policy, the key negotiations should take place and ipsec negotiations will succeed.  

Change the tunnel setting on one of the machines and change the policy to "require".

Now, racoon and tcpdump will show that the machine with "use" policy (call it machine A) sends out the proper request.  When the machine with the "require" policy (call it machine B) responds, racoon on B will show that it is replying to machine A's key-exchange request with its own response, but tcpdump will show no packets from machine B.  Consequently machine A will fail IPSEC negotiations complaining it did not receive any response from B.
>Fix:
Un-safe workaround: instead of "require" policy, use "use".  
>Release-Note:
>Audit-Trail:

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Timothy Ham <tham@nth-order.com>
Cc: freebsd-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Subject: Re: kern/65474: IPSEC filters outbound ISAKMP traffic  and IPSEC
 negotiation fails.
Date: Tue, 13 Apr 2004 04:49:36 +0000 (UTC)

 On Mon, 12 Apr 2004, Timothy Ham wrote:
 
 > >Number:         65474
 > >Category:       kern
 >
 > >Fix:
 > Un-safe workaround: instead of "require" policy, use "use".
 
 Excluding IKE traffic from your policy before your other rules
 is a better workaround, I think, because you can still use /require for
 the other rules then.
 
 Please see the end of the following thread for how to do the above
 and in which revisions your problem got fixed by Hajimu Umemoto.
 
 http://lists.freebsd.org/pipermail/freebsd-net/2004-March/003542.html
 
 -- 
 Greetings
 
 Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
 56 69 73 69 74				http://www.zabbadoz.net/
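The following setkey(8) policy file is an added example illustrating the workaround from the reply above (exempting IKE from the SPD ahead of the tunnel rules) on the "require" side described in How-To-Repeat; it is not from the PR, the referenced thread, or the FreeBSD sources. The addresses are constructed placeholders: machine A is gateway 192.0.2.1 for 192.0.2.0/24, machine B (the host loading this file) is gateway 198.51.100.1 for 198.51.100.0/24, and the tunnel runs between the two gateways.

```conf
# Added example (not from the PR or the referenced thread): SPD for the
# "require" side (machine B) that exempts only its own IKE exchange.
# Constructed addresses:
#   A = 192.0.2.1     gateway for 192.0.2.0/24
#   B = 198.51.100.1  gateway for 198.51.100.0/24 (this host)
# Load with:  setkey -f /etc/ipsec.conf     (or:  setkey -c < file)

flush;
spdflush;

# 1. IKE bypass, added FIRST so it is matched before the tunnel policy.
#    Only UDP/500 between the two gateway addresses is exempted; nothing
#    else escapes the "require" level set below.
spdadd 198.51.100.1[500] 192.0.2.1[500] udp -P out none;
spdadd 192.0.2.1[500] 198.51.100.1[500] udp -P in  none;

# 2. The tunnel policy itself stays at "require": every other packet
#    between the two networks must be ESP-encapsulated or is dropped.
spdadd 198.51.100.0/24 192.0.2.0/24 any -P out ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
spdadd 192.0.2.0/24 198.51.100.0/24 any -P in  ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
```

After loading, `setkey -DP` should list the two UDP/500 entries ahead of the tunnel entries, and the tcpdump watch from How-To-Repeat (`tcpdump -n udp port 500` on machine B) should now show B's ISAKMP reply leaving the box while the tunnel traffic remains at "require".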
State-Changed-From-To: open->closed 
State-Changed-By: bms 
State-Changed-When: Tue Jun 22 16:57:28 GMT 2004 
State-Changed-Why:  
fixed by ume@ in -CURRENT 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65474 
>Unformatted:
