From asu@guinness.syncrontech.com  Mon May 16 07:03:01 2005
Return-Path: <asu@guinness.syncrontech.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D5C7C16A4EF
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 16 May 2005 07:03:01 +0000 (GMT)
Received: from espresso2.syncrontech.com (sync-old.syncrontech.com [213.28.98.35])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F172C43DA8
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 16 May 2005 07:02:57 +0000 (GMT)
	(envelope-from asu@guinness.syncrontech.com)
Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.57])
	by espresso2.syncrontech.com (8.12.11/8.12.11) with ESMTP id j4G72tGH041231
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 16 May 2005 10:02:56 +0300 (EEST)
	(envelope-from asu@guinness.syncrontech.com)
Received: from guinness.syncrontech.com (localhost [127.0.0.1])
	by guinness.syncrontech.com (8.12.11/8.12.11) with ESMTP id j4G72oph073301
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 16 May 2005 10:02:50 +0300 (EEST)
	(envelope-from asu@guinness.syncrontech.com)
Received: (from asu@localhost)
	by guinness.syncrontech.com (8.12.11/8.12.11/Submit) id j4G72o2M073300;
	Mon, 16 May 2005 10:02:50 +0300 (EEST)
	(envelope-from asu)
Message-Id: <200505160702.j4G72o2M073300@guinness.syncrontech.com>
Date: Mon, 16 May 2005 10:02:50 +0300 (EEST)
From: Ari Suutari <ari@suutari.iki.fi>
Reply-To: Ari Suutari <ari@suutari.iki.fi>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: IPsec connection stops working if associated network interface goes down and then up again.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         81095
>Category:       kern
>Synopsis:       IPsec connection stops working if associated network interface goes down and then up again.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-net
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 16 07:10:02 GMT 2005
>Closed-Date:    
>Last-Modified:  Tue Jun 15 17:35:00 UTC 2010
>Originator:     Ari Suutari
>Release:        FreeBSD 5.4-RELEASE i386
>Organization:
>Environment:
FreeBSD poison2.syncrontech.com 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri May 13 09:13:34 EEST 2005     root@poison2.syncrontech.com:/usr/src/sys/i386/compile/POISON  i386

>Description:

IPsec VPN tunnel stops working after associated network interface
goes down and then back up again (which can happen with 
networks using tun device, for example). When the network interface
goes down, the IPsec stack updates its cached route to use the system default
route. However, when the interface comes back again the cached
route is not updated to use that interface again.

>How-To-Repeat:

Create a setup of 3 machines:

A: "remote server"
B: IPsec VPN server, use 5.4-RELEASE here
C: "local workstation"

Build a network between A and B which uses tun device (ppp or vtund).
Set up racoon and ipsec policies so that traffic from C to A is
transmitted via the VPN tunnel. Start pinging A from C. Cause some kind of
problem between A and B which causes the tun device to go down.
Fix the temporary problem. Although the tun device goes now up,
the vpn never recovers and ping doesn't work any more.

>Fix:

Somehow update or invalidate the sa_route field (updated at least
in netinet6/ipsec.c now) when routing table changes. As a temporary
workaround, I have modified ipsec.c so that it always calls
rtalloc to ensure valid route.


>Release-Note:
>Audit-Trail:

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: Ari Suutari <ari@suutari.iki.fi>
Cc: FreeBSD-gnats-submit@FreeBSD.org, andre@FreeBSD.org
Subject: Re: kern/81095: IPsec connection stops working if associated network interface goes down and then up again.
Date: Mon, 23 May 2005 18:14:28 +0400

   Ari,
 
 On Mon, May 16, 2005 at 10:02:50AM +0300, Ari Suutari wrote:
 A> >Number:         81095
 A> >Category:       kern
 A> >Synopsis:       IPsec connection stops working if associated network interface goes down and then up again.
 [skip]
 A> >Fix:
 A> 
 A> Somehow updated or invalidate sa_route field (updated at least
 A> in netinet6/ipsec.c now) when routing table changes. As a temporary
 A> workaround, I have modified ipsec.c so that it always calls
 A> rtalloc to ensure valid route.
 
 can you please polish your patch and submit it as a follow-up to the PR?
 There are plans to remove route caching.
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE

From: Ari Suutari <ari@suutari.iki.fi>
To: Gleb Smirnoff <glebius@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org, andre@FreeBSD.org
Subject: Re: kern/81095: IPsec connection stops working if associated network
 interface goes down and then up again.
Date: Tue, 24 May 2005 08:39:09 +0300

 Hi,
 
 Gleb Smirnoff wrote:
  > can you please polish your patch and submit it as follow-up to PR?
  > There plans to remove route caching.
 
 Here it is. I would consider it only a workaround, since it just
 frees any cached route, causing a new lookup to be done every time.
 It covers only the IPv4 case, as I don't have IPv6 in my VPN box
 right now.
 
 I'm keeping my test environment in VmWare so I can easily
 test things if someone is going to work on this.
 
 
 *** ipsec.c.orig	Tue May 24 08:31:09 2005
 --- ipsec.c	Tue May 24 08:31:47 2005
 ***************
 *** 2713,2721 ****
    			state->ro = &isr->sav->sah->sa_route;
    			state->dst = (struct sockaddr *)&state->ro->ro_dst;
    			dst4 = (struct sockaddr_in *)state->dst;
 ! 			if (state->ro->ro_rt
 ! 			 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
 ! 			  || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
    				RTFREE(state->ro->ro_rt);
    				state->ro->ro_rt = NULL;
    			}
 --- 2713,2719 ----
    			state->ro = &isr->sav->sah->sa_route;
    			state->dst = (struct sockaddr *)&state->ro->ro_dst;
    			dst4 = (struct sockaddr_in *)state->dst;
 ! 			if (state->ro->ro_rt) {
    				RTFREE(state->ro->ro_rt);
    				state->ro->ro_rt = NULL;
    			}
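Review bot: the replacement test `if (state->ro->ro_rt)` frees the cached route unconditionally, so sa_route no longer caches anything and every packet through this SA pays an rtalloc() on the IPsec output path; acceptable as a stop-gap, but put a comment at the site saying why (e.g. `/* XXX always re-lookup: cached route is not invalidated on routing-table change, PR kern/81095 */`) so it is not mistaken for the intended design. The condition being removed could not catch this case because the fallback route picked up once the tun route disappears stays RTF_UP and ro_dst still matches ip_dst, so nothing ever triggers a refresh when the more specific route returns; the real fix is to invalidate sa_route when the routing table changes, not to stop caching. As the reply states, only the IPv4 path is patched; the IPv6 output path should be audited for the same test before this goes in.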
 
 
 	Ari S.
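The failure the PR describes, and the effect of the workaround posted above, as an added example that is not part of the PR or of FreeBSD's ipsec.c: a small userland C model of the per-SA route cache with three reuse policies side by side, the 5.4-RELEASE test from the hunk (reuse while RTF_UP is set and ro_dst matches), Ari's always-free workaround, and a routing-table generation counter. The toy routing table, the RTF_UP toggling on interface down/up, the addresses and the interface names are constructed for the model; FreeBSD 5.4 has no such generation counter, and that strategy is included only to contrast with the other two.

```c
/* Added example, not FreeBSD code: userland model of the per-SA route cache
 * (sah->sa_route / ro_dst in ipsec.c).  Table, flags, addresses and interface
 * names are constructed; only RTF_UP keeps its kernel meaning. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTF_UP     0x1
#define MAX_ROUTES 8

struct rtentry { uint32_t dst, mask; int flags; const char *ifname; };

/* Toy routing table.  'generation' is bumped on every change; 5.4 had no such
 * counter, which is why sa_route could go stale without anyone noticing. */
struct rtable { struct rtentry rt[MAX_ROUTES]; int n; unsigned generation; };

static void rt_add(struct rtable *t, uint32_t dst, uint32_t mask, const char *ifname)
{
    struct rtentry *r = &t->rt[t->n++];
    r->dst = dst & mask; r->mask = mask; r->flags = RTF_UP; r->ifname = ifname;
    t->generation++;
}

/* Interface down/up.  The kernel deletes and re-adds the interface's routes;
 * the model toggles RTF_UP on them and counts it as a table change. */
static void rt_set_iface(struct rtable *t, const char *ifname, int up)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->rt[i].ifname, ifname) == 0)
            t->rt[i].flags = up ? t->rt[i].flags | RTF_UP : t->rt[i].flags & ~RTF_UP;
    t->generation++;
}

/* Longest-prefix match over usable routes (what rtalloc() would hand back). */
static struct rtentry *rt_lookup(struct rtable *t, uint32_t dst)
{
    struct rtentry *best = NULL;
    for (int i = 0; i < t->n; i++) {
        struct rtentry *r = &t->rt[i];
        if ((r->flags & RTF_UP) && (dst & r->mask) == r->dst &&
            (best == NULL || r->mask > best->mask))
            best = r;
    }
    return best;
}

/* What the SA caches: the rtentry, the destination it was looked up for and
 * (generation strategy only) the table generation at lookup time. */
struct sa_route_cache { struct rtentry *ro_rt; uint32_t ro_dst; unsigned gen; };

enum reuse_policy {
    CHECK_UP_AND_DST,   /* 5.4-RELEASE: reuse while RTF_UP set and dst matches */
    ALWAYS_RELOOKUP,    /* the PR's workaround: free the cached route every time */
    CHECK_GENERATION    /* reuse until the routing table changes */
};

/* Route selection for one outbound packet, mirroring the hunk: drop a stale
 * cached route, then rtalloc() if nothing is cached. */
static const char *ipsec_select_route(struct rtable *t, struct sa_route_cache *ro,
                                      uint32_t dst, enum reuse_policy p)
{
    if (ro->ro_rt != NULL) {
        int stale = (p == ALWAYS_RELOOKUP) || ro->ro_dst != dst ||
                    (p == CHECK_UP_AND_DST && !(ro->ro_rt->flags & RTF_UP)) ||
                    (p == CHECK_GENERATION && ro->gen != t->generation);
        if (stale)
            ro->ro_rt = NULL;                   /* RTFREE(); ro_rt = NULL */
    }
    if (ro->ro_rt == NULL) {                    /* rtalloc() */
        ro->ro_dst = dst;
        ro->ro_rt  = rt_lookup(t, dst);
        ro->gen    = t->generation;
    }
    return ro->ro_rt ? ro->ro_rt->ifname : "(no route)";
}

/* The PR's scenario: A (10.10.10.1, constructed) is reached over tun0; tun0
 * goes down and the SA falls back to the default route; tun0 comes back.
 * Returns the interface the SA's cached route points at after recovery. */
static const char *scenario(enum reuse_policy p)
{
    struct rtable t = {0};
    struct sa_route_cache ro = {0};
    const uint32_t a = 0x0A0A0A01;                 /* 10.10.10.1 */
    rt_add(&t, 0x00000000, 0x00000000, "fxp0");    /* default route */
    rt_add(&t, 0x0A0A0A00, 0xFFFFFF00, "tun0");    /* 10.10.10.0/24 via tunnel */
    ipsec_select_route(&t, &ro, a, p);             /* tun0 */
    rt_set_iface(&t, "tun0", 0);
    ipsec_select_route(&t, &ro, a, p);             /* falls back to fxp0 */
    rt_set_iface(&t, "tun0", 1);
    return ipsec_select_route(&t, &ro, a, p);
}

int main(void)
{
    printf("RTF_UP+dst check : %s\n", scenario(CHECK_UP_AND_DST)); /* fxp0: stuck */
    printf("always re-lookup : %s\n", scenario(ALWAYS_RELOOKUP));  /* tun0 */
    printf("generation check : %s\n", scenario(CHECK_GENERATION)); /* tun0 */
    return 0;
}
```

Built with `cc -std=c99 -Wall`, the first line shows the cached route still pointing at fxp0 after tun0 has come back, which is the symptom the PR reports: the fallback default route is RTF_UP and the destination has not changed, so the 5.4 test never fires. The workaround recovers because it never reuses the cache at all; the generation check recovers because bringing tun0 back counts as a table change, which is the invalidation hook the PR's Fix section asks for.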
Responsible-Changed-From-To: freebsd-bugs->gnn 
Responsible-Changed-By: gnn 
Responsible-Changed-When: Sun Nov 12 09:53:09 UTC 2006 
Responsible-Changed-Why:  
Looking at IPsec-related bugs. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=81095 
Responsible-Changed-From-To: gnn->freebsd-net 
Responsible-Changed-By: gnn 
Responsible-Changed-When: Tue Jun 15 17:34:03 UTC 2010 
Responsible-Changed-Why:  
This is probably no longer valid given the changes in our 
IPSec stack over the last 4 years.  People are welcome to 
retest/resubmit. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=81095 
>Unformatted:
