Subject: bin/30437: recent NATT changes break racoon
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <jeffi@rcn.com>
List: netbsd-bugs
Date: 06/05/2005 23:57:00
>Number:         30437
>Category:       bin
>Synopsis:       recent NATT changes break racoon
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 05 23:57:00 +0000 2005
>Originator:     Jeff Ito
>Release:        NetBSD 3.99.5
>Organization:
>Environment:
NetBSD lab 3.99.5 NetBSD 3.99.5 (LAB) #1: Sat May 28 22:39:26 EDT 2005
>Description:
Recent changes in ipsec-tools' racoon cause IPsec failures.

The errors are:

/netbsd: key_update: no SA index found.
racoon: ERROR: pfkey UPDATE failed: No such file or directory

Testing has shown that racoon checked out 20050419 works; however, 20050420 does not. Rolling individual commits forward from 20050419 to 20050420 has shown that the commit in question relates to isakmp_inf.c.

Index: isakmp_inf.c
===================================================================
RCS file: /export/cvs/netbsd/src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c,v
retrieving revision 1.1.1.3
retrieving revision 1.2
diff -u -r1.1.1.3 -r1.2
--- isakmp_inf.c        14 Mar 2005 08:14:30 -0000      1.1.1.3
+++ isakmp_inf.c        19 Apr 2005 19:42:09 -0000      1.2
@@ -1,4 +1,4 @@
-/*     $NetBSD$        */
+/*     $NetBSD: isakmp_inf.c,v 1.1.1.3 2005/03/14 08:14:30 manu Exp $  */
 
 /* Id: isakmp_inf.c,v 1.14.4.2 2005/03/02 20:00:03 vanhu Exp */
 
@@ -1028,7 +1028,7 @@
                        if (iph2) {
                                /* Delete the SPD entry if we generated
it
                                 */
-                               if (iph2->ph1 && iph2->ph1->rmconf && iph2->ph1->rmconf->gen_policy) {
+                               if (iph2->generated_spidx) {
                                        struct policyindex spidx;
                                        struct sockaddr_storage addr;
                                        u_int8_t pref;
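Review bot: the new condition `if (iph2->generated_spidx)` drops the `iph2->ph1 && iph2->ph1->rmconf` NULL guards together with the `gen_policy` test, so the "Delete the SPD entry if we generated it" logic now depends entirely on `generated_spidx` being set on every path that installs a generated SPD entry and on the field being zero-initialised when the phase-2 handle is allocated. If any installing path still only consults `rmconf->gen_policy`, the generated policy will be left behind on teardown; if the field is never cleared, a policy racoon did not generate could be deleted. Suggest verifying the field's initialisation and every assignment site, and stating in the commit message why the per-handle flag is preferred over the remote-config check (for example, that `ph1` may already be gone when phase 2 is torn down).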


However, this code does not exist in the -current sources.
>How-To-Repeat:
Set up IPsec using tunnel or transport mode and racoon. NAT-T is not in use.

i.e.

spdadd 10.1.1.4/32 10.1.1.5/32 any -P in ipsec esp/transport//require;
spdadd 10.1.1.5/32 10.1.1.4/32 any -P out ipsec esp/transport//require;

These configurations work prior to the above-mentioned commits.
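As an added check that is not part of this PR, the following POSIX shell snippet filters a syslog excerpt for the two messages quoted in the Description (the kernel's "key_update: no SA index found." and racoon's "pfkey UPDATE failed") so an operator can confirm whether a host is hitting this failure after the racoon update. The log lines are constructed sample input, not a real capture; the function name is an assumption.

```shell
# Constructed sample syslog excerpt (not a real capture): two lines showing the
# symptom described in the PR, plus two unrelated lines that must not match.
SAMPLE_LOG='Jun  5 23:50:01 lab /netbsd: key_update: no SA index found.
Jun  5 23:50:01 lab racoon: ERROR: pfkey UPDATE failed: No such file or directory
Jun  5 23:50:02 lab racoon: INFO: IPsec-SA established: ESP/Transport 10.1.1.4[0]->10.1.1.5[0]
Jun  5 23:50:05 lab sshd[123]: Accepted publickey for jeff'

# count_pfkey_update_failures (hypothetical helper): print how many lines of the
# log text given as $1 carry either the kernel-side or the racoon-side symptom.
# A non-zero count after a racoon upgrade is the signature of this PR.
count_pfkey_update_failures() {
    printf '%s\n' "$1" | grep -c -E 'key_update: no SA index found|pfkey UPDATE failed'
}

# Usage: prints 2 for the sample above; on a live host feed it the output of
# e.g. `cat /var/log/messages` instead of the constructed excerpt.
count_pfkey_update_failures "$SAMPLE_LOG"
```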




>Fix:
not known.