Subject: Racoon (or UVM?) problem with -current
To: None <current-users@netbsd.org>
From: Paul Dokas <dokas@cs.umn.edu>
List: current-users
Date: 01/14/2002 12:29:04
I had a rather strange panic on Friday night. My work x86 -current
(128.101.AAA.BBB) machine panicked while I was attempting to create
an IPSec session between it and my x86 -current home machine (66.41.CCC.DDD).
I have racoon running on both ends in a rather standard configuration
with certificates to authenticate the peers. The only difference is that
on my work machine I wanted it to be an end point only and to automatically
generate the policy:
remote anonymous
{
        exchange_mode main,aggressive,base;
        doi ipsec_doi;
        situation identity_only;
        my_identifier asn1dn;
        certificate_type x509 "foo.crt" "foo.prv";
        lifetime time 96 hour;  # sec,min,hour
        initial_contact off;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1536;
        }

        # for clients with dynamic IPs
        generate_policy on;
}
The rest of racoon.conf is pretty much as you'll find it in
/usr/share/examples/racoon/racoon.conf.sample
Here are the resulting racoon logs on my work machine:
2002-01-11 22:54:40: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
2002-01-11 22:54:40: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
2002-01-11 22:54:41: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established 128.101.AAA.BBB[500]-66.41.CCC.DDD[500] spi:226e2faf348ee356:c4a87206d6d4ee60
2002-01-11 22:54:42: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 128.101.AAA.BBB[0]<=>66.41.CCC.DDD[0]
2002-01-11 22:54:42: INFO: isakmp_quick.c:2015:get_proposal_r(): no policy found, try to generate the policy : 66.41.CCC.DDD/32[0] 128.101.AAA.BBB/32[0] proto=any dir=in
2002-01-11 22:54:43: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Transport 66.41.CCC.DDD->128.101.AAA.BBB spi=139916924(0x856f67c)
2002-01-11 22:54:43: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Transport 128.101.AAA.BBB->66.41.CCC.DDD spi=267044780(0xfeac7ac)
2002-01-11 22:54:43: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory
2002-01-11 22:54:43: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory
And then it panic'd with this:
uvm_fault(0xc6dd8df8, 0x0, 0, 3) -> e
kernel: page fault trap, code=0
Stopped in pid 13812 (gtar) at key_delsp+0x63: movl %eax, 0(%edx)
db> bt
key_delsp( ) at key_delsp+0x63
key_freesp( ) at key_freesp+0x57
ipsec_invalpcbcache( ) at ipsec_invalpcbcache+0x44
gcc2_compiled.( ) at gcc2_compiled.+0x46
ipsec4_getpolicybysock( ) at ipsec4_getpolicybysock+0x7e
ipsec_hdrsiz( ) at ipsec_hdrsiz+0x4c
ipsec4_hdrsiz_tcp( ) at ipsec4_hdrsiz_tcp+0x39
tcp_output( ) at tcp_output+0x1ca
tcp_input( ) at tcp_input+0x2ae9
ip_input( ) at ip_input+0x668
ipintr( ) at ipintr+0x6b
Bad frame pointer: 0xc6e13fa0
Obviously a problem with appending the policy entries with racoon. But it
should not have resulted in a panic...
Other important information:
+ I've got 2 static entries in /etc/ipsec.conf on my work machine (128.101.AAA.BBB):
spdadd 128.101.AAA.BBB/32 128.101.EEE.FFF/32 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 128.101.EEE.FFF/32 128.101.AAA.BBB/32 any -P in ipsec esp/transport//require ah/transport//require;
+ at the time of the panic, amanda was backing up my work machine with gtar.
Paul
--
Paul Dokas dokas@cs.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
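As an added example (not part of the original post, nor racoon's or NetBSD's own code), here is a small Python parser that turns racoon log lines of the form shown above into records and pairs each pfkey X_SPDUPDATE failure with the "try to generate the policy" attempt and the last IPsec-SA establishment that preceded it. The embedded log lines are the ones quoted in the message (with the poster's anonymised addresses); the record field names and the matching rules are my own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the racoon log lines quoted in the mailing-list post above.
# Addresses keep the poster's AAA.BBB / CCC.DDD anonymisation.
SAMPLE_LOG = """\
2002-01-11 22:54:40: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
2002-01-11 22:54:40: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
2002-01-11 22:54:41: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established 128.101.AAA.BBB[500]-66.41.CCC.DDD[500] spi:226e2faf348ee356:c4a87206d6d4ee60
2002-01-11 22:54:42: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 128.101.AAA.BBB[0]<=>66.41.CCC.DDD[0]
2002-01-11 22:54:42: INFO: isakmp_quick.c:2015:get_proposal_r(): no policy found, try to generate the policy : 66.41.CCC.DDD/32[0] 128.101.AAA.BBB/32[0] proto=any dir=in
2002-01-11 22:54:43: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Transport 66.41.CCC.DDD->128.101.AAA.BBB spi=139916924(0x856f67c)
2002-01-11 22:54:43: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Transport 128.101.AAA.BBB->66.41.CCC.DDD spi=267044780(0xfeac7ac)
2002-01-11 22:54:43: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory
2002-01-11 22:54:43: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory
"""

# One racoon log line: "<date> <time>: <LEVEL>: <file>:<line>:<func>(): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?P<level>[A-Z]+): "
    r"(?P<file>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\): "
    r"(?P<msg>.*)$"
)


@dataclass
class Entry:
    ts: str
    level: str
    file: str
    lineno: int
    func: str
    msg: str


def parse_log(text: str) -> List[Entry]:
    """Parse racoon log text into Entry records; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(m["ts"], m["level"], m["file"],
                                 int(m["lineno"]), m["func"], m["msg"]))
    return entries


def find_generated_policy_failures(entries: List[Entry]) -> List[dict]:
    """Report each pfkey X_SPDUPDATE error together with the policy racoon was
    trying to generate (generate_policy on) and the last SA installed before it.
    A failure right after a generated-policy attempt means the SAs were installed
    but the matching SPD entry was not, which is the situation in the post."""
    last_gen: Optional[Entry] = None
    last_sa: Optional[Entry] = None
    findings = []
    for e in entries:
        if e.func == "get_proposal_r" and "try to generate the policy" in e.msg:
            last_gen = e
        elif "IPsec-SA established" in e.msg:
            last_sa = e
        elif e.level == "ERROR" and "X_SPDUPDATE failed" in e.msg:
            findings.append({
                "when": e.ts,
                # text after "failed: " is the strerror() string racoon logged
                "errno_text": e.msg.split("failed: ", 1)[1],
                # selector text after " : " in the generate-policy line, if any
                "generated_policy": last_gen.msg.partition(" : ")[2] if last_gen else None,
                "last_sa": last_sa.msg if last_sa else None,
            })
    return findings


if __name__ == "__main__":
    for f in find_generated_policy_failures(parse_log(SAMPLE_LOG)):
        print(f"{f['when']}: SPD update failed ({f['errno_text']}) "
              f"for generated policy [{f['generated_policy']}] after SA: {f['last_sa']}")
```

Run against the quoted log this reports both X_SPDUPDATE errors as following the generated-policy attempt for 66.41.CCC.DDD/32 and the outbound SA with spi=267044780, which is the state the kernel was in when key_delsp faulted. For a real deployment the same check can be run over /var/log/racoon.log to catch generate_policy installs that silently leave SAs without a policy.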