Subject: Racoon (or UVM?) problem with -current
To: None <>
From: Paul Dokas <>
List: current-users
Date: 01/14/2002 12:29:04
I had a rather strange panic on Friday night.  My work x86 -current
(128.101.AAA.BBB) machine paniced while I was attempting to create
an IPSec session between it and my X86 -current home machine (66.41.CCC.DDD).

I have racoon running on both ends in a rather standard configuration
with certificates to authenticate the peers.  The only difference is that
on my work machine I wanted it to be an end point only and to automatically
generate the policy:

  remote anonymous
        exchange_mode main,aggressive,base;

        doi ipsec_doi;
        situation identity_only;

        my_identifier asn1dn;
        certificate_type x509 "foo.crt" "foo.prv";

        lifetime time 96 hour;  # sec,min,hour

        initial_contact off;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1536;

        # for clients with dynamic IPs
        generate_policy on;

The rest of racoon.conf is pretty much as you'll find it in

Here's the resulting racoon logs on my work machine:

  2002-01-11 22:54:40: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
  2002-01-11 22:54:40: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
  2002-01-11 22:54:41: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established 128.101.AAA.BBB[500]-66.41.CCC.DDD[500] spi:226e2faf348ee356:c4a87206d6d4ee60
  2002-01-11 22:54:42: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 128.101.AAA.BBB[0]<=>66.41.CCC.DDD[0]
  2002-01-11 22:54:42: INFO: isakmp_quick.c:2015:get_proposal_r(): no policy found, try to generate the policy : 66.41.CCC.DDD/32[0] 128.101.AAA.BBB/32[0] proto=any dir=in
  2002-01-11 22:54:43: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Transport 66.41.CCC.DDD->128.101.AAA.BBB spi=139916924(0x856f67c)
  2002-01-11 22:54:43: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Transport 128.101.AAA.BBB->66.41.CCC.DDD spi=267044780(0xfeac7ac)
  2002-01-11 22:54:43: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory
  2002-01-11 22:54:43: ERROR: pfkey.c:207:pfkey_handler(): pfkey X_SPDUPDATE failed: No such file or directory

And then it panic'd with this:

  uvm_fault(0xc6dd8df8, 0x0, 0, 3) -> e
  kernel: page fault trap, code=0
  Stopped in pid 13812 (gtar) at key_delsp+0x63: movl   %eax,       0(%edx)
  db> bt
  key_delsp(   ) at key_delsp+0x63
  key_freesp(   ) at key_freesp+0x57
  ipsec_invalpcbcache(   ) at ipsec_invalpcbcache+0x44
  gcc2_compiled.(   ) at gcc2_compiled.+0x46
  ipsec4_getpolicybysock(   ) at ipsec4_getpolicybysock+0x7e
  ipsec_hdrsiz(   ) at ipsec_hdrsiz+0x4c
  ipsec4_hdrsiz_tcp(   ) at ipsec4_hdrsiz_tcp+0x39
  tcp_output(   ) at tcp_output+0x1ca
  tcp_input(   ) at tcp_input+0x2ae9
  ip_input(   ) at ip_input+0x668
  ipintr(   ) at ipintr+0x6b
  Bad frame pointer:  0xc6e13fa0

Obviously a problem with appending the policy entries with racoon.  But it
should not have resulting in a panic...

Other important information:

  + I've got 2 static entries in /etc/ipsec.conf on my work machine (128.101.AAA.BBB):

      spdadd 128.101.AAA.BBB/32 128.101.EEE.FFF/32 any -P out ipsec esp/transport//require ah/transport//require;
      spdadd 128.101.EEE.FFF/32 128.101.AAA.BBB/32 any -P in ipsec esp/transport//require ah/transport//require;

  + at the time of the panic, amanda was backing up my work machine with gtar.

Paul Dokas                                  
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."