Subject: bin/28922: racoon leaves old SA's in kernel
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Kimmo Suominen <kim@tac.nyc.ny.us>
List: netbsd-bugs
Date: 01/09/2005 18:24:01
>Number:         28922
>Category:       bin
>Synopsis:       racoon leaves old SA's in kernel
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 09 18:24:00 +0000 2005
>Originator:     Kimmo Suominen
>Release:        NetBSD 2.99.10 (2004-11-04)
>Organization:
Kimmo Suominen
>Environment:
System: NetBSD stinky.astron.com 2.99.10 NetBSD 2.99.10 (GW-GENERIC) #79: Thu Nov 25 11:22:31 EST 2004 kim@hrothgar.gw.com:/usr/src/sys/arch/i386/compile/GW-GENERIC i386
Architecture: i386
Machine: i386
>Description:
Running "env - sh /etc/rc.d/ipsec reload" on one end of the tunnel (e.g.
to add policies for a new tunnel) removes all SA's and racoon will then
negotiate new ones.

On the other end, the kernel ends up with 2 sets of SA's -- the ones
from before the reload, and the newly negotiated ones.  Apparently it
will continue to encrypt packets with the old SA's, which are no longer
accepted by the first end.

Below is the relevant "setkey -D" output from the "other" end.

I think racoon should have removed the old SA's.  It is not practical
to manually reload IPsec everywhere (it is a cascading problem).

I'm apparently seeing the same problem manifested with tunnels to Cisco
routers.  My guess is that the Cisco renegotiates new SA's before they
expire in the NetBSD kernel, so the NetBSD kernel ends up with two sets
of SA's, effectively stopping all traffic through the tunnel.

Also happens with a 2.99.11 kernel (with the same 2.99.10 userland).

--------
OLD SA's
--------

216.46.73.198 68.175.70.103
        ah mode=transport spi=178068389(0x0a9d1ba5) reqid=0(0x00000000)
        A: hmac-md5  082f630a 6e9f5b62 6b5d3d27 94e8d211
        seq=0x00001be6 replay=4 flags=0x00000000 state=mature
        created: Jan  9 10:40:29 2005   current: Jan  9 13:09:14 2005
        diff: 8925(s)   hard: 14400(s)  soft: 11520(s)
        last: Jan  9 12:20:16 2005      hard: 0(s)      soft: 0(s)
        current: 1124472(bytes) hard: 0(bytes)  soft: 0(bytes)
        allocated: 7142 hard: 0 soft: 0
        sadb_seq=0 pid=0 refcnt=1
216.46.73.198 68.175.70.103
        esp mode=transport spi=241881259(0x0e6ad0ab) reqid=0(0x00000000)
        E: 3des-cbc  09de3d21 0183ad24 ea08abb1 4533fc3c 6499404b b4493e31
        A: hmac-md5  f9fcebbc 0726fc9f 9e2dc4ec e499d760
        seq=0x00001be6 replay=4 flags=0x00000000 state=mature
        created: Jan  9 10:40:29 2005   current: Jan  9 13:09:14 2005
        diff: 8925(s)   hard: 14400(s)  soft: 11520(s)
        last: Jan  9 12:20:16 2005      hard: 0(s)      soft: 0(s)
        current: 893945(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 7142 hard: 0 soft: 0
        sadb_seq=0 pid=0 refcnt=1
68.175.70.103 216.46.73.198
        ah mode=transport spi=166557242(0x09ed763a) reqid=0(0x00000000)
        A: hmac-md5  7d1698a2 e45cb8a8 91f88127 182ef0aa
        seq=0x00001d30 replay=4 flags=0x00000000 state=mature
        created: Jan  9 10:40:29 2005   current: Jan  9 13:09:14 2005
        diff: 8925(s)   hard: 14400(s)  soft: 11520(s)
        last: Jan  9 13:09:12 2005      hard: 0(s)      soft: 0(s)
        current: 1185472(bytes) hard: 0(bytes)  soft: 0(bytes)
        allocated: 7472 hard: 0 soft: 0
        sadb_seq=0 pid=0 refcnt=2
68.175.70.103 216.46.73.198
        esp mode=transport spi=39378598(0x0258dea6) reqid=0(0x00000000)
        E: 3des-cbc  f751eb4d 9a0c9cad f16cb108 1b909214 4ae07e8d 5ef41224
        A: hmac-md5  3c69061b c462f29f 9a153fe5 1ccc6ac9
        seq=0x00001d30 replay=4 flags=0x00000000 state=mature
        created: Jan  9 10:40:29 2005   current: Jan  9 13:09:14 2005
        diff: 8925(s)   hard: 14400(s)  soft: 11520(s)
        last: Jan  9 13:09:12 2005      hard: 0(s)      soft: 0(s)
        current: 1006144(bytes) hard: 0(bytes)  soft: 0(bytes)
        allocated: 7472 hard: 0 soft: 0
        sadb_seq=0 pid=0 refcnt=2

--------
NEW SA's
--------

216.46.73.198 68.175.70.103
        ah mode=transport spi=164807668(0x09d2c3f4) reqid=0(0x00000000)
        A: hmac-md5  99623ed9 a8139393 c1b43e1a 4fbfd562
        seq=0x0000021c replay=4 flags=0x00000000 state=mature
        created: Jan  9 12:20:23 2005   current: Jan  9 13:09:14 2005
        diff: 2931(s)   hard: 14400(s)  soft: 11520(s)
        last: Jan  9 13:09:12 2005      hard: 0(s)      soft: 0(s)
        current: 56880(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 540  hard: 0 soft: 0
        sadb_seq=0 pid=0 refcnt=1
216.46.73.198 68.175.70.103
        esp mode=transport spi=83804545(0x04fec181) reqid=0(0x00000000)
        E: 3des-cbc  63f58d50 34d1277c b25ec3ba 63c55e36 61728a53 924b26db
        A: hmac-md5  db99b810 89a4812d 248741c4 13185d70
        seq=0x0000021c replay=4 flags=0x00000000 state=mature
        created: Jan  9 12:20:23 2005   current: Jan  9 13:09:14 2005
        diff: 2931(s)   hard: 14400(s)  soft: 11520(s)
        last: Jan  9 13:09:12 2005      hard: 0(s)      soft: 0(s)
        current: 38123(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 540  hard: 0 soft: 0
        sadb_seq=0 pid=0 refcnt=1
68.175.70.103 216.46.73.198
        ah mode=transport spi=71312903(0x04402607) reqid=0(0x00000000)
        A: hmac-md5  fb3722bb f2318c47 a57b1b55 9c643312
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jan  9 12:20:23 2005   current: Jan  9 13:09:14 2005
        diff: 2931(s)   hard: 14400(s)  soft: 11520(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=0 refcnt=1
68.175.70.103 216.46.73.198
        esp mode=transport spi=65481914(0x03e72cba) reqid=0(0x00000000)
        E: 3des-cbc  b93584c6 0d7ab894 f9cf0a28 54241233 9477691e ae5cd11c
        A: hmac-md5  a5719553 3819bce1 d910ef15 f8beb973
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jan  9 12:20:23 2005   current: Jan  9 13:09:14 2005
        diff: 2931(s)   hard: 14400(s)  soft: 11520(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=0 refcnt=1
>How-To-Repeat:
Reload ipsec policies on one tunnel end.
>Fix:
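As an added check (not part of the report, racoon or NetBSD), the Python below parses `setkey -D` output such as the dump above, groups SAs by (src, dst, proto), and lists the older duplicates, flagging those the kernel still uses because their last-use time is newer than the replacement's. The sample is an excerpt of the report's ESP entries, and the helper names are hypothetical.

```python
# Added example (hypothetical helper), not racoon or NetBSD code.
import re
from itertools import groupby
from datetime import datetime
# Constructed sample: the report's ESP entries, trimmed to the lines parsed here.
SAMPLE = """\
216.46.73.198 68.175.70.103
        esp mode=transport spi=241881259(0x0e6ad0ab) reqid=0(0x00000000)
        created: Jan  9 10:40:29 2005   current: Jan  9 13:09:14 2005
        last: Jan  9 12:20:16 2005      hard: 0(s)      soft: 0(s)
68.175.70.103 216.46.73.198
        esp mode=transport spi=39378598(0x0258dea6) reqid=0(0x00000000)
        created: Jan  9 10:40:29 2005   current: Jan  9 13:09:14 2005
        last: Jan  9 13:09:12 2005      hard: 0(s)      soft: 0(s)
216.46.73.198 68.175.70.103
        esp mode=transport spi=83804545(0x04fec181) reqid=0(0x00000000)
        created: Jan  9 12:20:23 2005   current: Jan  9 13:09:14 2005
        last: Jan  9 13:09:12 2005      hard: 0(s)      soft: 0(s)
68.175.70.103 216.46.73.198
        esp mode=transport spi=65481914(0x03e72cba) reqid=0(0x00000000)
        created: Jan  9 12:20:23 2005   current: Jan  9 13:09:14 2005
        last:                           hard: 0(s)      soft: 0(s)
"""
HDR = re.compile(r"^(\S+) (\S+)$")  # an unindented "src dst" line opens an entry
PROTO = re.compile(r"^\s+(ah|esp|ipcomp) .*spi=\d+\((0x[0-9a-f]+)\)")
STAMP = re.compile(r"(created|last):\s*(\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})?")

def parse_sadb(text):
    """One dict per SA: src, dst, proto, spi, created, last (None = never used)."""
    sas = []
    for line in text.splitlines():
        if m := HDR.match(line):
            sas.append({"src": m[1], "dst": m[2]})
        elif m := PROTO.match(line):
            sas[-1].update(proto=m[1], spi=m[2])
        elif m := STAMP.search(line):  # "Jan  9 10:40:29 2005"; an empty "last:" gives None
            sas[-1][m[1]] = m[2] and datetime.strptime(" ".join(m[2].split()), "%b %d %H:%M:%S %Y")
    return sas

def find_stale(sas):
    """Older SAs per (src, dst, proto) as (src, dst, proto, spi, in_use); in_use means
    the old SA was used after the newest one, so the kernel still encrypts with it."""
    key = lambda s: (s["src"], s["dst"], s["proto"], s["created"])
    stale = []
    for _, grp in groupby(sorted(sas, key=key), key=lambda s: key(s)[:3]):
        *olds, newest = grp  # sorted by created, so the last one is the replacement
        for old in olds:
            in_use = bool(old["last"]) and (not newest["last"] or old["last"] > newest["last"])
            stale.append((*key(old)[:3], old["spi"], in_use))
    return stale
```

On the report's data this flags the old 68.175.70.103 -> 216.46.73.198 SA as still in use while its replacement has never carried a packet. Stale SPIs can be removed with setkey(8)'s delete statement (`delete src dst proto spi;` fed to `setkey -c`) as an interim cleanup until racoon drops them itself.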