Subject: Re: bin/30437
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: S.P.Zeidler <spz@serpens.de>
List: netbsd-bugs
Date: 08/17/2005 11:57:02
The following reply was made to PR bin/30437; it has been noted by GNATS.
From: "S.P.Zeidler" <spz@serpens.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/30437
Date: Wed, 17 Aug 2005 13:56:40 +0200
Hi,
FWIW, building a -current (as of Aug 16th) system without IPSEC_NAT_T,
and the racoon with ENABLE_NATT disabled (defined -> undef in
/home/netbsd/src/lib/libipsec/config.h) will work. Also, the netbsd-3
racoon (with ENABLE_NATT) will work.
With 'me' being 10.10.5.5 and the other side being 10.10.5.1, the
same kernel but a racoon with ENABLE_NATT defined will fail to get the
10.10.5.1 -> 10.10.5.5 pfkey out of the larval stage (10.10.5.5 -> 10.10.5.1 works).
Debug output from the racoon:
2005-08-17 11:33:52: DEBUG: KEYMAT computed.
2005-08-17 11:33:52: DEBUG: call pk_sendupdate
2005-08-17 11:33:52: DEBUG: encryption(aes)
2005-08-17 11:33:52: DEBUG: hmac(hmac_sha1)
2005-08-17 11:33:52: DEBUG: call pfkey_send_update_nat
2005-08-17 11:33:52: DEBUG: pfkey update sent.
2005-08-17 11:33:52: DEBUG: encryption(aes)
2005-08-17 11:33:52: DEBUG: hmac(hmac_sha1)
2005-08-17 11:33:52: DEBUG: call pfkey_send_add_nat
2005-08-17 11:33:52: DEBUG: pfkey add sent.
2005-08-17 11:33:52: DEBUG: get pfkey UPDATE message
2005-08-17 11:33:52: ERROR: pfkey UPDATE failed: No such file or directory
2005-08-17 11:33:52: DEBUG: get pfkey ADD message
2005-08-17 11:33:52: INFO: IPsec-SA established: ESP/Tunnel 10.10.5.5[0]->10.10.5.1[0] spi=216295649(0xce468e1)
2005-08-17 11:33:52: DEBUG: ===
2005-08-17 11:34:21: ERROR: 10.10.5.1 give up to get IPsec-SA due to time up to wait.
In contrast, the 3.0 racoon, which also has ENABLE_NATT:
2005-08-17 12:00:58: DEBUG: KEYMAT computed.
2005-08-17 12:00:58: DEBUG: call pk_sendupdate
2005-08-17 12:00:58: DEBUG: encryption(aes)
2005-08-17 12:00:58: DEBUG: hmac(hmac_sha1)
2005-08-17 12:00:58: DEBUG: call pfkey_send_update_nat
2005-08-17 12:00:58: DEBUG: pfkey update sent.
2005-08-17 12:00:58: DEBUG: encryption(aes)
2005-08-17 12:00:58: DEBUG: hmac(hmac_sha1)
2005-08-17 12:00:58: DEBUG: call pfkey_send_add_nat
2005-08-17 12:00:58: DEBUG: pfkey add sent.
2005-08-17 12:00:58: DEBUG: get pfkey UPDATE message
2005-08-17 12:00:58: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 10.10.5.1->10.10.5.5 spi=90695872(0x567e8c0)
2005-08-17 12:00:58: INFO: IPsec-SA established: ESP/Tunnel 10.10.5.1->10.10.5.5 spi=90695872(0x567e8c0)
2005-08-17 12:00:58: DEBUG: ===
2005-08-17 12:00:58: DEBUG: get pfkey ADD message
2005-08-17 12:00:58: INFO: IPsec-SA established: ESP/Tunnel 10.10.5.5->10.10.5.1 spi=189572901(0xb4ca725)
2005-08-17 12:00:58: DEBUG: ===
I first tried rolling back isakmp.c, isakmp_inf.c, isakmp_quick.c and
libipsec/pfkey.c, but it's not them (at least not them alone).
HTH,
spz
--
spz@serpens.de (S.P.Zeidler)
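The two racoon debug excerpts above differ in one detail that is easy to miss by eye: in the failing run the kernel rejects the SADB_UPDATE for the inbound SA (ENOENT, "No such file or directory"), only the outbound 10.10.5.5->10.10.5.1 SA is ever reported as established, and the peer times out. The following Python script is an added example, not part of this PR or of racoon; it parses racoon's timestamped debug lines, records which SA directions the kernel actually accepted and which pfkey UPDATE errors and timeouts occurred, and reports the direction that never came up. The log lines embedded below are copied from the two excerpts in this message; the regular expressions assume racoon's "YYYY-MM-DD HH:MM:SS: LEVEL: message" prefix and its "proto/mode src[port]->dst[port] spi=N" SA notation (the "[port]" suffix is what NAT-T builds print, as seen in the failing log).

```python
"""Summarise racoon phase-2 pfkey outcomes from debug log lines.

Added example for the bin/30437 discussion (not racoon or NetBSD code): given
racoon debug output, report per SA direction whether the kernel accepted the
SADB_UPDATE/SADB_ADD, so an SA left in larval state stands out.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# racoon prefixes every line with "YYYY-MM-DD HH:MM:SS: LEVEL: message".
LINE_RE = re.compile(r"^\S+ \S+: (?P<level>[A-Z]+): (?P<msg>.*)$")
# "ESP/Tunnel 10.10.5.5[0]->10.10.5.1[0] spi=216295649(0x...)"; the optional
# "[port]" suffix appears in NAT-T capable builds.
SA_RE = re.compile(
    r"(?P<proto>\w+)/(?P<mode>\w+) (?P<src>[\d.]+)(?:\[\d+\])?->"
    r"(?P<dst>[\d.]+)(?:\[\d+\])? spi=(?P<spi>\d+)"
)

# Constructed sample input: the lines quoted in the PR follow-up above.
FAILING_LOG = """\
2005-08-17 11:33:52: DEBUG: pfkey add sent.
2005-08-17 11:33:52: DEBUG: get pfkey UPDATE message
2005-08-17 11:33:52: ERROR: pfkey UPDATE failed: No such file or directory
2005-08-17 11:33:52: DEBUG: get pfkey ADD message
2005-08-17 11:33:52: INFO: IPsec-SA established: ESP/Tunnel 10.10.5.5[0]->10.10.5.1[0] spi=216295649(0xce468e1)
2005-08-17 11:33:52: DEBUG: ===
2005-08-17 11:34:21: ERROR: 10.10.5.1 give up to get IPsec-SA due to time up to wait.
""".splitlines()

WORKING_LOG = """\
2005-08-17 12:00:58: DEBUG: get pfkey UPDATE message
2005-08-17 12:00:58: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 10.10.5.1->10.10.5.5 spi=90695872(0x567e8c0)
2005-08-17 12:00:58: INFO: IPsec-SA established: ESP/Tunnel 10.10.5.1->10.10.5.5 spi=90695872(0x567e8c0)
2005-08-17 12:00:58: DEBUG: get pfkey ADD message
2005-08-17 12:00:58: INFO: IPsec-SA established: ESP/Tunnel 10.10.5.5->10.10.5.1 spi=189572901(0xb4ca725)
""".splitlines()


@dataclass
class Summary:
    established: Dict[str, int] = field(default_factory=dict)  # "src->dst" -> SPI
    update_errors: List[str] = field(default_factory=list)     # strerror text
    timeouts: List[str] = field(default_factory=list)          # peer addresses


def summarize(lines):
    """Walk racoon debug lines and collect SA outcomes and pfkey errors."""
    s = Summary()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if msg.startswith("IPsec-SA established:"):
            sa = SA_RE.search(msg)
            if sa:
                s.established[f"{sa['src']}->{sa['dst']}"] = int(sa["spi"])
        elif level == "ERROR" and msg.startswith("pfkey UPDATE failed:"):
            s.update_errors.append(msg.split(":", 1)[1].strip())
        elif level == "ERROR" and "give up to get IPsec-SA" in msg:
            s.timeouts.append(msg.split()[0])  # racoon puts the peer first
    return s


def missing_directions(summary, local, peer):
    """Directions (local->peer, peer->local) that never reached MATURE."""
    want = {f"{local}->{peer}", f"{peer}->{local}"}
    return sorted(want - set(summary.established))


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        s = summarize(log)
        print(name, "established:", s.established)
        print(name, "UPDATE errors:", s.update_errors, "timeouts:", s.timeouts)
        print(name, "never established:", missing_directions(s, "10.10.5.5", "10.10.5.1"))
```

Run on the failing excerpt it reports that only 10.10.5.5->10.10.5.1 was established, one UPDATE error ("No such file or directory") and a timeout from 10.10.5.1, with 10.10.5.1->10.10.5.5 listed as never established; on the 3.0 excerpt both directions are present and nothing is flagged. The same script can be pointed at a full racoon debug log with a different local/peer pair to check a NAT-T build for this symptom.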