NetBSD-Users archive


frag issue with IPSEC in netbsd-4-0



I replaced a reasonably happy 3.1 i386 with 4.0 i386 using the same config,
same ipsec-tools and same kernel options:

    options     IPSEC
    options     IPSEC_ESPw/IPSEC)
    options     IPSEC_NAT_T
    options     IPSEC_DEBUG

We seem to be getting a fragmenting/reassembly hang on sessions.  Running
the command: 'ls -aslR /' on the remote system only gets to print:

    [admin@remote ~]$ ls -aslR /
    /:

And at this point it hangs.  Tcpdump on the public side of the local vpn
system shows:

    15:32:22.412107 IP (tos 0x0, ttl  49, id 762, offset 1480, flags [none], length: 72) remote > local: esp
    15:32:22.412112 IP (tos 0x0, ttl  49, id 763, offset 1480, flags [none], length: 72) remote > local: esp
    15:32:22.412536 IP (tos 0x0, ttl  49, id 762, offset 0, flags [+], length: 1500) remote > local: ESP(spi=0x0db8c533,seq=0x286c)
    15:32:22.412679 IP (tos 0x0, ttl  49, id 763, offset 0, flags [+], length: 1500) remote > local: ESP(spi=0x0db8c533,seq=0x286d)
    15:32:22.422678 IP (tos 0x0, ttl  49, id 764, offset 1480, flags [none], length: 72) remote > local: esp
    15:32:22.423248 IP (tos 0x0, ttl  49, id 764, offset 0, flags [+], length: 1500) remote > local: ESP(spi=0x0db8c533,seq=0x286e)
    15:32:22.423255 IP (tos 0x0, ttl  49, id 765, offset 1480, flags [none], length: 72) remote > local: esp
    15:32:22.423534 IP (tos 0x0, ttl  49, id 765, offset 0, flags [+], length: 1500) remote > local: ESP(spi=0x0db8c533,seq=0x286f)
    15:32:22.682082 IP (tos 0x0, ttl  49, id 766, offset 1480, flags [none], length: 72) remote > local: esp
    15:32:22.682366 IP (tos 0x0, ttl  49, id 766, offset 0, flags [+], length: 1500) remote > local: ESP(spi=0x0db8c533,seq=0x2870)
    15:32:23.200031 IP (tos 0x0, ttl  49, id 768, offset 1480, flags [none], length: 72) remote > local: esp
    15:32:23.200459 IP (tos 0x0, ttl  49, id 768, offset 0, flags [+], length: 1500) remote > local: ESP(spi=0x0db8c533,seq=0x2871)
    15:32:24.235788 IP (tos 0x0, ttl  49, id 770, offset 1480, flags [none], length: 72) remote > local: esp
    15:32:24.236216 IP (tos 0x0, ttl  49, id 770, offset 0, flags [+], length: 1500) remote > local: ESP(spi=0x0db8c533,seq=0x2872)
    15:32:26.307302 IP (tos 0x0, ttl  49, id 775, offset 1480, flags [none], length: 72) remote > local: esp
    15:32:26.307729 IP (tos 0x0, ttl  49, id 775, offset 0, flags [+], length: 1500) remote > local: ESP(spi=0x0db8c533,seq=0x2873)
    15:32:30.451327 IP (tos 0x0, ttl  49, id 784, offset 1480, flags [none], length: 72) remote > local: esp


This situation is true for all sites with sessions over ipsec.  Is there a
solution for this?  What other information would I need to include when
submitting a PR for this?

peter
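
An added example, not part of the original post: a Python helper that groups the fragments in verbose tcpdump output like the capture above by IP id and reports whether each ESP datagram arrived complete on the wire, a detail worth stating in a PR. It assumes a 20-byte IP header (no options); the function names are illustrative and the sample is an excerpt of the capture in the post.

```python
import re
from collections import defaultdict

# IP header fields as printed by verbose tcpdump; \s+ tolerates mail line wraps.
HDR = re.compile(
    r"id (?P<id>\d+),\s+offset (?P<off>\d+),\s+"
    r"flags \[(?P<flags>[^\]]*)\],\s+length:\s+(?P<len>\d+)\)"
)
IP_HEADER_LEN = 20  # assumption: no IP options on these packets

# Excerpt of the capture from the post (ids 762 and 784), wrapped as mailed.
SAMPLE = """\
15:32:22.412107 IP (tos 0x0, ttl  49, id 762, offset 1480, flags [none],
length: 72) remote > local: esp
15:32:22.412536 IP (tos 0x0, ttl  49, id 762, offset 0, flags [+], length:
1500) remote > local: ESP(spi=0x0db8c533,seq=0x286c)
15:32:30.451327 IP (tos 0x0, ttl  49, id 784, offset 1480, flags [none],
length: 72) remote > local: esp
"""


def parse_fragments(text):
    """Return {ip_id: [(offset, payload_len, more_fragments), ...]}."""
    frags = defaultdict(list)
    for m in HDR.finditer(text):
        payload = int(m.group("len")) - IP_HEADER_LEN
        more = "+" in m.group("flags")  # tcpdump prints [+] for MF set
        frags[int(m.group("id"))].append((int(m.group("off")), payload, more))
    return dict(frags)


def reassembly_status(frags):
    """Return {ip_id: (complete, contiguous_payload_bytes)} per datagram."""
    status = {}
    for ip_id, parts in frags.items():
        expected, complete = 0, False
        for off, payload, more in sorted(set(parts)):  # arrival order ignored
            if off != expected:  # hole before this fragment
                complete = False
                break
            expected = off + payload
            complete = not more  # complete only if last piece has MF clear
        status[ip_id] = (complete, expected)
    return status


if __name__ == "__main__":
    for ip_id, (ok, size) in sorted(reassembly_status(parse_fragments(SAMPLE)).items()):
        print(f"id {ip_id}: {'complete' if ok else 'INCOMPLETE'}, {size} bytes")
```
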







