Subject: inbound transport-mode IPsec broken in current?
To: None <current-users@netbsd.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: current-users
Date: 09/09/2003 12:23:54
I just upgraded a machine's kernel to -current.  (But, the userland is
from August 9th.)

I use transport-mode IPsec for Coda (and finger) and racoon.  This all
worked mostly fine with a kernel from 8/9 and racoon (only trouble was
an apparent mbuf leak).  The other end is 1.6.1-stable.

With the new kernel (same SPD and racoon configs), racoon negotiates
SAs just fine.  I see packets on the wire going out, and replies
coming back, and the reply SPI looks fine (and matches an SA).

But, the data does not make it to the socket.

Counter values imply that something in the SPD/SA lookup is broken for
incoming packets:

ipsec:
        0 inbound packets processed successfully
        0 inbound packets violated process security policy
        223 inbound packets with no SA available
        0 invalid inbound packets
        0 inbound packets failed due to insufficient memory
        0 inbound packets failed getting SPI
        0 inbound packets failed on AH replay check
        0 inbound packets failed on ESP replay check
        0 inbound packets considered authentic
        0 inbound packets failed on authentication
        213 outbound packets processed successfully
        0 outbound packets violated process security policy
        9 outbound packets with no SA available
        0 invalid outbound packets
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route
        ESP output histogram:
                rijndael-cbc: 213
        12564 SPD cache lookups
        635 SPD cache misses

The SA itself (minus the addresses) looks fine (yes, I know I'm
posting keys, used only to protect TCP SYNs that didn't result in
connections, and expired by the time I sent this....).

12:22:07.558743 w.x.y.z > a.b.c.d: ESP(spi=0x05d1ef1a,seq=0xb)

        esp mode=transport spi=97644314(0x05d1ef1a) reqid=0(0x00000000)
        E: rijndael-cbc  71abbead 44bdcef4 7f49da6d 247575b9
        A: hmac-sha1  653c3777 e73c7c9a ce4fd92a 088528bc 0d5aff92
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Sep  9 12:16:56 2003   current: Sep  9 12:21:10 2003
        diff: 254(s)    hard: 600(s)    soft: 480(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=1050 refcnt=1


-- 
        Greg Troxel <gdt@ir.bbn.com>
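As an added illustration (not part of the post, and not NetBSD's code): a small Python script that cross-checks the three artefacts quoted above, the `netstat -s` ipsec counters, the tcpdump ESP line and the `setkey -D` entry, to tell "the kernel has an SA for the SPI on the wire but still counts it as no-SA" (the symptom reported here) apart from "the SPI on the wire genuinely has no SA". The sample strings are copied from the post; the regexes assume the NetBSD output formats exactly as quoted.

```python
import re

# Constructed sample inputs, copied from the post above (addresses stay as the post's placeholders).
NETSTAT_IPSEC = """ipsec:
        0 inbound packets processed successfully
        223 inbound packets with no SA available
        213 outbound packets processed successfully
        9 outbound packets with no SA available
"""
TCPDUMP_LINE = "12:22:07.558743 w.x.y.z > a.b.c.d: ESP(spi=0x05d1ef1a,seq=0xb)"
SETKEY_DUMP = """        esp mode=transport spi=97644314(0x05d1ef1a) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")  # "<count> <description>"


def parse_ipsec_counters(text):
    """Map each counter description of the ipsec block of `netstat -s` to its count."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def tcpdump_esp_spis(text):
    """SPIs (as ints) of ESP packets in tcpdump summary lines."""
    return {int(s, 16) for s in re.findall(r"ESP\(spi=0x([0-9a-fA-F]+)", text)}


def setkey_spis(text):
    """SPIs of SAs in a `setkey -D` dump; setkey prints decimal with the hex in parens."""
    return {int(s) for s in re.findall(r"\bspi=(\d+)\(0x[0-9a-fA-F]+\)", text)}


def diagnose(counters, wire_spis, sad_spis):
    """Classify the inbound failure from counters plus the SPIs seen on the wire and in the SAD."""
    no_sa = counters.get("inbound packets with no SA available", 0)
    if no_sa == 0:
        return "inbound-ok"
    if wire_spis and wire_spis <= sad_spis:
        # Every SPI on the wire has a mature SA, yet the kernel reports "no SA":
        # the inbound SPD/SA lookup itself is suspect (the situation in this post).
        return "sa-present-lookup-broken"
    return "sa-missing"  # the SPIs seen on the wire really are absent from the SAD


if __name__ == "__main__":
    c = parse_ipsec_counters(NETSTAT_IPSEC)
    print(diagnose(c, tcpdump_esp_spis(TCPDUMP_LINE), setkey_spis(SETKEY_DUMP)))
```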