NetBSD-Bugs archive
kern/41075: options IPSEC+IPSEC_ESP broken
>Number: 41075
>Category: kern
>Synopsis: options IPSEC+IPSEC_ESP broken
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Mar 25 22:15:00 +0000 2009
>Originator: David Young
>Release: NetBSD 5.99.8
>Organization:
David Young OJC Technologies
dyoung%ojctech.com@localhost Urbana, IL * (217) 278-3933
>Environment:
System: NetBSD elmendorf.ojctech.com 5.99.8 NetBSD 5.99.8 (ojctech.com) #9: Mon Mar 23 13:54:32 CST 2009 dyoung%cuw.ojctech.com@localhost:/u3/dyoung/pristine-nbsd/i386/O/sys/arch/i386/compile/ojctech.com i386
Architecture: i386
Machine: i386
>Description:
racoon pfkey accesses fail with 'Invalid argument':
2009-03-23 12:58:45: ERROR: pfkey UPDATE failed: Invalid argument
2009-03-23 12:58:45: ERROR: pfkey ADD failed: Invalid argument
>How-To-Repeat:
Compile your kernel with 'options IPSEC' and 'options IPSEC_ESP'. Use
the following ipsec.conf and racoon.conf:
# ipsec.conf
spdadd timemachine.i.ojctech.com timemachine.i.ojctech.com[3260] tcp -P in none;
spdadd timemachine.i.ojctech.com[3260] timemachine.i.ojctech.com tcp -P out none;
spdadd 0.0.0.0/0 timemachine.i.ojctech.com[3260] tcp -P in ipsec esp/transport//require;
spdadd timemachine.i.ojctech.com[3260] 0.0.0.0/0 tcp -P out ipsec esp/transport//require;
# racoon.conf
path pre_shared_key "/etc/racoon/psk.txt" ;

timer
{
    phase1 60 seconds;
    phase2 60 seconds;
}

remote anonymous
{
    exchange_mode main, base;
    doi ipsec_doi;
    situation identity_only;
    lifetime time 24 hour ;
    generate_policy on ;
    passive on ;
    dpd_delay 2;
    nat_traversal off;
    my_identifier fqdn "timemachine.i.ojctech.com";
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
    # This configuration could make racoon (as a responder)
    # obey the initiator's lifetime and PFS group proposal
    # by setting proposal_check to obey.
    # That would make testing "so much easier", but is really
    # *not* secure!!!
    proposal_check strict;
}

# phase 2 proposal (for IPsec SA).
# The actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
    pfs_group 2;
    lifetime time 12 hour ;
    # tls%netbsd.org@localhost recommends this combination.
    encryption_algorithm blowfish 448;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}
>Fix:
I switched to 'options FAST_IPSEC'. Then everything worked as expected.
Maybe 'options IPSEC' and 'options IPSEC_ESP' should be retired, and
FAST_IPSEC exclusively recommended?
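A quick way to tell whether the kernel's PF_KEY interface accepts requests at all, before chasing racoon's configuration, is to talk to it directly. The program below is an added example, not code from this report, from racoon or from the NetBSD tree: it opens a PF_KEY socket, sends a bare SADB_DUMP request and reports the errno the kernel places in its reply header (the KAME-derived stacks answer an empty SAD with ENOENT, which the probe treats as success). It needs root, builds on NetBSD and Linux (the header location differs, nothing else), and says nothing about why this particular IPSEC+IPSEC_ESP kernel returned EINVAL; it only shows whether PF_KEY messages are being accepted.

```c
/*
 * Minimal PF_KEY v2 probe: send SADB_DUMP and classify the kernel's answer.
 * Added example for this PR; not part of racoon, NetBSD or the bug report.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/pfkeyv2.h>
#else
#include <net/pfkeyv2.h>    /* NetBSD and the other KAME-derived stacks */
#endif

/* Fill a header-only SADB_DUMP request and return its size in bytes.
 * PF_KEY measures sadb_msg_len in 8-byte units, so a bare 16-byte header
 * carries sadb_msg_len == 2. */
size_t build_sadb_dump(struct sadb_msg *m, uint32_t seq)
{
    memset(m, 0, sizeof *m);
    m->sadb_msg_version = PF_KEY_V2;
    m->sadb_msg_type = SADB_DUMP;
    m->sadb_msg_satype = SADB_SATYPE_UNSPEC;        /* dump every SA type */
    m->sadb_msg_len = (uint16_t)(sizeof *m / sizeof(uint64_t));
    m->sadb_msg_seq = seq;
    m->sadb_msg_pid = (uint32_t)getpid();
    return sizeof *m;
}

/* Validate a reply header against our request.  Returns the kernel's
 * sadb_msg_errno (0 on success) or -1 if this is not a well-formed PF_KEY v2
 * reply to SADB_DUMP.  The seq field is not compared: a KAME dump reply uses
 * it to count remaining entries rather than echo the request's seq. */
int check_sadb_reply(const struct sadb_msg *rep, size_t nbytes)
{
    if (nbytes < sizeof *rep) return -1;
    if (rep->sadb_msg_version != PF_KEY_V2) return -1;
    if (rep->sadb_msg_type != SADB_DUMP) return -1;
    if ((size_t)rep->sadb_msg_len * sizeof(uint64_t) > nbytes) return -1;
    return rep->sadb_msg_errno;
}

/* Open a PF_KEY socket, send SADB_DUMP and read one reply.
 * Returns 0 if the kernel accepted the request (including an empty SAD,
 * reported as ENOENT), the kernel's errno if it rejected the message,
 * or -1 with errno set for a local failure (no PF_KEY support, not root). */
int pfkey_dump_probe(void)
{
    struct sadb_msg req;
    union { struct sadb_msg hdr; uint64_t align[512]; } rep;  /* 8-byte aligned */
    int s = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
    if (s < 0) return -1;

    size_t n = build_sadb_dump(&req, 1);
    if (send(s, &req, n, 0) != (ssize_t)n) {
        int e = errno;
        close(s);
        if (e == ENOENT) return 0;      /* some stacks report an empty SAD here */
        errno = e;
        return -1;
    }
    ssize_t r = recv(s, &rep, sizeof rep, 0);
    int e = errno;
    close(s);
    if (r < 0) { errno = e; return -1; }

    int kerr = check_sadb_reply(&rep.hdr, (size_t)r);
    if (kerr < 0) { errno = EPROTO; return -1; }
    return kerr == ENOENT ? 0 : kerr;
}

int main(void)
{
    int rc = pfkey_dump_probe();
    if (rc == -1) { perror("pfkey probe"); return 1; }
    if (rc == 0) { puts("kernel accepted SADB_DUMP: PF_KEY is answering"); return 0; }
    printf("kernel rejected SADB_DUMP: %s (errno %d)\n", strerror(rc), rc);
    return 1;
}
```

If the probe itself gets EINVAL back, the problem is in the kernel's PF_KEY handling, not in racoon.conf; if it succeeds while racoon's UPDATE and ADD still fail, the rejection is specific to those message types and worth tracing with setkey(8) against the same kernel.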