NetBSD-Bugs archive


bin/41757: racoon in recent -current fails to establish tunnel
>Number:         41757
>Category:       bin
>Synopsis:       recent racoon fails to correctly establish tunnel
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 21 08:15:00 +0000 2009
>Originator:     blymn%internode.on.net@localhost
>Release:        NetBSD 5.99.15 cvs update 18/7/09
>Organization:
Brett Lymn
>Environment:
System: NetBSD siren 5.99.15 NetBSD 5.99.15 (SIREN.ACPI.MP) #12: Sun Jul 19 19:44:40 UTC 2009 toor@siren:/usr/src/sys/arch/amd64/compile/SIREN.ACPI.MP amd64
Architecture: x86_64
Machine: amd64
>Description:
        I have a permanent VPN connection configured from a NetBSD machine
to a Checkpoint FW-1 firewall.  With a racoon binary circa June 2007 the
tunnel comes up fine and I can VPN without problems.  With the racoon from
netbsd-current circa 18/7/09 racoon just seems to keep negotiating phase 2
and not actually bring the tunnel up, even though it says it succeeded:

Jul 19 19:50:53 siren racoon: INFO: IPsec-SA request for 10.10.10.10 queued due to no phase1 found.
Jul 19 19:50:53 siren racoon: INFO: initiate new phase 1 negotiation: 192.168.3.1[500]<=>10.10.10.10[500]
Jul 19 19:50:53 siren racoon: INFO: begin Identity Protection mode.
Jul 19 19:50:53 siren racoon: INFO: ISAKMP-SA established 192.168.3.1[500]-10.10.10.10[500] spi:f2ad2cff4c5be202:bc55f175ec793b2d
Jul 19 19:50:54 siren racoon: INFO: initiate new phase 2 negotiation: 192.168.3.1[500]<=>10.10.10.10[500]
Jul 19 19:50:54 siren racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.3.1[500]->10.10.10.10[500] spi=139984226(0x857fd62)
Jul 19 19:50:54 siren racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.3.1[500]->10.10.10.10[500] spi=2727670883(0xa294f463)
Jul 19 19:52:16 siren racoon: INFO: initiate new phase 2 negotiation: 192.168.3.1[500]<=>10.10.10.10[500]
Jul 19 19:52:16 siren racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.3.1[500]->10.10.10.10[500] spi=204092163(0xc2a3303)
Jul 19 19:52:16 siren racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.3.1[500]->10.10.10.10[500] spi=1960358005(0x74d8b075)

It seems like the negotiation happened for each packet.  Using setkey -D and
setkey -DP I could see valid SAs in the list and the SPDs looked correct,
but no traffic went over the tunnel.

I was able to get the tunnel working again by recovering the /usr/sbin/racoon
binary from a backup taken prior to the upgrade of the machine. The machine
is still running netbsd-current; only the racoon binary has been replaced with
one known to work for me.

>How-To-Repeat:
        Get racoon to negotiate a tunnel to a Checkpoint FW-1 firewall.
>Fix:
        The problem can be worked around by using an old racoon binary.
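The symptom in the report, phase 2 being initiated again and again for the same peer with a fresh SA pair each time while the tunnel carries no traffic, shows up in syslog before anyone reaches for setkey. The Python script below is an added example, not part of the bug report or of the racoon project: it parses racoon INFO lines and flags a peer pair that starts phase 2 more than once inside a time window. The sample input is constructed from the log excerpt above (rewrapped to one syslog line per event), and the year is assumed to be 2009 because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Syslog timestamps carry no year; 2009 is assumed from the report's arrival date.
ASSUMED_YEAR = 2009

# Constructed sample input: the racoon log excerpt from the report, one event per line.
SAMPLE_LOG = """\
Jul 19 19:50:53 siren racoon: INFO: IPsec-SA request for 10.10.10.10 queued due to no phase1 found.
Jul 19 19:50:53 siren racoon: INFO: initiate new phase 1 negotiation: 192.168.3.1[500]<=>10.10.10.10[500]
Jul 19 19:50:53 siren racoon: INFO: begin Identity Protection mode.
Jul 19 19:50:53 siren racoon: INFO: ISAKMP-SA established 192.168.3.1[500]-10.10.10.10[500] spi:f2ad2cff4c5be202:bc55f175ec793b2d
Jul 19 19:50:54 siren racoon: INFO: initiate new phase 2 negotiation: 192.168.3.1[500]<=>10.10.10.10[500]
Jul 19 19:50:54 siren racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.3.1[500]->10.10.10.10[500] spi=139984226(0x857fd62)
Jul 19 19:50:54 siren racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.3.1[500]->10.10.10.10[500] spi=2727670883(0xa294f463)
Jul 19 19:52:16 siren racoon: INFO: initiate new phase 2 negotiation: 192.168.3.1[500]<=>10.10.10.10[500]
Jul 19 19:52:16 siren racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.3.1[500]->10.10.10.10[500] spi=204092163(0xc2a3303)
Jul 19 19:52:16 siren racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.3.1[500]->10.10.10.10[500] spi=1960358005(0x74d8b075)
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\S+\s+racoon(?:\[\d+\])?:\s+(?P<level>[A-Z]+):\s+(?P<msg>.*?)\s*$"
)
PHASE2_RE = re.compile(r"initiate new phase 2 negotiation: (?P<local>\S+)<=>(?P<remote>\S+)")
SA_RE = re.compile(
    r"IPsec-SA established: \S+ (?P<src>\S+)->(?P<dst>\S+) spi=(?P<spi>\d+)\((?P<hex>0x[0-9a-f]+)\)"
)


def parse_racoon_log(text):
    """Return a list of (timestamp, level, message) tuples for racoon syslog lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a racoon line, ignore it
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y"
        )
        events.append((ts, m["level"], m["msg"]))
    return events


def phase2_negotiations(events):
    """Map a (local, remote) endpoint pair to the timestamps of its phase 2 initiations."""
    by_peer = defaultdict(list)
    for ts, _level, msg in events:
        m = PHASE2_RE.search(msg)
        if m:
            by_peer[(m["local"], m["remote"])].append(ts)
    return dict(by_peer)


def established_spis(events):
    """Map a (src, dst) endpoint pair to the SPIs of the IPsec SAs racoon reported as established."""
    by_peer = defaultdict(list)
    for _ts, _level, msg in events:
        m = SA_RE.search(msg)
        if m:
            spi = int(m["spi"])
            # racoon prints the SPI in both bases; a mismatch means a garbled line.
            if spi != int(m["hex"], 16):
                raise ValueError(f"SPI mismatch in line: {msg}")
            by_peer[(m["src"], m["dst"])].append(spi)
    return dict(by_peer)


@dataclass
class ChurnReport:
    peer: tuple
    negotiations: int      # phase 2 initiations inside the busiest window
    sas_established: int   # IPsec SAs seen for this peer in the whole log
    first: datetime
    last: datetime

    @property
    def elapsed_seconds(self):
        return int((self.last - self.first).total_seconds())


def find_renegotiation_churn(text, window=timedelta(minutes=10), threshold=2):
    """Flag peers that initiate phase 2 at least `threshold` times within `window`.

    A healthy tunnel negotiates phase 2 once and then rekeys on its SA lifetime;
    several initiations a minute or two apart, each producing a fresh SA pair,
    is the pattern the report describes.
    """
    events = parse_racoon_log(text)
    spis = established_spis(events)
    reports = []
    for peer, stamps in phase2_negotiations(events).items():
        stamps = sorted(stamps)
        best = None
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, stamps[start], stamps[end])
        if best[0] >= threshold:
            reports.append(ChurnReport(peer, best[0], len(spis.get(peer, [])), best[1], best[2]))
    return reports


if __name__ == "__main__":
    for r in find_renegotiation_churn(SAMPLE_LOG):
        print(f"{r.peer[0]} <=> {r.peer[1]}: {r.negotiations} phase 2 negotiations "
              f"in {r.elapsed_seconds}s, {r.sas_established} IPsec SAs established")
```

On the sample input the script reports one peer pair with two phase 2 negotiations 82 seconds apart and four established SAs (an inbound and outbound SA per negotiation), which is exactly the churn the report describes; a single negotiation followed by rekeys near the configured lifetime would not trip the default window.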