NetBSD Problem Report #41075

From dyoung@ojctech.com  Wed Mar 25 22:11:09 2009
Return-Path: <dyoung@ojctech.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id D1FAC63B8BA
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 25 Mar 2009 22:11:09 +0000 (UTC)
Message-Id: <20090325221108.DAE721BF5CC@elmendorf.ojctech.com>
Date: Wed, 25 Mar 2009 17:11:08 -0500 (CDT)
From: dyoung@ojctech.com
Reply-To: dyoung@ojctech.com
To: gnats-bugs@gnats.NetBSD.org
Subject: options IPSEC+IPSEC_ESP broken
X-Send-Pr-Version: 3.95

>Number:         41075
>Category:       kern
>Synopsis:       options IPSEC+IPSEC_ESP broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Mar 25 22:15:00 +0000 2009
>Closed-Date:    Sat Feb 10 08:26:10 +0000 2018
>Last-Modified:  Sat Feb 10 08:26:10 +0000 2018
>Originator:     David Young
>Release:        NetBSD 5.99.8
>Organization:
David Young             OJC Technologies
dyoung@ojctech.com      Urbana, IL * (217) 278-3933
>Environment:
System: NetBSD elmendorf.ojctech.com 5.99.8 NetBSD 5.99.8 (ojctech.com) #9: Mon Mar 23 13:54:32 CST 2009 dyoung@cuw.ojctech.com:/u3/dyoung/pristine-nbsd/i386/O/sys/arch/i386/compile/ojctech.com i386
Architecture: i386
Machine: i386
>Description:
racoon pfkey accesses fail with 'Invalid argument':

2009-03-23 12:58:45: ERROR: pfkey UPDATE failed: Invalid argument
2009-03-23 12:58:45: ERROR: pfkey ADD failed: Invalid argument

>How-To-Repeat:
Compile your kernel with 'options IPSEC' and 'options IPSEC_ESP'.  Use
the following ipsec.conf and racoon.conf:

# ipsec.conf
spdadd timemachine.i.ojctech.com timemachine.i.ojctech.com[3260] tcp -P in none;
spdadd timemachine.i.ojctech.com[3260] timemachine.i.ojctech.com tcp -P out none;
spdadd 0.0.0.0/0 timemachine.i.ojctech.com[3260] tcp -P in ipsec esp/transport//require;
spdadd timemachine.i.ojctech.com[3260] 0.0.0.0/0 tcp -P out ipsec esp/transport//require;

# racoon.conf

path pre_shared_key "/etc/racoon/psk.txt" ;

timer
{
	phase1 60 seconds;
	phase2 60 seconds;
}

remote anonymous
{
	exchange_mode main, base;

	doi ipsec_doi;
	situation identity_only;
	lifetime time 24 hour ;
	generate_policy on ;
	passive on ;

	dpd_delay 2;

	nat_traversal off;

	my_identifier fqdn "timemachine.i.ojctech.com";

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}

	# Setting proposal_check to obey would make racoon (as a responder)
	# follow the initiator's lifetime and PFS group proposal.  That would
	# make testing "so much easier", but is really *not* secure!
	proposal_check strict;
}

# phase 2 proposal (for IPsec SA).
# The actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
	pfs_group 2;
	lifetime time 12 hour ;
	# tls@netbsd.org recommends this combination.
	encryption_algorithm blowfish 448;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate ;
}
>Fix:
I switched to 'options FAST_IPSEC'.  Then everything worked as expected.
Maybe 'options IPSEC' and 'options IPSEC_ESP' should be retired, and
FAST_IPSEC exclusively recommended?

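As an added example (not code from this PR, from NetBSD, or from racoon), here is a small Python parser for the setkey(8) `spdadd` statements in the report's ipsec.conf. It takes the mail-wrapped text exactly as it appears above (two statements are broken mid-token by the mailer), reassembles the `;`-terminated statements, validates the `proto/mode/src-dst/level` policy fields, and flags any entry that has no mirror-image policy in the opposite direction. Hostnames are kept as opaque strings, so nothing touches DNS or the kernel; the statement grammar it accepts is the subset the PR uses, not the full setkey language.

```python
"""Parser for the setkey(8) 'spdadd' statements in the PR's ipsec.conf.

Added example, not code from the PR, NetBSD or racoon.  Supported subset:

    spdadd <src>[port] <dst>[port] <upperspec> -P <in|out> <policy> ;
    <policy> := none | discard | ipsec <proto>/<mode>/<src-dst>/<level>
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The ipsec.conf from the PR, reproduced with the mailer's line wrapping
# intact: two statements are split mid-token, so a newline cannot be
# treated as a token separator here.
PR_IPSEC_CONF = """\
# ipsec.conf
spdadd timemachine.i.ojctech.com timemachine.i.ojctech.com[3260] tcp -P in none;
spdadd timemachine.i.ojctech.com[3260] timemachine.i.ojctech.com tcp -P out none
;
spdadd 0.0.0.0/0 timemachine.i.ojctech.com[3260] tcp -P in ipsec esp/transport//
require ;
spdadd timemachine.i.ojctech.com[3260] 0.0.0.0/0 tcp -P out ipsec esp/transport/
/require ;
"""

VALID_PROTOS = ("esp", "ah", "ipcomp")
VALID_MODES = ("transport", "tunnel")
VALID_LEVELS = ("default", "use", "require", "unique")


@dataclass(frozen=True)
class Endpoint:
    address: str
    port: Optional[int]            # None means "any port"


@dataclass(frozen=True)
class Policy:
    action: str                    # 'none', 'discard' or 'ipsec'
    protocol: Optional[str] = None
    mode: Optional[str] = None
    tunnel_ends: Optional[str] = None   # 'src-dst' (tunnel); '' for transport
    level: Optional[str] = None


@dataclass(frozen=True)
class SpdEntry:
    src: Endpoint
    dst: Endpoint
    upperspec: str
    direction: str                 # 'in' or 'out'
    policy: Policy


_ENDPOINT_RE = re.compile(r"^(?P<addr>[^\[\]\s]+)(?:\[(?P<port>\d+)\])?$")


def unwrap_statements(text: str) -> List[str]:
    """Return one string per ';'-terminated statement, comment lines dropped.

    Heuristic for the mail-wrapped form in the PR: physical lines are glued
    together WITHOUT a separator until ';' ends the statement.  Real setkey
    input treats a newline as whitespace; in the PR every wrap falls
    mid-token or just before the ';', so gluing restores the original tokens.
    """
    body = "".join(line for line in text.splitlines()
                   if not line.lstrip().startswith("#"))
    return [s.strip() for s in body.split(";") if s.strip()]


def parse_endpoint(token: str) -> Endpoint:
    m = _ENDPOINT_RE.match(token)
    if not m:
        raise ValueError(f"bad endpoint {token!r}")
    port = m.group("port")
    return Endpoint(m.group("addr"), int(port) if port is not None else None)


def parse_policy(tokens: List[str]) -> Policy:
    if tokens in (["none"], ["discard"]):
        return Policy(action=tokens[0])
    if len(tokens) == 2 and tokens[0] == "ipsec":
        parts = tokens[1].split("/")
        if len(parts) != 4:
            raise ValueError(f"policy needs proto/mode/src-dst/level: {tokens[1]!r}")
        proto, mode, ends, level = parts
        if proto not in VALID_PROTOS or mode not in VALID_MODES or level not in VALID_LEVELS:
            raise ValueError(f"bad ipsec policy {tokens[1]!r}")
        if mode == "tunnel" and "-" not in ends:
            raise ValueError("tunnel mode needs src-dst endpoints")
        return Policy("ipsec", proto, mode, ends, level)
    raise ValueError(f"unrecognised policy {' '.join(tokens)!r}")


def parse_spdadd(statement: str) -> SpdEntry:
    t = statement.split()
    if len(t) < 7 or t[0] != "spdadd" or t[4] != "-P" or t[5] not in ("in", "out"):
        raise ValueError(f"unsupported spdadd statement: {statement!r}")
    return SpdEntry(parse_endpoint(t[1]), parse_endpoint(t[2]), t[3], t[5],
                    parse_policy(t[6:]))


def parse_ipsec_conf(text: str) -> List[SpdEntry]:
    return [parse_spdadd(s) for s in unwrap_statements(text)]


def unmatched_entries(entries: List[SpdEntry]) -> List[SpdEntry]:
    """Entries with no mirror (src/dst swapped, direction flipped, same policy).

    A one-sided policy is a common misconfiguration: one direction is
    required to be protected while the reverse direction passes in clear.
    """
    keys = {(e.src, e.dst, e.upperspec, e.direction, e.policy) for e in entries}
    flip = {"in": "out", "out": "in"}
    return [e for e in entries
            if (e.dst, e.src, e.upperspec, flip[e.direction], e.policy) not in keys]


if __name__ == "__main__":
    parsed = parse_ipsec_conf(PR_IPSEC_CONF)
    for entry in parsed:
        print(entry)
    print("one-sided policies:", unmatched_entries(parsed))
```

Running it on the PR's configuration yields four entries and no one-sided policies: the two `none` entries bypass IPsec for the host's own loopback-style traffic to port 3260, and the two `esp/transport//require` entries require ESP transport mode for that port in both directions. The mirror check is the part worth keeping in a real review script; a policy that requires ESP inbound but lacks the outbound twin will quietly send replies in clear.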
>Release-Note:

>Audit-Trail:
From: Geoff Wing <gcw@pobox.com>
To: NetBSD GNATS <gnats-bugs@netbsd.org>
Cc: 
Subject: Re: kern/41075: options IPSEC+IPSEC_ESP broken
Date: Thu, 26 Mar 2009 10:51:52 +1100

 Hmm, seems to be a separate issue to kern/40969.

 :I switched to 'options FAST_IPSEC'.  Then everything worked as expected.
 :Maybe 'options IPSEC' and 'options IPSEC_ESP' should be retired, and
 :FAST_IPSEC exclusively recommended?

 FAST_IPSEC can't do all the same encryption algorithms that IPSEC/IPSEC_ESP
 can so it's not a drop-in replacement, e.g. AES-CTR 288 bit.

 Regards,
 Geoff

State-Changed-From-To: open->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Sat, 10 Feb 2018 08:26:10 +0000
State-Changed-Why:
Option IPSEC_ESP was removed in 2013. I'm closing this PR. If there is
a separate issue, that you're still having, please re-submit a new PR
with more details.


>Unformatted:
