carp is not needed. IPSec + gre is enough to reproduce the issue.
Here is a setup that crashes within a minute or two:
== Configurations ==
* 2 machines on the same lan:
    north 192.168.1.1
    south 192.168.1.2
* set ipsec=YES in /etc/rc.conf.local on both
* set net.inet.gre.allow=1 in /etc/sysctl.conf on both
north
/etc/ipsec.conf
------- cut --------
north=192.168.1.1
south=192.168.1.2
flow esp out from $north to $south
flow esp in from $south to $north
esp transport from $north to $south \
        spi 0xf0000001 \
        auth hmac-md5 \
        enc des \
        authkey 0x10000000000000000000000000000000 \
        enckey 0x0000000000000000
esp transport from $south to $north \
        spi 0xf0000002 \
        auth hmac-md5 \
        enc des \
        authkey 0x20000000000000000000000000000000 \
        enckey 0x0000000000000000
------- cut --------
/etc/hostname.gre0
------- cut --------
172.16.1.1 172.16.0.1 netmask 0xffffffff link0 up
tunnel 192.168.1.1 192.168.1.2
description "tunnel ipsec"
------- cut --------
south
/etc/ipsec.conf
------- cut --------
north=192.168.1.1
south=192.168.1.2
flow esp in from $north to $south
flow esp out from $south to $north
esp transport from $north to $south \
        spi 0xf0000001 \
        auth hmac-md5 \
        enc des \
        authkey 0x10000000000000000000000000000000 \
        enckey 0x0000000000000000
esp transport from $south to $north \
        spi 0xf0000002 \
        auth hmac-md5 \
        enc des \
        authkey 0x20000000000000000000000000000000 \
        enckey 0x0000000000000000
------- cut --------
/etc/hostname.gre0
------- cut --------
172.16.0.1 172.16.1.1 netmask 0xffffffff link0 up
tunnel 192.168.1.2 192.168.31.1
description "tunnel ipsec"
------- cut --------
== How to repeat the crash on south ==
on north run:
nc -k 3300 < /dev/null
on south run:
while true; do
        date
        cat /bsd | nc 172.16.1.1 3030
done
--
Matthieu Herrb