On 25.08.11 18:50, Stefan Rinkes wrote:
Hi,
I'm currently trying to configure pfsync including ipsec, since
the machine we will have to configure just has two interfaces
(old sun netra x1) and the pfsync traffic has to be secured.
The configuration is:
(it's a very basic config, because I tried to reduce it to find the problem)
- /etc/hostname.enc0
    up
- /etc/hostname.pfsync0
    create
    syncpeer 192.168.160.2 syncdev enc0
    up
- /etc/ipsec.conf
    ike esp from 192.168.160.1 to 192.168.160.2 \
        psk toortoor
    ike esp from 192.168.160.2 to 192.168.160.1 \
        psk toortoor
- /etc/rc.conf.local
    isakmpd_flags="-K -4"
    ipsec=YES
- /etc/pf.conf
    set skip on lo
    set skip on enc0
    set hostid 1
    pass log # to establish keep-state
- Kernel
    OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011
    [email protected]:/usr/src/sys/arch/i386/compile/GENERIC
The ipsec connection works fine; tcp/udp/icmp showed no problems.
But as soon as pfsync traffic shows up on the ipsec connection, the systems
(both at the same time) hang, crash or panic.
I had to take pics, since I tested the setup in VirtualBox.
panic:
http://sri-dev.de/uploads/obsd/panic-pfsync-esp.png
crash:
http://sri-dev.de/uploads/obsd/panic-pfsync-esp2.png
Any ideas? Is it a known problem?
If you need more information about the setup/config, feel
free to ask.
Thanks in advance and
greetz Stefan
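A configuration check for the setup described in the report, added here as an example and not part of Stefan's mail: it parses constructed copies of the hostname.pfsync0 and ipsec.conf quoted above, confirms that syncdev is enc0, and confirms that ipsec.conf carries a rule in each direction between the local address (assumed to be 192.168.160.1, matching the first ike line) and the syncpeer, so that pfsync's state-table and TDB updates never leave the box in the clear. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: check that a pfsync peer reached over
# enc0 is covered by ipsec.conf in both directions.
set -eu

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed copies of the two files quoted in the report.
cat > "$tmp/hostname.pfsync0" <<'EOF'
create
syncpeer 192.168.160.2 syncdev enc0
up
EOF

cat > "$tmp/ipsec.conf" <<'EOF'
ike esp from 192.168.160.1 to 192.168.160.2 \
	psk toortoor
ike esp from 192.168.160.2 to 192.168.160.1 \
	psk toortoor
EOF

# pfsync_field FILE KEY -> prints the word following KEY in hostname.pfsync0
pfsync_field() {
    awk -v key="$2" '{ for (i = 1; i < NF; i++) if ($i == key) print $(i+1) }' "$1"
}

# ipsec_covers FILE SRC DST -> exit 0 if an ike/flow rule carries SRC -> DST.
# Backslash-continued lines are joined before the "from SRC to DST" match.
ipsec_covers() {
    awk -v src="$2" -v dst="$3" '
        /\\$/ { sub(/\\$/, ""); cont = cont $0; next }
        {
            line = cont $0; cont = ""
            n = split(line, f, " ")
            if (f[1] == "ike" || f[1] == "flow")
                for (i = 1; i < n; i++)
                    if (f[i] == "from" && f[i+1] == src && f[i+2] == "to" && f[i+3] == dst)
                        found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_pfsync_ipsec PFSYNC_FILE IPSEC_FILE LOCAL_ADDR -> prints "ok" or the first problem
check_pfsync_ipsec() {
    peer=$(pfsync_field "$1" syncpeer)
    dev=$(pfsync_field "$1" syncdev)
    if [ -z "$peer" ]; then echo "no syncpeer configured"; return 1; fi
    if [ "$dev" != "enc0" ]; then echo "syncdev is $dev, not enc0"; return 1; fi
    ipsec_covers "$2" "$3" "$peer" || { echo "no IPsec rule $3 -> $peer"; return 1; }
    ipsec_covers "$2" "$peer" "$3" || { echo "no IPsec rule $peer -> $3"; return 1; }
    echo ok
}

check_pfsync_ipsec "$tmp/hostname.pfsync0" "$tmp/ipsec.conf" 192.168.160.1
```

The check only proves that the peer address is covered by an ike rule on this side; it does not prove the SA is actually up, so on a live box pair it with `ipsecctl -sa` before trusting the result.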
Hi,
I read some code and was able to nail down the bug to the following diff:
--- a/src/sys/netinet/ip_esp.c
+++ b/src/sys/netinet/ip_esp.c
@@ -920,7 +920,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct
mbuf **mp, int skip,
bcopy((caddr_t) &replay, mtod(mo, caddr_t) +
sizeof(u_int32_t),
sizeof(u_int32_t));
#if NPFSYNC > 0
- pfsync_update_tdb(tdb,1);
+ //pfsync_update_tdb(tdb,1);
#endif
}
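Review bot: commenting out pfsync_update_tdb(tdb,1) at line 920 of esp_output() removes the symptom but also stops pfsync from sending TDB updates (the replay counter copied just above) for every outgoing SA, so the peer will stop tracking them after a failover; this is a workaround, not a fix. The hook runs for every ESP packet that leaves the box, and with syncdev enc0 that includes the ESP packets carrying pfsync's own traffic, so pfsync's output path may re-enter pfsync through this call; the real fix should break that cycle (for example by not emitting a TDB update from within pfsync's own send path) instead of dropping the update for all SAs. Also, `//` comments are not kernel style; if the line has to be disabled for testing, wrap it in `#if 0`/`#endif` or remove it.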
A kernel with this "patch" does not panic anymore and all traffic is
working fine with the ipsec connection.
Since I'm not an expert at ipsec or pfsync, can somebody please take a
look at it?
There was a giant commit for pfsync v5 about 2 years ago, also touching
pfsync_update_tdb().
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pfsync.c.diff?r1=1.102;r2=1.103
Greetz Stefan