https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192774
Bug ID: 192774
Summary: PF_KEY ACQUIRE missing port and protocol info
Product: Base System
Version: 10.0-STABLE
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Created attachment 145951
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=145951&action=edit
patch for problem.
Consider an IPSEC policy such as:
spdadd 0.0.0.0/0 XXX.XXX.XXX.XXX/32[1701] udp -P out ipsec
esp/transport//require;
spdadd XXX.XXX.XXX.XXX/32[1701] 0.0.0.0/0 udp -P in ipsec
esp/transport//require;
When triggered it sends a PF_KEY ACQUIRE message that causes ISAKMP
negotiations to occur with the remote. Unfortunately the key_acquire
routine in sys/netipsec/key.c doesn't contain any code to propagate
the port / protocol information as part of the ACQUIRE message ... as
a result racoon sees an ACQUIRE message for all traffic to the remote
system and supplies that as the proposal which fails since the remote
system is only willing to protect L2TP with IPSEC ... not all traffic.
Note that RFC 2367 3.1.6 SADB_ACQUIRE says:
The address(SD) extensions MUST have the port fields
filled in with the port numbers of the session requiring
keys if appropriate.
With the supplied patch I'm able to successfully establish a L2TP protected
by IPSEC connection from FreeBSD 10-stable to a Cisco 3845 router.
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "[email protected]"
