IPSEC broken (FAST_IPSEC works)?

From: Alexander Leidinger <Alexander_at_Leidinger.net>
Date: Thu, 5 Aug 2004 22:30:27 +0200
Hi,

I've replaced a 4.10 server with a 5-current (Jul 18, without
PREEMPTION, with MSIZE=512) one. Both have the same IPSEC config
(kernel, setkey, racoon, gif). But the 5-current one isn't able to
transfer data over the VPN (no ping, no telnet to a port on a host on
the other side of the tunnel).

Racoon is able to negotiate a connection:
---snip---
# setkey -D
No SAD entries.

# ping host_behind_b:
[waiting long enough, but no output]
[ctrl-c]

# setkey -D        
a b 
        esp mode=tunnel spi=3635833369(0xd8b66a19) reqid=0(0x00000000)
        E: 3des-cbc  11d159c7 53846874 895eacfd 66074dc4 36350ac2 f09fe17a
        A: hmac-md5  bf041de9 225ebf60 dac19d00 23653b39
        seq=0x00000002 replay=4 flags=0x00000000 state=mature 
        created: Aug  5 22:10:27 2004   current: Aug  5 22:10:30 2004
        diff: 3(s)      hard: 300(s)    soft: 240(s)
        last: Aug  5 22:10:28 2004      hard: 0(s)      soft: 0(s)
        current: 272(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 2    hard: 0 soft: 0
        sadb_seq=1 pid=561 refcnt=2
b a 
        esp mode=tunnel spi=116056914(0x06eae352) reqid=0(0x00000000)
        E: 3des-cbc  053d94f1 edef8617 69d25dca e69ec7db ad3c9a1a 0838a24c
        A: hmac-md5  04d024d9 96b2c61e 6ecc79e4 f2393bc4
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Aug  5 22:10:27 2004   current: Aug  5 22:10:30 2004
        diff: 3(s)      hard: 300(s)    soft: 240(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=561 refcnt=1
---snip---

tcpdump while doing a "ping host_behind_b":
---snip---
21:43:53.966704 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:43:55.112454 IP b.500 > a.500: isakmp: phase 2/others ? oakley-quick[E]
21:43:55.120021 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:44:55.331956 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
21:47:14.475946 IP a > b: ESP(spi=0x754e1e4d,seq=0x1)
21:47:14.484644 IP b > a: ESP(spi=0x03a777cb,seq=0x1)
21:47:15.483319 IP a > b: ESP(spi=0x754e1e4d,seq=0x2)
21:47:15.489887 IP b > a: ESP(spi=0x03a777cb,seq=0x2)
21:47:16.493331 IP a > b: ESP(spi=0x754e1e4d,seq=0x3)
21:47:16.499916 IP b > a: ESP(spi=0x03a777cb,seq=0x3)
21:47:17.503348 IP a > b: ESP(spi=0x754e1e4d,seq=0x4)
21:47:17.514614 IP b > a: ESP(spi=0x03a777cb,seq=0x4)
21:47:18.513362 IP a > b: ESP(spi=0x754e1e4d,seq=0x5)
21:47:18.520057 IP b > a: ESP(spi=0x03a777cb,seq=0x5)
21:47:56.970054 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:47:58.115081 IP b.500 > a.500: isakmp: phase 2/others ? oakley-quick[E]
21:47:58.122636 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:49:00.330423 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
21:53:00.318424 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
---snip---

tcpdump on the gif interface shows nothing.

"netstat -s -p ipsec" reports:
---snip---
ipsec:
        106 inbound packets processed successfully
        0 inbound packets violated process security policy
        0 inbound packets with no SA available
        0 invalid inbound packets
        0 inbound packets failed due to insufficient memory
        0 inbound packets failed getting SPI
        0 inbound packets failed on AH replay check
        0 inbound packets failed on ESP replay check
        0 inbound packets considered authentic
        0 inbound packets failed on authentication
        ESP input histogram:
                3des-cbc: 106
        102 outbound packets processed successfully
        0 outbound packets violated process security policy
        5 outbound packets with no SA available
        0 invalid outbound packets
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route
        ESP output histogram:
                3des-cbc: 102
        7526 SPD cache lookups
        3235 SPD cache misses
---snip---

A kernel with FAST_IPSEC instead of IPSEC works as expected (ping
reports the round trip time, tcpdump shows traffic on the gif interface
and a quick test with telnet to a port on host_behind_b shows the
expected output).

The system is supposed to go into production soon, so I can't guarantee
I can do "expensive" tests if someone comes up with a patch or needs
some data which is only available if IPSEC instead of FAST_IPSEC is
used.

Bye,
Alexander.

-- 
           I'm available to get hired (preferred in .lu).

http://www.Leidinger.net                       Alexander _at_ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7
Received on Thu Aug 05 2004 - 18:29:58 UTC
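The three dumps quoted above (setkey -D, tcpdump, netstat -s -p ipsec) are the standard triage set for a KAME-era IPsec tunnel, and the tell-tale signs are easy to miss by eye: one SA of the pair is "mature" yet has never carried a byte, and the outbound counter "packets with no SA available" is non-zero even though racoon finished phase 2. The following script is an added example written for this page, not code from the mail or from FreeBSD. It parses the two text formats the poster quoted (using a trimmed copy of that output as constructed sample input, with the key material replaced by a placeholder) and reports those two symptoms. The function and field names are my own; the script draws no conclusion about the root cause, which the thread itself leaves open.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the second `setkey -D` dump from the mail, trimmed,
# keys replaced by a placeholder (only the algorithm name is parsed).
SETKEY_D = """\
a b
        esp mode=tunnel spi=3635833369(0xd8b66a19) reqid=0(0x00000000)
        E: 3des-cbc  <key omitted>
        A: hmac-md5  <key omitted>
        seq=0x00000002 replay=4 flags=0x00000000 state=mature
        created: Aug  5 22:10:27 2004   current: Aug  5 22:10:30 2004
        current: 272(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 2    hard: 0 soft: 0
b a
        esp mode=tunnel spi=116056914(0x06eae352) reqid=0(0x00000000)
        E: 3des-cbc  <key omitted>
        A: hmac-md5  <key omitted>
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Aug  5 22:10:27 2004   current: Aug  5 22:10:30 2004
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
"""

# Constructed sample: excerpt of the `netstat -s -p ipsec` output from the mail.
NETSTAT_IPSEC = """\
ipsec:
        106 inbound packets processed successfully
        0 inbound packets with no SA available
        0 inbound packets failed on authentication
        ESP input histogram:
                3des-cbc: 106
        102 outbound packets processed successfully
        5 outbound packets with no SA available
        7526 SPD cache lookups
        3235 SPD cache misses
"""


@dataclass
class SA:
    """One security association as printed by `setkey -D`."""
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    enc: str = ""
    auth: str = ""
    state: str = ""
    cur_bytes: int = 0
    allocated: int = 0


def parse_setkey_d(text: str) -> List[SA]:
    """Return one SA per unindented 'src dst' block of `setkey -D` output."""
    sas: List[SA] = []
    cur = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("No SAD"):
            continue
        if not line[0].isspace():                 # block header: "src dst"
            parts = line.split()
            if len(parts) < 2:
                continue
            cur = SA(parts[0], parts[1])
            sas.append(cur)
            continue
        if cur is None:
            continue
        if m := re.search(r"\b(esp|ah|ipcomp) mode=(\w+) spi=(\d+)", line):
            cur.proto, cur.mode, cur.spi = m[1], m[2], int(m[3])
        elif m := re.match(r"\s*E:\s+(\S+)", line):
            cur.enc = m[1]
        elif m := re.match(r"\s*A:\s+(\S+)", line):
            cur.auth = m[1]
        elif m := re.search(r"state=(\w+)", line):
            cur.state = m[1]
        elif m := re.search(r"current:\s+(\d+)\(bytes\)", line):  # not the date line
            cur.cur_bytes = int(m[1])
        elif m := re.search(r"allocated:\s+(\d+)", line):
            cur.allocated = int(m[1])
    return sas


def parse_netstat_ipsec(text: str) -> Dict[str, int]:
    """Map each '<count> <description>' line to an int; histogram lines are skipped."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        if m := re.match(r"\s*(\d+)\s+(\S.*?)\s*$", line):
            counters[m[2]] = int(m[1])
    return counters


def diagnose(sas: List[SA], counters: Dict[str, int]) -> List[str]:
    """Flag a mature SA that never carried data, and outbound drops for want of an SA."""
    findings: List[str] = []
    for sa in sas:
        if sa.state == "mature" and sa.cur_bytes == 0 and sa.allocated == 0:
            findings.append(f"SA {sa.src}->{sa.dst} spi=0x{sa.spi:08x} ({sa.proto}/{sa.mode}) "
                            f"is mature but idle: 0 bytes, 0 allocations")
    if no_sa := counters.get("outbound packets with no SA available", 0):
        findings.append(f"{no_sa} outbound packets dropped with no SA available "
                        f"({counters.get('outbound packets processed successfully', 0)} sent)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_setkey_d(SETKEY_D), parse_netstat_ipsec(NETSTAT_IPSEC)):
        print("-", finding)
```

Run against live output with `setkey -D | python3 script.py`-style plumbing once you swap the constants for `sys.stdin.read()`; the point of keeping the parsers separate from `diagnose()` is that the same checks can be re-run after a kernel or racoon change to confirm the idle SA starts accumulating bytes and the "no SA available" counter stops growing.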