IPSEC/FAST_IPSEC panic.
Gary Allan
dragonfly at gallan.plus.com
Mon Apr 24 09:57:30 PDT 2006
Matthew Dillon wrote:
> Could you explain the TCP timeout issue more? Does TCP work initially
> and then fail at some point after the connection has been working for
> a while? I need to be able to duplicate the problem to track it down.
> It might also help to use tcpdump to observe the packet traffic at the
> point where the connection starts to fail and times out.
> tcpdump -s 4096 -vvv -i em0 -n -l port <port_you_are_testing_tcp_on>
> -Matt
I was able to set up another DragonFly box and configure IPSEC between
two DragonFly machines. FTP, DNS and PING (8000 bytes) worked between
the PCs but ssh did not (Same timeout errors). I have enabled
IPSEC_DEBUG but there is no diagnostic output. All PCs are built without
IPv6 support. (I'll test again with it enabled.)
Server:
192.168.20.4
DragonFly fire.local 1.5.3-DEVELOPMENT DragonFly 1.5.3-DEVELOPMENT #0:
Sun Apr 23 18:27:00 BST 2006
gary at xxxxxxxxxx:/usr/obj/usr/src/sys/BUILD-IPSEC i386
fire ~ # sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root vsftpd 642 3 tcp4 *:21 *:*
root sendmail 592 4 tcp4 127.0.0.1:25 *:*
root sshd 583 3 tcp4 *:22 *:*
bind named 307 20 udp4 192.168.20.4:53 *:*
bind named 307 21 tcp4 192.168.20.4:53 *:*
bind named 307 22 udp4 127.0.0.1:53 *:*
bind named 307 23 tcp4 127.0.0.1:53 *:*
bind named 307 24 udp4 *:1024 *:*
bind named 307 25 tcp4 127.0.0.1:953 *:*
Client:
192.168.20.6
FreeBSD lappy.local 6.0-RELEASE-p6 FreeBSD 6.0-RELEASE-p6 #1: Wed Apr 19
15:55:17 UTC 2006 root at xxxxxxxxxxx:/usr/obj/usr/src/sys/BUILD i386
When using FreeBSD 4.11 or 6.0 as a client, UDP and ICMP connections work
but TCP connections to vsftpd and ssh time out. The ssh connections are
partially successful, as the server displays the message:
Apr 25 17:48:59 fire sshd[708]: fatal: Timeout before authentication for 192.168.20.6
Thanks
Gary
17:25:56.132650 IP (tos 0x0, ttl 64, id 153, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x17): ESP(spi=0x00005fb5,seq=0x17)
17:25:59.131242 IP (tos 0x0, ttl 64, id 154, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x18): ESP(spi=0x00005fb5,seq=0x18)
17:25:59.131491 IP (tos 0x0, ttl 64, id 178, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x13): ESP(spi=0x00003d55,seq=0x13)
17:26:02.330203 IP (tos 0x0, ttl 64, id 155, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x19): ESP(spi=0x00005fb5,seq=0x19)
17:26:02.330422 IP (tos 0x0, ttl 64, id 179, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x14): ESP(spi=0x00003d55,seq=0x14)
17:26:05.529001 IP (tos 0x0, ttl 64, id 156, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1a): ESP(spi=0x00005fb5,seq=0x1a)
17:26:05.529217 IP (tos 0x0, ttl 64, id 180, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x15): ESP(spi=0x00003d55,seq=0x15)
17:26:08.727881 IP (tos 0x0, ttl 64, id 157, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1b): ESP(spi=0x00005fb5,seq=0x1b)
17:26:11.927255 IP (tos 0x0, ttl 64, id 158, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1c): ESP(spi=0x00005fb5,seq=0x1c)
17:26:18.126097 IP (tos 0x0, ttl 64, id 159, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1d): ESP(spi=0x00005fb5,seq=0x1d)
17:26:30.321695 IP (tos 0x0, ttl 64, id 160, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1e): ESP(spi=0x00005fb5,seq=0x1e)
17:26:30.321926 IP (tos 0x0, ttl 64, id 181, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x16): ESP(spi=0x00003d55,seq=0x16)
17:26:54.513533 IP (tos 0x0, ttl 64, id 161, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x1f): ESP(spi=0x00005fb5,seq=0x1f)
17:26:54.513776 IP (tos 0x0, ttl 64, id 182, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x17): ESP(spi=0x00003d55,seq=0x17)
17:23:56.284365 IP (tos 0x0, ttl 64, id 122, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x8): ESP(spi=0x00005fb5,seq=0x8)
17:23:56.284599 IP (tos 0x0, ttl 64, id 160, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x5): ESP(spi=0x00003d55,seq=0x5)
17:23:59.283225 IP (tos 0x0, ttl 64, id 123, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x9): ESP(spi=0x00005fb5,seq=0x9)
17:24:02.482010 IP (tos 0x0, ttl 64, id 124, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xa): ESP(spi=0x00005fb5,seq=0xa)
17:24:05.680898 IP (tos 0x0, ttl 64, id 125, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xb): ESP(spi=0x00005fb5,seq=0xb)
17:24:05.681163 IP (tos 0x0, ttl 64, id 163, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x6): ESP(spi=0x00003d55,seq=0x6)
17:24:08.879729 IP (tos 0x0, ttl 64, id 126, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xc): ESP(spi=0x00005fb5,seq=0xc)
17:24:12.078713 IP (tos 0x0, ttl 64, id 127, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xd): ESP(spi=0x00005fb5,seq=0xd)
17:24:12.078953 IP (tos 0x0, ttl 64, id 164, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x7): ESP(spi=0x00003d55,seq=0x7)
17:24:18.276958 IP (tos 0x0, ttl 64, id 128, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xe): ESP(spi=0x00005fb5,seq=0xe)
17:24:18.277184 IP (tos 0x0, ttl 64, id 165, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x8): ESP(spi=0x00003d55,seq=0x8)
17:24:30.473180 IP (tos 0x0, ttl 64, id 129, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xf): ESP(spi=0x00005fb5,seq=0xf)
17:24:30.473419 IP (tos 0x0, ttl 64, id 166, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x9): ESP(spi=0x00003d55,seq=0x9)
flush;
spdflush;
add 192.168.20.4 192.168.20.6 ah 15700 -A hmac-md5 "1234567890123456";
add 192.168.20.6 192.168.20.4 ah 24500 -A hmac-md5 "1234567890123456";
add 192.168.20.4 192.168.20.6 esp 15701 -E 3des-cbc "123456789012345678901234";
add 192.168.20.6 192.168.20.4 esp 24501 -E 3des-cbc "123456789012345678901234";
spdadd 192.168.20.4 192.168.20.6 any -P out ipsec
esp/transport//require
ah/transport//require;
flush;
spdflush;
add 192.168.20.4 192.168.20.6 ah 15700 -A hmac-md5 "1234567890123456";
add 192.168.20.6 192.168.20.4 ah 24500 -A hmac-md5 "1234567890123456";
add 192.168.20.4 192.168.20.6 esp 15701 -E 3des-cbc "123456789012345678901234";
add 192.168.20.6 192.168.20.4 esp 24501 -E 3des-cbc "123456789012345678901234";
spdadd 192.168.20.6 192.168.20.4 any -P out ipsec
esp/transport//require
ah/transport//require;
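
The hex SPIs that tcpdump prints can be tied back to the decimal SPIs in the setkey files, and because ESP hides the TCP header, reply timing is the main signal left in the trace. The following Python sketch is an added example, not part of the original post; the function names and the one-second reply window are assumptions, and the six packets are copied from the second capture above.

```python
import re

# Six packets copied from the second capture in the post; "fire" is the server.
TRACE = """\
17:23:56.284365 IP (tos 0x0, ttl 64, id 122, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x8): ESP(spi=0x00005fb5,seq=0x8)
17:23:56.284599 IP (tos 0x0, ttl 64, id 160, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x5): ESP(spi=0x00003d55,seq=0x5)
17:23:59.283225 IP (tos 0x0, ttl 64, id 123, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0x9): ESP(spi=0x00005fb5,seq=0x9)
17:24:02.482010 IP (tos 0x0, ttl 64, id 124, offset 0, flags [DF], length: 108) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xa): ESP(spi=0x00005fb5,seq=0xa)
17:24:05.680898 IP (tos 0x0, ttl 64, id 125, offset 0, flags [DF], length: 92) 192.168.20.6 > fire: AH(spi=0x00005fb4,sumlen=16,seq=0xb): ESP(spi=0x00005fb5,seq=0xb)
17:24:05.681163 IP (tos 0x0, ttl 64, id 163, offset 0, flags [none], length: 84) fire > 192.168.20.6: AH(spi=0x00003d54,sumlen=16,seq=0x6): ESP(spi=0x00003d55,seq=0x6)
"""
HOSTS = {"fire": "192.168.20.4"}
# (protocol, decimal SPI) -> (src, dst), transcribed from the setkey "add" lines.
SAS = {("ah", 15700): ("192.168.20.4", "192.168.20.6"),
       ("ah", 24500): ("192.168.20.6", "192.168.20.4"),
       ("esp", 15701): ("192.168.20.4", "192.168.20.6"),
       ("esp", 24501): ("192.168.20.6", "192.168.20.4")}
LINE = re.compile(
    r"(\d+):(\d+):([\d.]+) IP \(.*?length: (\d+)\) (\S+) > (\S+): "
    r"AH\(spi=0x([0-9a-f]+),sumlen=\d+,seq=0x([0-9a-f]+)\): ESP\(spi=0x([0-9a-f]+),")

def parse(trace):
    """One dict per AH+ESP packet; tcpdump prints SPIs and sequence numbers in hex."""
    out = []
    for m in LINE.finditer(trace):
        h, mi, s, length, src, dst, ah, seq, esp = m.groups()
        out.append({"t": int(h) * 3600 + int(mi) * 60 + float(s),
                    "src": HOSTS.get(src, src), "dst": HOSTS.get(dst, dst),
                    "len": int(length), "ah": int(ah, 16), "esp": int(esp, 16),
                    "seq": int(seq, 16)})
    return out

def unknown_sas(packets):
    """Packets whose SPI and direction do not match an SA from the setkey files."""
    return [p for p in packets
            if SAS.get(("ah", p["ah"])) != (p["src"], p["dst"])
            or SAS.get(("esp", p["esp"])) != (p["src"], p["dst"])]

def unanswered(packets, client, window=1.0):
    """AH sequence numbers sent by `client` with nothing back within `window` seconds."""
    return [p["seq"] for p in packets if p["src"] == client and not any(
        q["src"] == p["dst"] and 0 <= q["t"] - p["t"] <= window for q in packets)]

if __name__ == "__main__":
    pkts = parse(TRACE)
    print("packets without a configured SA:", unknown_sas(pkts))
    print("client packets with no reply:", [hex(s) for s in unanswered(pkts, "192.168.20.6")])
```
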