From asu@guinness.syncrontech.com Mon May 16 07:03:01 2005
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D5C7C16A4EF for ; Mon, 16 May 2005 07:03:01 +0000 (GMT)
Received: from espresso2.syncrontech.com (sync-old.syncrontech.com [213.28.98.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id F172C43DA8 for ; Mon, 16 May 2005 07:02:57 +0000 (GMT) (envelope-from asu@guinness.syncrontech.com)
Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.57]) by espresso2.syncrontech.com (8.12.11/8.12.11) with ESMTP id j4G72tGH041231 for ; Mon, 16 May 2005 10:02:56 +0300 (EEST) (envelope-from asu@guinness.syncrontech.com)
Received: from guinness.syncrontech.com (localhost [127.0.0.1]) by guinness.syncrontech.com (8.12.11/8.12.11) with ESMTP id j4G72oph073301 for ; Mon, 16 May 2005 10:02:50 +0300 (EEST) (envelope-from asu@guinness.syncrontech.com)
Received: (from asu@localhost) by guinness.syncrontech.com (8.12.11/8.12.11/Submit) id j4G72o2M073300; Mon, 16 May 2005 10:02:50 +0300 (EEST) (envelope-from asu)
Message-Id: <200505160702.j4G72o2M073300@guinness.syncrontech.com>
Date: Mon, 16 May 2005 10:02:50 +0300 (EEST)
From: Ari Suutari
Reply-To: Ari Suutari
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: IPsec connection stops working if associated network interface goes down and then up again.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number: 81095
>Category: kern
>Synopsis: IPsec connection stops working if associated network interface goes down and then up again.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-net
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon May 16 07:10:02 GMT 2005
>Closed-Date:
>Last-Modified: Tue Jun 15 17:35:00 UTC 2010
>Originator: Ari Suutari
>Release: FreeBSD 5.4-RELEASE i386
>Organization:
>Environment:
FreeBSD poison2.syncrontech.com 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri May 13 09:13:34 EEST 2005 root@poison2.syncrontech.com:/usr/src/sys/i386/compile/POISON i386
>Description:
IPsec VPN tunnel stops working after associated network interface goes down and then back up again (which can happen with networks using tun device, for example).

When the network interface goes down, IPsec stack updates its cached route to use system default route. However, when the interface comes back again the cached route is not updated to use that interface again.
>How-To-Repeat:
Create a setup of 3 machines:

A: "remote server"
B: IPsec VPN server, use 5.4-RELEASE here
C: "local workstation"

Build a network between A and B which uses tun device (ppp or vtund). Set up racoon and ipsec policies so that traffic from C to A is transmitted via VPN tunnel. Start pinging A from C. Cause some kind of problem between A and B which causes the tun device to go down. Fix the temporary problem. Although the tun device goes now up, the vpn never recovers and ping doesn't work any more.
>Fix:
Somehow update or invalidate sa_route field (updated at least in netinet6/ipsec.c now) when routing table changes. As a temporary workaround, I have modified ipsec.c so that it always calls rtalloc to ensure valid route.
>Release-Note:
>Audit-Trail:

From: Gleb Smirnoff
To: Ari Suutari
Cc: FreeBSD-gnats-submit@FreeBSD.org, andre@FreeBSD.org
Subject: Re: kern/81095: IPsec connection stops working if associated network interface goes down and then up again.
Date: Mon, 23 May 2005 18:14:28 +0400

Ari,

On Mon, May 16, 2005 at 10:02:50AM +0300, Ari Suutari wrote:
A> >Number: 81095
A> >Category: kern
A> >Synopsis: IPsec connection stops working if associated network interface goes down and then up again.

[skip]

A> >Fix:
A>
A> Somehow updated or invalidate sa_route field (updated at least
A> in netinet6/ipsec.c now) when routing table changes. As a temporary
A> workaround, I have modified ipsec.c so that it always calls
A> rtalloc to ensure valid route.

can you please polish your patch and submit it as follow-up to PR? There are plans to remove route caching.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From: Ari Suutari
To: Gleb Smirnoff
Cc: FreeBSD-gnats-submit@FreeBSD.org, andre@FreeBSD.org
Subject: Re: kern/81095: IPsec connection stops working if associated network interface goes down and then up again.
Date: Tue, 24 May 2005 08:39:09 +0300

Hi,

Gleb Smirnoff wrote:
> can you please polish your patch and submit it as follow-up to PR?
> There plans to remove route caching.

Here it is. I would consider it only a workaround, since it just frees any cached route, causing a new lookup to be done every time. It covers only the IPv4 case as I don't have IPv6 in my vpn box right now.

I'm keeping my test environment in VmWare so I can easily test things if someone is going to work on this.

*** ipsec.c.orig Tue May 24 08:31:09 2005 --- ipsec.c Tue May 24 08:31:47 2005 *************** *** 2713,2721 **** state->ro = &isr->sav->sah->sa_route; state->dst = (struct sockaddr *)&state->ro->ro_dst; dst4 = (struct sockaddr_in *)state->dst; ! if (state->ro->ro_rt ! && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0 ! || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) { RTFREE(state->ro->ro_rt); state->ro->ro_rt = NULL; } --- 2713,2719 ---- state->ro = &isr->sav->sah->sa_route; state->dst = (struct sockaddr *)&state->ro->ro_dst; dst4 = (struct sockaddr_in *)state->dst; ! if (state->ro->ro_rt) { RTFREE(state->ro->ro_rt); state->ro->ro_rt = NULL; }

Ari S.
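Review bot: In the replaced condition at lines 2713-2719, dropping both the `(rt_flags & RTF_UP) == 0` test and the `dst4->sin_addr.s_addr != ip->ip_dst.s_addr` test makes `RTFREE(state->ro->ro_rt)` unconditional, so the `sa_route` entry is freed and re-looked-up for every packet and the cache no longer serves any purpose; the reply acknowledges this is a workaround, but as posted it should not be merged as the fix. The narrower change is to keep the two existing tests and add a third that catches the case the `>Fix:` section describes, a routing-table change while the cached default route is still `RTF_UP`, so the common path keeps its cached route. The reply also states that only the IPv4 path is covered, so the corresponding check in the IPv6 path of the same file keeps the original behaviour and the symptom remains reachable there.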
Responsible-Changed-From-To: freebsd-bugs->gnn
Responsible-Changed-By: gnn
Responsible-Changed-When: Sun Nov 12 09:53:09 UTC 2006
Responsible-Changed-Why:
Looking at IPsec related bugs.

http://www.freebsd.org/cgi/query-pr.cgi?pr=81095

Responsible-Changed-From-To: gnn->freebsd-net
Responsible-Changed-By: gnn
Responsible-Changed-When: Tue Jun 15 17:34:03 UTC 2010
Responsible-Changed-Why:
This is probably no longer valid given the changes in our IPSec stack over the last 4 years. People are welcome to retest/resubmit.

http://www.freebsd.org/cgi/query-pr.cgi?pr=81095

>Unformatted:
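The following is a constructed model of the cached-route behaviour described in the PR's `>Description:` and `>Fix:` sections, added here as an illustration; it is not FreeBSD code and does not use the kernel's `rtentry` or `sa_route` APIs. It keeps a toy routing table with a tunnel route and a default route, replays the interface flap from `>How-To-Repeat:`, and compares three cache-validity checks: the original test on `RTF_UP` and destination only, the unconditional re-lookup of the posted workaround, and a check against a routing-table generation counter standing in for the "invalidate when the routing table changes" approach the PR asks for. The names `iface_after_flap`, `rt_generation`, `rtalloc_toy` and the addresses are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTF_UP 0x1   /* same meaning as the kernel flag: route is usable */

/* Toy routing-table entry (the kernel's struct rtentry is far richer). */
struct route_entry {
    const char *ifname;
    uint32_t    dst;    /* network address, host byte order */
    uint32_t    mask;
    int         flags;
};

/* Constructed routing table: 10.1.0.0/16 via the tunnel, plus a default route. */
static struct route_entry rtable[] = {
    { "tun0", 0x0A010000u, 0xFFFF0000u, RTF_UP },
    { "em0",  0x00000000u, 0x00000000u, RTF_UP },
};
#define NRT (sizeof rtable / sizeof rtable[0])

/* Assumed invalidation hook: bumped on every routing-table change. */
static unsigned rt_generation;

/* Mark every route on an interface up or down, as a tun teardown/restore would. */
static void set_iface(const char *ifname, int up)
{
    for (size_t i = 0; i < NRT; i++)
        if (strcmp(rtable[i].ifname, ifname) == 0)
            rtable[i].flags = up ? (rtable[i].flags | RTF_UP)
                                 : (rtable[i].flags & ~RTF_UP);
    rt_generation++;
}

/* Longest-prefix lookup among usable routes; stands in for rtalloc(). */
static struct route_entry *rtalloc_toy(uint32_t dst)
{
    struct route_entry *best = NULL;
    for (size_t i = 0; i < NRT; i++) {
        struct route_entry *e = &rtable[i];
        if ((e->flags & RTF_UP) && (dst & e->mask) == e->dst &&
            (best == NULL || e->mask > best->mask))
            best = e;
    }
    return best;   /* never NULL here: the default route is always up */
}

/* Per-SA cached route, playing the role of sa_route in the PR. */
struct route_cache {
    struct route_entry *ro_rt;
    uint32_t            ro_dst;
    unsigned            gen;    /* routing-table generation when filled */
};

typedef int (*stale_fn)(const struct route_cache *, uint32_t);

/* Original 5.4 condition: drop only if the route went down or dst changed. */
static int stale_flags_dst(const struct route_cache *ro, uint32_t dst)
{
    return (ro->ro_rt->flags & RTF_UP) == 0 || ro->ro_dst != dst;
}

/* The posted workaround: always drop, so a lookup runs for every packet. */
static int stale_always(const struct route_cache *ro, uint32_t dst)
{
    (void)ro; (void)dst;
    return 1;
}

/* Generation check: also drop when the routing table changed underneath. */
static int stale_generation(const struct route_cache *ro, uint32_t dst)
{
    return stale_flags_dst(ro, dst) || ro->gen != rt_generation;
}

/* Route one packet through the cache, refilling it when the check says so. */
static struct route_entry *route_via_cache(struct route_cache *ro, uint32_t dst, stale_fn stale)
{
    if (ro->ro_rt != NULL && stale(ro, dst))
        ro->ro_rt = NULL;                 /* RTFREE + NULL in the kernel */
    if (ro->ro_rt == NULL) {
        ro->ro_rt  = rtalloc_toy(dst);
        ro->ro_dst = dst;
        ro->gen    = rt_generation;
    }
    return ro->ro_rt;
}

/* Replay the PR scenario (tunnel up, down, up again) and report which
 * interface the cached route points at after the tunnel has recovered. */
const char *iface_after_flap(stale_fn stale)
{
    struct route_cache ro = { NULL, 0, 0 };
    uint32_t remote = 0x0A010005u;        /* 10.1.0.5: host A behind the tunnel */

    set_iface("tun0", 1);
    route_via_cache(&ro, remote, stale);  /* tunnel route chosen */
    set_iface("tun0", 0);
    route_via_cache(&ro, remote, stale);  /* tunnel down: cache refilled with em0 */
    set_iface("tun0", 1);
    return route_via_cache(&ro, remote, stale)->ifname;
}

int main(void)
{
    printf("flags+dst check : %s\n", iface_after_flap(stale_flags_dst));  /* em0, stale */
    printf("always re-lookup: %s\n", iface_after_flap(stale_always));     /* tun0 */
    printf("generation check: %s\n", iface_after_flap(stale_generation)); /* tun0 */
    return 0;
}
```

The first check reproduces the symptom: once the cache has been refilled with the default route, that route is both up and for the right destination, so nothing ever evicts it. The workaround fixes the symptom by never caching; the generation check fixes it while still caching, which is the shape of fix the `>Fix:` section asks for.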