One can't run ipsec with both esp + ah on 7.0-RELEASE with ipv6. Trying to will produce the kernel printf:

    kernel: ip6_output (ipsec): error code 22

and no output from the interface.

The problem looks to be here, in ipsec_output.c, ipsec_process_done():

    /*
     * If there's another (bundled) SA to apply, do so.
     * Note that this puts a burden on the kernel stack size.
     * If this is a problem we'll need to introduce a queue
     * to set the packet on so we can unwind the stack before
     * doing further processing.
     */
    if (isr->next) {
            ipsec4stat.ips_out_bundlesa++;
            return ipsec4_process_packet(m, isr->next, 0, 0);
    }

So for the second SA we try to apply it with ipsec4_process_packet(), which fails when handed an ipv6 packet. By the way, things work fine with ipv4.

How-To-Repeat: Set up an association between two ipv6 hosts that calls for esp+ah.
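A simplified user-space model of the dispatch problem described in the report, added here as an illustration; it is not FreeBSD kernel code and not the change that later fixed the bug. The types and the functions process4, process6, process_done and send_bundle are hypothetical, and the model assumes the IPv4 path rejects a non-IPv4 packet with EINVAL (22), the error code shown in the report.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical stand-ins for the kernel's mbuf and ipsecrequest types. */
struct pkt { int family; int transforms; };   /* family: 4 or 6 */
struct isr { const char *proto; struct isr *next; };

static int process4(struct pkt *, struct isr *, int fixed);
static int process6(struct pkt *, struct isr *, int fixed);

/* Runs after one SA has been applied; continues with the rest of the bundle. */
static int process_done(struct pkt *p, struct isr *isr, int fixed)
{
    p->transforms++;
    if (isr->next == NULL)
        return 0;                               /* bundle finished */
    if (fixed && p->family == 6)
        return process6(p, isr->next, fixed);   /* dispatch on address family */
    return process4(p, isr->next, fixed);       /* unconditional v4 call */
}

static int process4(struct pkt *p, struct isr *isr, int fixed)
{
    if (p->family != 4)
        return EINVAL;          /* assumed: v4 path rejects a v6 packet */
    return process_done(p, isr, fixed);
}

static int process6(struct pkt *p, struct isr *isr, int fixed)
{
    if (p->family != 6)
        return EINVAL;
    return process_done(p, isr, fixed);
}

/* Send one packet through an ESP+AH bundle; returns 0 or an errno value.
 * *applied receives the number of SAs applied before success or failure. */
int send_bundle(int family, int fixed, int *applied)
{
    struct isr ah  = { "ah", NULL };
    struct isr esp = { "esp", &ah };
    struct pkt p   = { family, 0 };
    int error = (family == 6) ? process6(&p, &esp, fixed)
                              : process4(&p, &esp, fixed);
    *applied = p.transforms;
    return error;
}
```

With `fixed` set to 0 an IPv6 packet gets the first SA applied and then fails on the second, while an IPv4 packet passes through both, matching the behaviour the report describes.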
Responsible Changed From-To: freebsd-bugs->freebsd-net Over to maintainer(s).
Responsible Changed From-To: freebsd-net->bz Take this. Might take a few days before I can come up with a patch.
bz 2008-03-14 11:09:11 UTC

FreeBSD src repository

Modified files:
  sys/netinet6 ip6_output.c
Log:
  Replace the function name in two identical printfs by __func__, __LINE__ so we can distinguish them when people report a problem.
  PR: 121373
  MFC after: 5 days

Revision Changes Path
1.115 +4 -2 src/sys/netinet6/ip6_output.c
State Changed From-To: open->patched This has been fixed in HEAD and RELENG_7 but is still awaiting MFC to RELENG_6.
On Wed, 11 Jun 2008, gavin@FreeBSD.org wrote:

> Synopsis: [ipsec] New IPSEC & IPV6 & AH+ESP Broken
>
> State-Changed-From-To: open->patched
> State-Changed-By: gavin
> State-Changed-When: Wed Jun 11 13:04:28 UTC 2008
> State-Changed-Why:
> This has been fixed in HEAD and RELENG_7 but is still awaiting MFC
> to RELENG_6
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=121373

What makes you think that it was? I cannot remember I had found the time for IPSec work lately (unfortunately). Could you please change it back to open?

--
Bjoern A. Zeeb
Stop bit received. Insert coin for new game.
State Changed From-To: patched->open Back to open, on bz@'s request - I misread the PR, this was never patched.
Responsible Changed From-To: bz->gnn I shall not use bugzilla (at least until we will have a CLI).
For bugs matching the following criteria:
  Status: In Progress
  Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags.
Mail being skipped
This was fixed in 11.0+ releases. Now both IPv4 and IPv6 support chains of ISRs.