DaemonForums  

#1
Old 6th September 2011
igy01 (Port Guard, Join Date: Jan 2011, Posts: 20)
IPsec strange and annoying problem

I have IPsec between a few OpenBSD machines (releases 4.6, 4.8 & 4.9). IPsec has been working fine for a long time, but here and there (once or twice per day) IPsec traffic just stops. This kind of problem usually lasts 17-18 minutes. SAs are still there (or, at least, ipsecctl shows that), but traffic can't pass from netA to netB.

I use isakmpd, /etc/ipsec.conf and x509 certificates. There is no nat, no rdr.
Until a few months ago, everything worked fine on OBSD 4.5 & 4.6 (so, I think, there is no problem in ipsec.conf or x509).

Any idea?

PS

Yes, I know about SHA, so between the same BSD releases I use:

ike esp from $netA to $netB \
local $ipHOSTA peer $ipHOSTB \
main auth hmac-sha2-512 enc aes-256 group modp1024 \
quick auth hmac-sha2-512 enc aes-256 group modp1024

but between pre-4.7 and post-4.7 I use sha1.
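Added example, not from any post in this thread: a small POSIX sh/awk check for the situation igy01 describes, where `ipsecctl -sa` still lists SAs yet traffic stops. It reads an `ipsecctl -sa` dump and, for every peer, checks that the SAD holds both an inbound ESP SA (peer to local) and an outbound one (local to peer), and that every peer named in a FLOWS entry has at least one SA. The function names `check_sad` and `sample_dump`, the addresses, the SPIs and the dump text are constructed here to resemble ipsecctl output; they are not OpenBSD tools or data from the thread. A one-directional or absent SA set is one concrete thing to look for when a tunnel goes dead while the SAs appear present; the check does not identify the isakmpd bug referred to later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check an `ipsecctl -sa` dump.
# For every peer in the SAD we want an inbound SA (peer -> local) AND an
# outbound SA (local -> peer); every peer named in a FLOWS entry must have
# at least one SA. check_sad and sample_dump are names chosen for this example.

# check_sad LOCAL [FILE]
#   LOCAL is this gateway's own tunnel endpoint address; FILE is a saved
#   dump (default: stdin). Prints "<peer> ok" or "<peer> MISSING <what>"
#   per peer, sorted, and returns 1 if anything is missing.
check_sad() {
    report=$(awk -v me="$1" '
        # SAD line: esp tunnel from SRC to DST spi 0x... auth ... enc ...
        $1 == "esp" && $2 == "tunnel" && $3 == "from" && $5 == "to" {
            src = $4; dst = $6
            if (src == me)      { out[dst] = 1; peers[dst] = 1 }
            else if (dst == me) { in_[src] = 1; peers[src] = 1 }
            next
        }
        # FLOWS line: flow esp in|out from NET to NET peer ADDR ...
        $1 == "flow" {
            for (i = 1; i < NF; i++)
                if ($i == "peer") flowpeer[$(i + 1)] = 1
        }
        END {
            for (p in peers) {
                miss = ""
                if (!in_[p])  miss = miss " in"
                if (!out[p])  miss = miss " out"
                if (miss == "") print p " ok"
                else            print p " MISSING" miss
            }
            # A flow whose peer has no SA at all: packets matching a
            # "require" flow are dropped rather than sent in the clear.
            for (p in flowpeer)
                if (!peers[p]) print p " MISSING sa"
        }' ${2:+"$2"} | sort)
    printf '%s\n' "$report"
    case $report in
        *MISSING*) return 1 ;;
    esac
    return 0
}

# Constructed dump in the shape of `ipsecctl -sa` on gateway 192.0.2.1:
#   192.0.2.2    healthy (flows + SAs in both directions)
#   198.51.100.7 flows present, but only the outbound SA exists
#   203.0.113.9  flow present, no SA at all
sample_dump() {
    cat <<'EOF'
FLOWS:
flow esp in from 10.0.2.0/24 to 10.0.1.0/24 peer 192.0.2.2 srcid 192.0.2.1/32 dstid 192.0.2.2/32 type use
flow esp out from 10.0.1.0/24 to 10.0.2.0/24 peer 192.0.2.2 srcid 192.0.2.1/32 dstid 192.0.2.2/32 type require
flow esp in from 10.0.3.0/24 to 10.0.1.0/24 peer 198.51.100.7 srcid 192.0.2.1/32 dstid 198.51.100.7/32 type use
flow esp out from 10.0.1.0/24 to 10.0.3.0/24 peer 198.51.100.7 srcid 192.0.2.1/32 dstid 198.51.100.7/32 type require
flow esp out from 10.0.1.0/24 to 10.0.4.0/24 peer 203.0.113.9 srcid 192.0.2.1/32 dstid 203.0.113.9/32 type require

SAD:
esp tunnel from 192.0.2.2 to 192.0.2.1 spi 0x2ffb3d12 auth hmac-sha2-512 enc aes-256
esp tunnel from 192.0.2.1 to 192.0.2.2 spi 0x9aa1d9f1 auth hmac-sha2-512 enc aes-256
esp tunnel from 192.0.2.1 to 198.51.100.7 spi 0x1a2b3c4d auth hmac-sha2-512 enc aes-256
EOF
}

# Run the demo with "sh sadcheck.sh demo". On a gateway, pipe the live dump:
#   ipsecctl -sa | check_sad <this-gateway's-tunnel-address>
case "${1-}" in
    demo) sample_dump | check_sad 192.0.2.1 ;;
esac
```

The demo reports `192.0.2.2 ok`, `198.51.100.7 MISSING in` and `203.0.113.9 MISSING sa` and exits 1. Run it from cron or a watchdog loop on both gateways at the moment traffic stops: if both directions are present on both ends, the SAs exist but do not agree (keys, SPIs or proposals), which this check cannot see from one side, and the next place to look is the isakmpd log and the ESP counters on each end.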
#2
Old 6th September 2011
jggimi (More noise than signal, Join Date: May 2008, Location: USA, Posts: 7,975)

I recall something very similar reported on misc@ several months ago. See if the thread that starts here, which includes a variety of symptoms and logged errors, matches yours.

http://marc.info/?l=openbsd-misc&m=130433588108333&w=2

There are few IPSec users here among the small group of OpenBSD admins on this forum. I'm one, and I have no particular insights into this problem. If you don't get any other advice in the next day or two, consider posting to misc@, perhaps continuing that earlier thread.
#3
Old 23rd September 2011
denta (Shell Scout, Join Date: Nov 2009, Location: Sweden, Posts: 95)

Yeah, there was a bug in isakmpd/dh.c which is fixed now.

http://www.mail-archive.com/bugs@ope.../msg01781.html
#4
Old 23rd September 2011
jggimi (More noise than signal, Join Date: May 2008, Location: USA, Posts: 7,975)

Thank you, denta!!

Looking at the CVS logs, I see the fix was committed to OpenBSD:
  • 15 June for -current (and is in the upcoming 5.0-release)
  • 8 July for 4.9-stable
  • 14 July for 4.8-stable
This was not considered sufficiently broad reaching or sufficiently serious to require an errata publication.