Re: isakmpd quits out after running ipsec on CURRENT
On 12/03/2014 07:39 PM, Christian Weisgerber wrote:
> On 2014-12-03, Josh Grosse j...@jggimi.homeip.net wrote:
>>> This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
>>> Check your system logs for isakmpd: backwards memcpy.
>> It may not be that change, since it was only committed two days ago.
>> I've seen the same symptoms in i386 snapshots from Nov 26 and 30.
> Exactly, that change _fixes_ it. In recent snapshots, memcpy() checks
> for overlap and aborts. For some background, see
> http://www.tedunangst.com/flak/post/memcpy-vs-memmove

When you mention the change **fixes** the bug, is there something in addition that needs to be done in order to get isakmpd and ipsec working together?

I am seeing this in the logs:

Dec 4 09:35:33 Gamma-Ray isakmpd: backwards memcpy
Dec 4 09:35:33 sys_name isakmpd: backwards memcpy

which is what was stated earlier. Or does the **fix** exaggerate another bug in the code?

Regards,
Kaya
Re: isakmpd quits out after running ipsec on CURRENT
On 2014-12-04, Kaya Saman kayasa...@gmail.com wrote:
> I am seeing this in the logs:
>
> Dec 4 09:35:33 Gamma-Ray isakmpd: backwards memcpy
> Dec 4 09:35:33 sys_name isakmpd: backwards memcpy

So your isakmpd is broken. Wait for the next snapshot or build one from -current sources yourself.

--
Christian naddy Weisgerber na...@mips.inka.de
Re: isakmpd quits out after running ipsec on CURRENT
On Thu, Dec 04, 2014 at 12:29, Kaya Saman wrote:
> On 12/03/2014 07:39 PM, Christian Weisgerber wrote:
>> On 2014-12-03, Josh Grosse j...@jggimi.homeip.net wrote:
>>>> This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
>>>> Check your system logs for isakmpd: backwards memcpy.
>>> It may not be that change, since it was only committed two days ago.
>>> I've seen the same symptoms in i386 snapshots from Nov 26 and 30.
>> Exactly, that change _fixes_ it. In recent snapshots, memcpy() checks
>> for overlap and aborts. For some background, see
>> http://www.tedunangst.com/flak/post/memcpy-vs-memmove
>
> When you mention the change **fixes** the bug, is there something in addition that needs to be done in order to get isakmpd and ipsec working together?
>
> I am seeing this in the logs:
>
> Dec 4 09:35:33 Gamma-Ray isakmpd: backwards memcpy
> Dec 4 09:35:33 sys_name isakmpd: backwards memcpy
>
> which is what was stated earlier. Or does the **fix** exaggerate another bug in the code?

There was *one* fix to isakmpd for *one* bug. There may be more than one bug. There's certainly a lot more than one memcpy in it.
Re: isakmpd quits out after running ipsec on CURRENT
On 12/04/2014 04:28 PM, Ted Unangst wrote:
> On Thu, Dec 04, 2014 at 12:29, Kaya Saman wrote:
>> On 12/03/2014 07:39 PM, Christian Weisgerber wrote:
>>> On 2014-12-03, Josh Grosse j...@jggimi.homeip.net wrote:
>>>>> This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
>>>>> Check your system logs for isakmpd: backwards memcpy.
>>>> It may not be that change, since it was only committed two days ago.
>>>> I've seen the same symptoms in i386 snapshots from Nov 26 and 30.
>>> Exactly, that change _fixes_ it. In recent snapshots, memcpy() checks
>>> for overlap and aborts. For some background, see
>>> http://www.tedunangst.com/flak/post/memcpy-vs-memmove
>>
>> When you mention the change **fixes** the bug, is there something in addition that needs to be done in order to get isakmpd and ipsec working together?
>>
>> I am seeing this in the logs:
>>
>> Dec 4 09:35:33 Gamma-Ray isakmpd: backwards memcpy
>> Dec 4 09:35:33 sys_name isakmpd: backwards memcpy
>>
>> which is what was stated earlier. Or does the **fix** exaggerate another bug in the code?
>
> There was *one* fix to isakmpd for *one* bug. There may be more than one bug. There's certainly a lot more than one memcpy in it.

Thanks everyone for the responses, sorry for the cross-wires in understanding the situation at present.

Will wait for a fix :-)

Regards,
Kaya
Re: isakmpd quits out after running ipsec on CURRENT
On Wed, Dec 03, 2014 at 02:00:59PM +, Kaya Saman wrote:
> Hi,
>
> for some reason, this seems to have been for a while now; isakmpd will simply quit running after initiating:
>
> ipsecctl -f /etc/ipsec.conf
>
> Starting isakmpd manually with flags -Kdv doesn't give any indication as to what might be causing the service to crash or segfault and nothing is reported in the logs - I checked both daemon and messages.
>
> ipsec.conf consists of standard config:
>
> ike passive esp transport \
>     proto udp from 212.159.80.17 to any port 1701 \
>     main auth hmac-sha enc aes group modp1024 \
>     quick auth hmac-sha enc aes \
>     psk Sclr11XP99
>
> ike passive esp transport \
>     proto udp from IP to any port 1701 \
>     main auth hmac-sha enc aes group modp1024 \
>     quick auth hmac-sha enc aes \
>     psk Some_crazy_pass
>
> Basically the setup used to work fine a few upgrades ago while I was on 5.5 but then something seems to have changed and it stopped.
>
> Along with the above I'm running npppd for ipsec/l2tp so I can run the native Android VPN client. I do run OpenVPN in addition but there seems to be some issue with routing on some apps so to get round that the choice is either: add default route manually when using OpenVPN / or use native client.
>
> I managed to find this thread from the list: http://comments.gmane.org/gmane.os.openbsd.misc/209636 and managed to pretty much validate my config in comparison but for some reason I cannot work this one out.
>
> System is up to date as per last night and build is:
>
> 5.6 GENERIC.MP#633 amd64
>
> Would anyone be able to suggest anything?
>
> Thanks.
>
> Kaya

I am seeing the same behaviour (apparently a clean exit, no message whatsoever nor core file) on -current, with an ipsec.conf as simple as this:

ike dynamic esp from 10.17.19.3 (egress) to 10.17.16.0/22 \
    peer vpn.foo.bar \
    srcid peer1.foo.bar dstid vpn.foo.bar

I have upgraded -current several times since I last used IPSec, so I can't tell for sure when it started...
OpenBSD 5.6-current (GENERIC.MP) #634: Mon Dec 1 10:11:11 MST 2014
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Re: isakmpd quits out after running ipsec on CURRENT
I run this kernel from beginning of November:

OpenBSD 5.6-current (GENERIC) #492: Fri Nov 7 10:21:36 MST 2014
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi (Geode by NSC 586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX

on my soekris box. Isakmpd is just started with: -4 -K

my ipsec.conf looks similar to this one (only IP addresses changed):

localip=1.1.1.1
peerip=2.2.2.2
ike esp from 3.3.3.0/24 to 4.4.0.0/16 \
    local $localip peer $peerip \
    main auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 group modp1024 \
    psk top secret

and it just works.

does a higher debug level i.e. -D A=90 show something, or logging the packets isakmpd sees with -L give more hints?

cheers,
Sebastian

On Wednesday, December 3, 2014 15:53 CET, Zé Loff zel...@zeloff.org wrote:
> On Wed, Dec 03, 2014 at 02:00:59PM +, Kaya Saman wrote:
>> Hi,
>>
>> for some reason, this seems to have been for a while now; isakmpd will simply quit running after initiating:
>>
>> ipsecctl -f /etc/ipsec.conf
>>
>> Starting isakmpd manually with flags -Kdv doesn't give any indication as to what might be causing the service to crash or segfault and nothing is reported in the logs - I checked both daemon and messages.
>>
>> ipsec.conf consists of standard config:
>>
>> ike passive esp transport \
>>     proto udp from 212.159.80.17 to any port 1701 \
>>     main auth hmac-sha enc aes group modp1024 \
>>     quick auth hmac-sha enc aes \
>>     psk Sclr11XP99
>>
>> ike passive esp transport \
>>     proto udp from IP to any port 1701 \
>>     main auth hmac-sha enc aes group modp1024 \
>>     quick auth hmac-sha enc aes \
>>     psk Some_crazy_pass
>>
>> Basically the setup used to work fine a few upgrades ago while I was on 5.5 but then something seems to have changed and it stopped.
>>
>> Along with the above I'm running npppd for ipsec/l2tp so I can run the native Android VPN client.
Re: isakmpd quits out after running ipsec on CURRENT
On Wed, Dec 03, 2014 at 04:09:02PM +0100, Sebastian Reitenbach wrote:
> I run this kernel from beginning of November:
>
> OpenBSD 5.6-current (GENERIC) #492: Fri Nov 7 10:21:36 MST 2014
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Geode(TM) Integrated Processor by National Semi (Geode by NSC 586-class) 267 MHz
> cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
>
> on my soekris box. Isakmpd is just started with: -4 -K
>
> my ipsec.conf looks similar to this one (only IP addresses changed):
>
> localip=1.1.1.1
> peerip=2.2.2.2
> ike esp from 3.3.3.0/24 to 4.4.0.0/16 \
>     local $localip peer $peerip \
>     main auth hmac-sha1 enc aes-128 group modp1024 \
>     quick auth hmac-sha1 enc aes-128 group modp1024 \
>     psk top secret
>
> and it just works.
>
> does a higher debug level i.e. -D A=90 show something, or logging the packets isakmpd sees with -L give more hints?

No packets are transferred, AFAICT. Running isakmpd -Kdv -D A=90 yields a single line after ipsecctl is run:

uiconfig: C set [General]:Check-interval=30 force

isakmpd then quits with exit code 0.

> cheers,
> Sebastian
>
> On Wednesday, December 3, 2014 15:53 CET, Zé Loff zel...@zeloff.org wrote:
>> On Wed, Dec 03, 2014 at 02:00:59PM +, Kaya Saman wrote:
>>> Hi,
>>>
>>> for some reason, this seems to have been for a while now; isakmpd will simply quit running after initiating:
>>>
>>> ipsecctl -f /etc/ipsec.conf
>>>
>>> Starting isakmpd manually with flags -Kdv doesn't give any indication as to what might be causing the service to crash or segfault and nothing is reported in the logs - I checked both daemon and messages.
Re: isakmpd quits out after running ipsec on CURRENT
On Wed, Dec 03, 2014 at 03:24:06PM +, Zé Loff wrote:
> On Wed, Dec 03, 2014 at 04:09:02PM +0100, Sebastian Reitenbach wrote:
>> I run this kernel from beginning of November:
>>
>> OpenBSD 5.6-current (GENERIC) #492: Fri Nov 7 10:21:36 MST 2014
>>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>> cpu0: Geode(TM) Integrated Processor by National Semi (Geode by NSC 586-class) 267 MHz
>> cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
>>
>> on my soekris box. Isakmpd is just started with: -4 -K
>>
>> my ipsec.conf looks similar to this one (only IP addresses changed):
>>
>> localip=1.1.1.1
>> peerip=2.2.2.2
>> ike esp from 3.3.3.0/24 to 4.4.0.0/16 \
>>     local $localip peer $peerip \
>>     main auth hmac-sha1 enc aes-128 group modp1024 \
>>     quick auth hmac-sha1 enc aes-128 group modp1024 \
>>     psk top secret
>>
>> and it just works.
>>
>> does a higher debug level i.e. -D A=90 show something, or logging the packets isakmpd sees with -L give more hints?
>
> No packets are transferred, AFAICT. Running isakmpd -Kdv -D A=90 yields a single line after ipsecctl is run:
>
> uiconfig: C set [General]:Check-interval=30 force
>
> isakmpd then quits with exit code 0.

Actually, A=99 yields an extra line:

Misc 95 conf_set_now: [General]:Check-interval-30

>> cheers,
>> Sebastian
>>
>> On Wednesday, December 3, 2014 15:53 CET, Zé Loff zel...@zeloff.org wrote:
>>> On Wed, Dec 03, 2014 at 02:00:59PM +, Kaya Saman wrote:
>>>> Hi,
>>>>
>>>> for some reason, this seems to have been for a while now; isakmpd will simply quit running after initiating:
>>>>
>>>> ipsecctl -f /etc/ipsec.conf
>>>>
>>>> Starting isakmpd manually with flags -Kdv doesn't give any indication as to what might be causing the service to crash or segfault and nothing is reported in the logs - I checked both daemon and messages.
Re: isakmpd quits out after running ipsec on CURRENT
On 2014-12-03, Zé Loff zel...@zeloff.org wrote:
>> for some reason, this seems to have been for a while now; isakmpd will simply quit running after initiating:
>>
>> ipsecctl -f /etc/ipsec.conf
>
> I am seeing the same behaviour (apparently a clean exit, no message whatsoever nor core file) on -current, with an ipsec.conf as simple as this:

This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
Check your system logs for isakmpd: backwards memcpy.

--
Christian naddy Weisgerber na...@mips.inka.de
Re: isakmpd quits out after running ipsec on CURRENT
On 2014-12-03 12:47, Christian Weisgerber wrote:
> On 2014-12-03, Zé Loff zel...@zeloff.org wrote:
>>> for some reason, this seems to have been for a while now; isakmpd will simply quit running after initiating:
>>>
>>> ipsecctl -f /etc/ipsec.conf
>>
>> I am seeing the same behaviour (apparently a clean exit, no message whatsoever nor core file) on -current, with an ipsec.conf as simple as this:
>
> This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
> Check your system logs for isakmpd: backwards memcpy.

It may not be that change, since it was only committed two days ago. I've seen the same symptoms in i386 snapshots from Nov 26 and 30.

I had planned to spend a few hours this next weekend trying to isolate the regression, and to date have not done any more than reproduce the problem with older kernels.
Re: isakmpd quits out after running ipsec on CURRENT
On 2014-12-03 13:59, Josh Grosse wrote:
> On 2014-12-03 12:47, Christian Weisgerber wrote:
> ...
>> This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
>> Check your system logs for isakmpd: backwards memcpy.
>
> It may not be that change, since it was only committed two days ago. I've seen the same symptoms in i386 snapshots from Nov 26 and 30.
>
> I had planned to spend a few hours this next weekend trying to isolate the regression, and to date have not done any more than reproduce the problem with older kernels.

Ack. Never mind. This could be the *fix*. Sorry for the noise.

My apologies. I seem to have way too much blood in my caffeine system.
Re: isakmpd quits out after running ipsec on CURRENT
On 2014-12-03, Josh Grosse j...@jggimi.homeip.net wrote:
>> This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
>> Check your system logs for isakmpd: backwards memcpy.
>
> It may not be that change, since it was only committed two days ago. I've seen the same symptoms in i386 snapshots from Nov 26 and 30.

Exactly, that change _fixes_ it. In recent snapshots, memcpy() checks for overlap and aborts. For some background, see
http://www.tedunangst.com/flak/post/memcpy-vs-memmove

--
Christian naddy Weisgerber na...@mips.inka.de
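
The overlap check discussed in this thread, as an added example that is not part of any message above and is neither OpenBSD's libc nor isakmpd's code: `checked_memcpy` stands in for a memcpy() that refuses overlapping regions, and the hypothetical `consume_line` shows a buffer-shifting copy that trips the check and the memmove() form that does not. All function names and the sample commands are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Nonzero when [dst, dst+len) and [src, src+len) share at least one byte. */
static int regions_overlap(const void *dst, const void *src, size_t len)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;

    return (d < s && len > s - d) || (s < d && len > d - s);
}

/*
 * Stand-in for an overlap-checking memcpy(). A hardened libc would log and
 * abort(); returning -1 instead keeps this demonstration testable.
 */
static int checked_memcpy(void *dst, const void *src, size_t len)
{
    if (regions_overlap(dst, src, len))
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/*
 * Hypothetical command-buffer consumer (not isakmpd's code): copy the first
 * '\n'-terminated command into line, then shift the unread tail to the
 * front of buf. use_memmove=0 is the bug pattern, use_memmove=1 the fix.
 * Returns 1 on success, 0 if no complete line, -1 on overlap, -2 if the
 * line does not fit.
 */
static int consume_line(char *buf, size_t *used, char *line, size_t linesz,
    int use_memmove)
{
    char *nl = memchr(buf, '\n', *used);
    size_t linelen, taillen;

    if (nl == NULL)
        return 0;
    linelen = (size_t)(nl - buf);
    if (linelen >= linesz)
        return -2;
    taillen = *used - (linelen + 1);
    memcpy(line, buf, linelen);        /* line is a separate buffer: safe */
    line[linelen] = '\0';

    /* dst = buf, src = nl + 1: they overlap whenever taillen > linelen + 1 */
    if (use_memmove)
        memmove(buf, nl + 1, taillen);
    else if (checked_memcpy(buf, nl + 1, taillen) != 0)
        return -1;
    *used = taillen;
    return 1;
}

int main(void)
{
    /* Constructed input: a short command followed by a longer one. */
    const char *input = "ping\nset option=value force\n";
    char buf[64], line[32];
    size_t used;
    int mode;

    for (mode = 0; mode <= 1; mode++) {
        used = strlen(input);
        memcpy(buf, input, used);
        printf("%s: %d\n", mode ? "memmove" : "checked memcpy",
            consume_line(buf, &used, line, sizeof(line), mode));
    }
    return 0;
}
```

With the two commands in the opposite order the tail is shorter than the consumed line, the regions do not overlap, and the memcpy() path succeeds, so a copy like this can stay latent until the input changes.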