Bug #1610

v6 IPsec tunnels can trap 12 the kernel

Added by Seth Mos over 10 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 06/18/2011
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1-IPv6
Affected Architecture:
Description

Configuring an IPsec tunnel with v6 endpoints and a v6 tunnel network is no issue in the UI. It all works as expected.

- v6 tunnel endpoints do not get automatic port 500 and 4500 firewall rules. Needs fixing.
- traffic passes without issue.

When opening the dashboard or the status IPsec page it reasonably reliably triggers a trap 12 in the kernel.

Most likely the one shot patch not keeping note of 128 bit addresses vs the 32 bit v4.

Actions #1

Updated by Chris Buechler over 10 years ago

  • Target version changed from 8 to 2.1

Actions #2

Updated by Ermal Luçi over 10 years ago

The one shot patch is not needed at all now.
You can just increase the sysctl sockmaxbuf to give the same results.

Actions #3

Updated by Seth Mos over 10 years ago

This affects the kernel in 2.0, which is currently also in use on 2.1.

Actions #4

Updated by Seth Mos about 10 years ago

On the 2.1 IPv6 snaps dating September 1st I cannot replicate this anymore; this may have been fixed somewhere by another patch in the last few months.

There is a side note to this.

I'm hitting something like a 1320 byte mtu limit on the IPsec tunnel and so far have not managed to troubleshoot this MTU issue that exists through the IPsec tunnel. Ping works fine and even mtr with a packet size of 1300 does not complain. Theoretically setting the MTU to 1280 on the webserver could fix it, which I have not tried yet.

I've added a blanket inet6 icmp allow rule but that didn't help. Needs to be tested for EPACKETTOOBIG responses in icmp6 messages.
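
The MTU ceiling reported in the comment above comes down to two things: how many bytes IPv6 ESP tunnel mode adds to each inner packet, and whether ICMPv6 Packet Too Big messages make it back to the sender. The following is an added example, not code from this bug report or from pfSense. It computes the usable inner MTU for a given outer MTU and cipher parameters, and builds and validates an ICMPv6 Packet Too Big message (type 2) including its pseudo-header checksum. The cipher sizes (16-byte IV, 16-byte block, 12-byte ICV), the 1500-byte outer MTU and the 2001:db8:: addresses are assumptions for illustration; the report does not state them.

```python
# Added example for the IPsec MTU discussion; not code from the bug report or
# from pfSense.  Shows (1) the per-packet overhead of IPv6 ESP tunnel mode so the
# usable tunnel MTU can be derived from the outer link MTU, and (2) validation
# of an ICMPv6 Packet Too Big message, which is what a sender should receive
# when an inner packet exceeds that MTU.  Cipher parameters, addresses and the
# outer MTU below are assumptions for illustration.
import struct
import ipaddress

IPV6_MIN_MTU = 1280        # RFC 8200: every IPv6 link must carry at least this
ICMPV6_PACKET_TOO_BIG = 2  # ICMPv6 type number for Packet Too Big
IPPROTO_ICMPV6 = 58        # next-header value used in the pseudo-header


def esp_tunnel_overhead(inner_len, iv_len, icv_len, block_size=16, nat_t=False):
    """Bytes added when an inner packet of inner_len bytes is carried in IPv6
    ESP tunnel mode: outer IPv6 header (40) + ESP SPI/sequence (8) + IV +
    padding up to the cipher block + pad-length/next-header trailer (2) + ICV,
    plus a UDP header (8) when NAT-T encapsulation is active."""
    esp_body = inner_len + 2                 # plaintext plus the 2-byte ESP trailer
    padding = (-esp_body) % block_size       # pad the body to the cipher block size
    overhead = 40 + 8 + iv_len + padding + 2 + icv_len
    if nat_t:
        overhead += 8
    return overhead


def max_inner_mtu(outer_mtu, iv_len, icv_len, block_size=16, nat_t=False):
    """Largest inner packet that still fits in outer_mtu after encapsulation.
    Walks downward so the block-padding rule is honoured exactly."""
    for inner in range(outer_mtu, 0, -1):
        if inner + esp_tunnel_overhead(inner, iv_len, icv_len, block_size, nat_t) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any inner packet")


def icmpv6_checksum(src, dst, msg):
    """RFC 8200 upper-layer checksum: pseudo-header (src, dst, length, zeros,
    next header 58) followed by the ICMPv6 message, one's complement sum."""
    pseudo = src + dst + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6])
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet_too_big(src, dst, mtu, invoking_packet):
    """Construct a Packet Too Big message as a router on the path would:
    type 2, code 0, checksum, 4-byte MTU, then the start of the offending packet."""
    msg = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking_packet
    csum = icmpv6_checksum(src, dst, msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_packet_too_big(src, dst, msg):
    """Return the advertised MTU if msg is a well-formed Packet Too Big with a
    correct checksum and a plausible MTU; otherwise None.  Rejecting MTUs below
    the IPv6 minimum stops a forged message from shrinking the path further."""
    if len(msg) < 8:
        return None
    typ, code, csum, mtu = struct.unpack("!BBHI", msg[:8])
    if typ != ICMPV6_PACKET_TOO_BIG or code != 0:
        return None
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    if icmpv6_checksum(src, dst, zeroed) != csum:
        return None
    if mtu < IPV6_MIN_MTU:
        return None
    return mtu


if __name__ == "__main__":
    # Assumed parameters: AES-CBC (16-byte IV, 16-byte block) with HMAC-SHA1-96
    # (12-byte ICV) over a 1500-byte outer link, with and without NAT-T.
    print("inner MTU, no NAT-T:", max_inner_mtu(1500, iv_len=16, icv_len=12))
    print("inner MTU, NAT-T   :", max_inner_mtu(1500, iv_len=16, icv_len=12, nat_t=True))
    # Constructed addresses from the documentation prefix, not real hosts.
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    ptb = build_packet_too_big(src, dst, 1422, bytes(48))
    print("PTB advertises MTU:", parse_packet_too_big(src, dst, ptb))
```

With the assumed cipher and a 1500-byte outer link, the inner MTU works out to 1422 bytes (1406 with NAT-T). A practical check for the symptom described above is therefore to capture on the tunnel endpoint while sending inner packets just above the computed size: either a valid Packet Too Big arrives and the sender adapts, or it does not, in which case the firewall rules or the path are dropping ICMPv6 and pinning the inner MTU to 1280 is the safe fallback.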

Actions #5

Updated by Seth Mos over 9 years ago

  • Status changed from New to Feedback

The trap 12 doesn't occur anymore, the MTU issue still exists.

Actions #6

Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to Resolved