Bug #1610
closed
v6 IPsec tunnels can trap 12 the kernel
Added by Seth Mos over 13 years ago.
Updated over 12 years ago.
Affected Version: 2.1-IPv6
Description
Configuring an IPsec tunnel with v6 endpoints and a v6 tunnel network is no issue in the UI. It all works as expected.
- v6 tunnel endpoints do not get automatic port 500 and 4500 firewall rules. Needs fixing.
- traffic passes without issue.
When opening the dashboard or the status IPsec page it reasonably reliably triggers a trap 12 in the kernel.
Most likely the one shot patch not keeping note of 128 bit addresses vs the 32 bit v4.
- Target version changed from 8 to 2.1
The one shot patch is not needed at all now.
You can just increase the sysctl sockmaxbuf to give the same results.
This affects the kernel in 2.0 which is currently also in use on 2.1
On the 2.1 IPv6 snaps dating September 1st I cannot replicate this anymore; this may have been fixed somewhere by another patch in the last few months.
There is a side note to this.
I'm hitting something like a 1320 byte mtu limit on the IPsec tunnel and so far have not managed to troubleshoot this MTU issue that exists through the IPsec tunnel. Ping works fine and even mtr with a packet size of 1300 does not complain. Theoretically setting the MTU to 1280 on the webserver could fix it, which I have not tried yet.
I've added a blanket inet6 ICMP allow rule, but that didn't help. Needs to be tested for EPACKETTOOBIG responses in ICMPv6 messages.
- Status changed from New to Feedback
The trap 12 doesn't occur anymore, the MTU issue still exists.
- Status changed from Feedback to Resolved