Racoon and setkey problems
Misak Khachatryan
kmisak at gmail.com
Thu Feb 22 07:10:56 UTC 2018
Hello there,
just some quick feedback. I've added rules to my ipfw to block all isakmp
ports on interfaces not involved in ipsec and rebooted 3 of 4
machines. Situation returned to normal on them, but rebooting the fourth
host is very painful. It seems I have some kind of massive ipsec
probes from a botnet which fill all my SAD and SPD entries or PFKEY
sockets.
All I need is to flush all SAD and SPD entries, but setkey can't do
that. Is there any other way?
Best regards,
Misak Khachatryan
On Tue, Feb 20, 2018 at 4:47 PM, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> On 20.02.2018 08:55, Eugene Grosbein wrote:
>>> yes, all output is from the same machine. I'll recheck all configs again,
>>> or, if it's OK, I can post them here. The most confusing thing is that
>>> everything worked like a charm for several years. And nothing changed in
>>> the configuration until the logs started to fill up with these messages and I
>>> tried to play with some settings to troubleshoot.
>>
>> You may be suffering from some kind of massive IPSEC-scanning bot activity
>> that tries to exploit IPSEC-related bugs and trigger some memory leak.
>>
>> You should really try 11.1.
>
> 11.1-RELEASE had several bugs in the new IPsec code that were fixed in the
> stable/11 branch. So, if you want to try, I recommend using stable/11.
> Also there is very little chance that some problem will be fixed in the 10.x
> branch.
>
> --
> WBR, Andrey V. Elsukov
>
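An added example (not from the thread or the FreeBSD project) of the steps the message describes on a FreeBSD host: flushing the SAD and SPD with setkey(8), counting SAD entries from a `setkey -D` dump to confirm the flush, and generating ipfw(8) rules that drop ISAKMP (udp/500) and NAT-T (udp/4500) inbound on interfaces with no IPsec peers; the interface names, rule numbers and sample dump are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Commands are only echoed unless
# RUN is set empty in the environment (RUN= sh ipsec-cleanup.sh).
RUN="${RUN-echo}"

# Flush the SAD (-F) and then the SPD (-FP). Equivalent to feeding a setkey
# script containing "flush;" and "spdflush;" to setkey -f.
ipsec_flush() {
    $RUN setkey -F
    $RUN setkey -FP
}

# Count SAD entries in a `setkey -D` dump read from stdin. Assumed format of
# FreeBSD setkey output: each entry starts with an unindented "src dst" line,
# detail lines are indented (tab or spaces), an empty SAD prints
# "No SAD entries.". Useful before and after ipsec_flush to see the effect.
sad_entry_count() {
    awk '/^[^ \t]/ && $0 != "No SAD entries." { n++ } END { print n + 0 }'
}

# Print ipfw rules that drop ISAKMP and NAT-T inbound on one interface.
# $1 = interface (assumption: no IPsec peers on it), $2 = base rule number.
isakmp_block_rules() {
    iface="$1"
    base="${2:-1000}"
    echo "ipfw add $base deny log udp from any to me 500 in via $iface"
    echo "ipfw add $((base + 1)) deny log udp from any to me 4500 in via $iface"
}

# Constructed sample of a two-entry `setkey -D` dump (abbreviated).
SAMPLE_DUMP='192.0.2.10 192.0.2.20
    esp mode=tunnel spi=1001(0x000003e9) reqid=0(0x00000000)
    state=mature
192.0.2.10 192.0.2.30
    esp mode=tunnel spi=1002(0x000003ea) reqid=0(0x00000000)
    state=mature'

# Usage (dry run by default):
#   printf '%s\n' "$SAMPLE_DUMP" | sad_entry_count        # prints 2
#   ipsec_flush
#   for i in em1 em2; do                                 # non-IPsec interfaces
#       isakmp_block_rules "$i" 1000 | while read -r rule; do $RUN $rule; done
#   done
```

With `RUN=` the same script applies the rules and flushes the tables; keep the ISAKMP rules ahead of any `allow` rule for udp/500 and udp/4500 on the IPsec-facing interface.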