After I decided to switch from linux-2.4.22-gentoo-r4 to linux-2.4.22-gentoo-r5 I got the following problem. An ipsec-tunnel that worked fine for over a year stopped working. I monitored the communication between the two ipsec hosts with tcpdump, and had a look in the /var/log/auth.log => I think the IKE works fine [sent MR3, ISAKMP SA established], but after that something goes wrong in the quick mode. A few seconds later I get a [ignoring Delete SA payload: IPSEC SA not found (maybe expired)]. 60 seconds later ipsec rekeys.

Reproducible: Always

Steps to Reproduce:
1. Start IPSEC = ipsec setup restart
2.
3.

Actual Results:
IKE Phase 1 (Main Mode) works fine.
IKE Phase 2 (Quick Mode) gets initiated.
Then I get an "ignoring Delete SA payload: IPSEC SA not found (maybe expired)" in the auth.log and 60 sec. later pluto rekeys.

Expected Results:
IKE Phase 2 should accept the SA and work correctly.

# ipsec setup --version
ipsec setup super-freeswan-1.99_kb4

If I switch back to linux-2.4.22-gentoo-r4 everything works fine.
*** Bug 38817 has been marked as a duplicate of this bug. ***
I have found a post in the Gentoo forum:

"I am using IPSEC on gentoo machines for our VPN. After upgrading one machine to gentoo-sources-2.4.22-r5, I get the following error in the logs when starting the tunnel:

Code:
ERROR: "conn1" #2: pfkey write() of SADB_ADD message 8 for Add ESP SA <IP REMOVED FOR PRIVACY REASONS> failed. Errno 22: Invalid argument

The tunnel does not work. After re-emerging freeswan it did not work either. It worked before with -r4! Any Ideas?"

Maybe it helps .....
The only thing that changed between -r4 and -r5 was:

netdev_random
epoll
20_keventd-rt-1 (from -aa)
updated e100
dropped 036_fast-csum
sk98lin update (can only be built as a module)
3c2000/3c940 driver (can only be built as a module)
systrace

I don't know much (anything?) about ipsec, so I don't know if any of those things would have affected it.
What authentication algorithm[s] are you using and which ones are enabled in your configuration? Also, please run "make menuconfig" and just exit that, but saving the changes, because some configuration changes were added to -r5 which may cause your problems, as a valid authentication algorithm can't be found. When you've done that, can you also attach your .config to this bug please?
Disabling kernel crypto API support seems to fix the problem
Bug fixed. Disabling cryptoapi fixed it.
Closing, bug fixed.