Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 38814 - Ipsec + linux-2.4.22-gentoo-r5 dont work together
Summary: Ipsec + linux-2.4.22-gentoo-r5 dont work together
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: x86 Linux
: High normal (vote)
Assignee: x86-kernel@gentoo.org (DEPRECATED)
URL:
Whiteboard:
Keywords:
: 38817 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-01-20 06:20 UTC by cmueller
Modified: 2004-04-08 22:19 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description cmueller 2004-01-20 06:20:48 UTC 
After I decided to switch from linux-2.4.22-gentoo-r4 to linux-2.4.22-gentoo-r5 I got the following problem.

A ipsec-tunnel that worked fine for over a year stopped working.

I monitored the communication between the two ipsec hosts with tcpdump.
And had a look in the /var/log/auth.log =>

I think the IKE works fine [sent MR3, ISAKMP SA established], but after that something goes wrong in the quickmode. A few second later I get a [ignoring Delete SA payload:
 IPSEC SA not found (maybe expired)].

60 seconds later ipsec rekeys.

Reproducible: Always
Steps to Reproduce:
1. Start IPSEC = ipsec setup restart
2.
3.

Actual Results:  
IKE Phase 1 (Main Mode) works fine.
IKE Phase 2 (Quick Mode) gets initiated
Then i get a "ignoring Delete SA payload:
IPSEC SA not found (maybe expired)]." in the auth.log and 60 sek. later pluto rekeys

Expected Results:  
IKE Phase 2 should accept the SA and work correct

# ipsec setup --version    
ipsec setup super-freeswan-1.99_kb4

If I switch back to linux-2.4.22-gentoo-r4 every thing works fine
Comment 1 cmueller 2004-01-20 06:33:21 UTC 
*** Bug 38817 has been marked as a duplicate of this bug. ***
Comment 2 cmueller 2004-01-20 06:48:04 UTC 
I have found an Post in the gentoo forum :

"I am using IPSEC on gentoo machines for our VPN. After upgrading one machine to gentoo-sources-2.4.22-r5, I get the following error in the logs when starting the tunnel: 

Code:

ERROR: "conn1" #2: pfkey write() of SADB_ADD message 8 for Add ESP SA <IP REMOVED FOR PRIVACY REASONS> failed. Errno 22: Invalid argument 



The tunnel does not work. 
Atfer re-emerging freeswan it did not work either. 
It worked before with -r4! 
Any Ideas?"

Maybe it helps .....
Comment 3 Brian Jackson (RETIRED) gentoo-dev 2004-01-24 18:31:38 UTC 
the only thing that changed between -r4 and -r5 was:
netdev_random
epoll
20_keventd-rt-1 (from -aa)
updated e100
dropped 036_fast-csum
sk98lin update (can only be built as a module)
3c2000/3c940 driver(can only be built as a module)
systrace

I don't know much (anything?) about ipsec, so I don't know if any of those things would have affected it.
Comment 4 Tim Yamin (RETIRED) gentoo-dev 2004-01-25 02:24:21 UTC 
What authentication algorithm[s] are you using and which ones are enabled in your configuration? Also, please run ``make menuconfig'' and just exit that; but saving the changes; because some configuration changes were added to -r5 which may cause your problems as a valid authentication algorithm can't be found. When you've done that; can you also attach your .config to this bug please?
Comment 5 Enrico Horn 2004-01-26 06:25:34 UTC 
Disabling kernel crypto API support seems to fix the problem
Comment 6 Jason Cox (RETIRED) gentoo-dev 2004-04-08 22:19:05 UTC 
Bug fixed. Disabling cryptoapi fixed it.
Comment 7 Jason Cox (RETIRED) gentoo-dev 2004-04-08 22:19:25 UTC 
Closing, bug fixed.