I have installed ipsec-tools on two machines: one is an AMD K7, the other is a VIA C3. Both of them have the correct CFLAGS (-march=athlon, and -march=c3 respectively). I have not enabled any other CFLAGS apart from (-O3, -pipe, -fomit-frame-pointer).

On the K7 machine, the ipsec key management daemon (racoon) works fine. On the C3 machine, it is generating corrupt SA messages. Specifically the first byte of the SA is wrong - it should be '1', meaning Domain Of Interpretation IPSEC. However, the messages sent by this machine always have the first byte set to 0x30, which is totally undefined. It is definitely the racoon daemon, as it has a debug mode which dumps the packets it is about to send, and I can see the byte is incorrect.

If I compile ipsec-tools on the C3 machine by hand, or after setting the -march to something else, it works fine.

Reproducible: Always

Steps to Reproduce:
1. Set up ipsec/racoon in transport mode on two machines - just use defaults e.g. from http://www.ipsec-howto.org/t1.html
2. Attempt to communicate between them (e.g. ping one machine from the other)
3.

Actual Results:
The non-C3 machine's racoon daemon reported "Invalid DOI 0x30".

Expected Results:
worked :) - well it should _always_ have a DOI of 1.

Kernel: 2.6.8.1
GCC: 3.3.4-r1
GLIBC: 2.3.4.20040808
ipsec-tools: 0.3.3

Looks like a GCC bug to me.
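An added example, not part of the original report and not racoon's code: a receiver-side check of the DOI field in the first SA payload of an ISAKMP message, the kind of validation behind the "Invalid DOI 0x30" message above. Field offsets follow RFC 2408; the function names and the sample packet (DOI field set to 0x30) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28 /* fixed ISAKMP header (RFC 2408) */
#define NPTYPE_SA       1 /* next-payload value for an SA payload */
#define IPSEC_DOI       1 /* IPsec DOI (RFC 2407) */

/* Big-endian 32-bit read, one byte at a time. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* 0: first payload is an SA with DOI 1; -1: truncated or bad length;
 * -2: first payload is not an SA; -3: unexpected DOI (value in *doi). */
int check_sa_doi(const uint8_t *pkt, size_t len, uint32_t *doi)
{
    if (len < ISAKMP_HDR_LEN + 8)   /* header + payload header + DOI */
        return -1;
    if (pkt[16] != NPTYPE_SA)       /* byte 16: type of the first payload */
        return -2;
    size_t plen = ((size_t)pkt[ISAKMP_HDR_LEN + 2] << 8) | pkt[ISAKMP_HDR_LEN + 3];
    if (plen < 8 || plen > len - ISAKMP_HDR_LEN)
        return -1;
    *doi = be32(pkt + ISAKMP_HDR_LEN + 4);
    return *doi == IPSEC_DOI ? 0 : -3;
}

/* Constructed 40-byte sample: zeroed header, SA payload with the given DOI. */
size_t build_sample(uint8_t buf[40], uint32_t doi)
{
    memset(buf, 0, 40);
    buf[16] = NPTYPE_SA;            /* first payload is an SA */
    buf[27] = 40;                   /* total message length */
    buf[ISAKMP_HDR_LEN + 3] = 12;   /* SA payload length */
    for (int i = 0; i < 4; i++)
        buf[ISAKMP_HDR_LEN + 4 + i] = (uint8_t)(doi >> (24 - 8 * i));
    return 40;
}

int main(void)
{
    uint8_t pkt[40];
    uint32_t doi = 0;
    int rc = check_sa_doi(pkt, build_sample(pkt, 0x30), &doi);
    printf("rc=%d doi=0x%x\n", rc, (unsigned)doi);
    return 0;
}
```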
I have the same here with a VIA C3 generating this message using ipsec-tools 0.4.0

emerge info:

Portage 2.0.51-r8 (default-linux/x86/2004.3, gcc-3.4.3, glibc-2.3.4.20041102-r0, 2.6.10-gentoo-r1 i686)
=================================================================
System uname: 2.6.10-gentoo-r1 i686 VIA Ezra
Gentoo Base System version 1.6.8
Python: dev-lang/python-2.3.4 [2.3.4 (#1, Oct 8 2004, 18:27:49)]
dev-lang/python: 2.3.4
sys-devel/autoconf: 2.59-r6, 2.13
sys-devel/automake: 1.8.5-r2, 1.5, 1.4_p6, 1.6.3, 1.7.9, 1.9.3
sys-devel/binutils: 2.15.92.0.2-r1, 2.15.92.0.2-r2
sys-devel/libtool: 1.5.10-r2
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-march=c3 -O3 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=c3 -O3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://gentoo.mirror.icd.hu/ ftp://ftp.tu-clausthal.de/pub/linux/gentoo/"
LDFLAGS=""
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X509 acl acpi apache2 apm avi bash-completion berkdb bitmap-fonts chroot crypt cups dba dhcp encode ethereal foomaticdb ftp gd gdbm gif icq imagemagick imap ipv6 java jce jpeg junit kerberos ldap libwww mad mikmod mime motif mpeg mysql nas ncurses nls no-old-linux nptl nptlonly oggvorbis opengl oss pam pdflib perl pic plotutils png postgres pwdb python quicktime readline ruby samba scanner sdl slang spell ssl svga tcpd tetex theora threads tiff truetype unicode usb userlocales xml xml2 xmmsxv zlib"
CFLAGS="" emerge ipsec-tools solves the problem for me...
Should it be reported to ipsec-tools or gcc? Or just put a CFLAGS-filter in the ebuild?
chances are good it's a gcc issue
In 0.5 this issue is temporarily solved by filtering the -march=c3 flag, see bug #77369
Hi

I have exactly the same issue (racoon sending DOI=0x30) on a Pentium4.

ipsec-tools-0.5.2
CFLAGS="-O3 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -pipe"

CFLAGS="" emerge ipsec-tools; actually fixes it!

But strangely it only happens when using preshared keys. It doesn't happen when using rsa signatures.

hmmm - any advice on how to proceed now?

/m
Have you tried the later ipsec-tools versions?
Unfortunately I no longer have that VIA C3 machine.
If this is still an issue, please try with the newest stable compiler on your arch and provide us with `emerge info'.
net-firewall/ipsec-tools-0.6.2-r1 has still problems when compiled by gcc-3.4.6 with the following:

CFLAGS="-march=pentium4 -O3 -fexpensive-optimizations -fomit-frame-pointer -g0 -pipe"

A CFLAGS="-march=pentium4 -O2 -fomit-frame-pointer -g0 -pipe" is enough to fix the problem.

Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-gentoo-r13 i686)
=================================================================
System uname: 2.6.16-gentoo-r13 i686 Intel(R) Celeron(R) CPU 2.53GHz
Gentoo Base System version 1.6.15
app-admin/eselect-compiler: [Not Present]
dev-lang/python: 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O3 -fexpensive-optimizations -fomit-frame-pointer -g0 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=pentium4 -O3 -fexpensive-optimizations -fomit-frame-pointer -g0 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="http://pandemonium.tiscali.de/pub/gentoo/ ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://gentoo.inode.at/ ftp://ftp.sh.cvut.cz/MIRRORS/gentoo/gentoo"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acl apache2 atm audiofile avi berkdb bitmap-fonts bzip2 caps cli crypt cups curl dlloader dri eds elibc_glibc ethereal expat fam foomaticdb fortran gd gdbm gif gmp gnome gpm gstreamer idn imlib ipv6 isdnlog javascript jpeg kde kernel_linux lcms ldap libg++ libwww mhash ming mmx mng motif mysql ncurses nls nptl nptlonly opengl pam pcre pdflib perl php png postgres pppd python qt qt3 qt4 readline recode reflection samba session slang snmp spell spl sqlite sse sse2 ssl tcltk tcpd tetex threads tiff truetype truetype-fonts type1-fonts udev usb userland_GNU x86 xml xml2 xmlrpc xorg yaz zlib input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_vmmouse video_cards_i810 video_cards_vesa"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
that sucks, but if i were you i would try gcc-4.1.1 as gcc-3.4.6 is dead now ...
(In reply to comment #11)
> that sucks, but if i were you i would try gcc-4.1.1 as gcc-3.4.6 is dead now
> ...

I got a stable (not a ~x86) system. No 4.x, sorry.