[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Freeswan won't work with k_deflt-2.4.20-113.i586.rpm was:what has become of the latest kernel hang/freeze bug?

To: SuSE-Security ML <suse-security@xxxxxxxx>
Subject: Re: [suse-security] Freeswan won't work with k_deflt-2.4.20-113.i586.rpm was:what has become of the latest kernel hang/freeze bug?
From: Martin Köhling <mk@xxxxxxxxxxxxxxxxxx>
Date: Sun, 4 Jul 2004 18:17:28 +0200 (CEST)
Cc: Alexander Maier <alexander.maier@xxxxxxxxxx>
Delivered-to: mailing list suse-security@xxxxxxxx
In-reply-to: <000001c45d26$1ffd4950$1b0117ac@t0055>
List-help: <mailto:suse-security-help@suse.com>
List-post: <mailto:suse-security@suse.com>
List-subscribe: <mailto:suse-security-subscribe@suse.com>
List-unsubscribe: <mailto:suse-security-unsubscribe-suse=archive.cert.uni-stuttgart.de@suse.com>
Mailing-list: contact suse-security-help@xxxxxxxx; run by ezmlm

Hi!

On Mon, 28 Jun 2004, Alexander Maier wrote:

> We have problems with the 2.4 update. We have 2 8.2 systems with problems
> with the latest 8.2 kernel k_deflt-2.4.20-113.i586.rpm. Since the kernel
> update, freeswan1.99 with nat-transversal enabled wont't work anymore. A
> downgrade to the previous kernel k_deflt-2.4.20-111.i586.rpm solved the
> problem. I filled out a bug report at the suse homepage some days ago, but
> no feedback.
>
> Here a cut of the logfile:
> Jun 17 07:38:27 x0070 pluto[845]: ERROR: "dhcp2"[1] 217.187.55.237:4500 #10:
> pfkey write() of SADB_ADD message 25 for Add ESP SA
> esp.4b3171fc@xxxxxxxxxxxxx failed. Errno 22: Invalid argument

I think this message means that the ipsec.o kernel module and Pluto (the
userspace daemon which is part of the freeswan RPM) are "out of sync".

I got exactly this message (same SuSE, same kernel) after I upgraded the
freeswan RPM from http://www.suse.de/~garloff/linux/FreeSWAN/
without upgrading the ipsec.o module; after installing the matching
km_freeswan and recompiling it everything went smoothly.

Note: I had to upgrade because NAT traversal does *not* work correctly
with plain k_deflt-2.4.20-111!

In particular, when connecting to a Win2000/WinXP client behind a NAT
router, freeswan still uses protocol 50 for encrypted traffic, while it
*should* use UDP port 4500 instead; in some situations it might still
work, but I don't count on it... (Depends on the router, I think -
if it does NAT on protocol 50, it will work, otherwise it won't.)

I didn't update the box in question yet, so I can only theoretize:
perhaps SuSE finally updated ipsec.o, but forgot to update the userspace
tools?
In that case, the freeswan RPM on http://www.suse.de/~garloff/linux/FreeSWAN/
might work...

Martin

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here

Prev by Date: Re: [suse-security] DMZ Setup is killing me!!
Next by Date: Re: [suse-security] SUSE Security Announcement: kernel (SUSE-SA:2004:020)
Previous by thread: Re: [suse-security] kernel update oddity on 9.0 Professional
Next by thread: [suse-security] FWD: Re: Re: Mail verschicken aus Perl-Skript
Index(es):
- Date
- Thread