Re: [suse-security] Freeswan won't work with k_deflt-2.4.20-113.i586.rpm was: what has become of the latest kernel hang/freeze bug?
On Mon, 28 Jun 2004, Alexander Maier wrote:
> We have problems with the 2.4 update. We have 2 8.2 systems with problems
> with the latest 8.2 kernel k_deflt-2.4.20-113.i586.rpm. Since the kernel
> update, freeswan1.99 with NAT traversal enabled won't work anymore. A
> downgrade to the previous kernel k_deflt-2.4.20-111.i586.rpm solved the
> problem. I filled out a bug report at the suse homepage some days ago, but
> no feedback.
> Here is a cut of the logfile:
> Jun 17 07:38:27 x0070 pluto: ERROR: "dhcp2" 126.96.36.199:4500 #10:
> pfkey write() of SADB_ADD message 25 for Add ESP SA
> esp.4b3171fc@xxxxxxxxxxxxx failed. Errno 22: Invalid argument
I think this message means that the ipsec.o kernel module and Pluto (the
userspace daemon which is part of the freeswan RPM) are "out of sync".
I got exactly this message (same SuSE, same kernel) after I upgraded the
freeswan RPM from http://www.suse.de/~garloff/linux/FreeSWAN/
without upgrading the ipsec.o module; after installing the matching
km_freeswan and recompiling it everything went smoothly.
Note: I had to upgrade because NAT traversal does *not* work correctly
with plain k_deflt-2.4.20-111!
In particular, when connecting to a Win2000/WinXP client behind a NAT
router, freeswan still uses protocol 50 for encrypted traffic, while it
*should* use UDP port 4500 instead; in some situations it might still
work, but I don't count on it... (Depends on the router, I think -
if it does NAT on protocol 50, it will work, otherwise it won't.)
I didn't update the box in question yet, so I can only theorize:
perhaps SuSE finally updated ipsec.o, but forgot to update the userspace
In that case, the freeswan RPM on http://www.suse.de/~garloff/linux/FreeSWAN/
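An added example (not from this thread or the FreeS/WAN project) that checks for both symptoms offline: a parser for Pluto's "pfkey write() ... failed" line that flags the EINVAL-on-SADB_ADD kernel/userspace mismatch described above, and an audit over packet summaries that reports peers which negotiated NAT-T on UDP 4500 yet still send raw protocol-50 ESP. The packet list, its addresses and the function names are constructed for the example.

```python
import re
from collections import defaultdict
ESP_PROTO, UDP_PROTO, NAT_T_PORT = 50, 17, 4500

# Pluto's "pfkey write() ... failed" line, as quoted in the thread (one line).
PFKEY_RE = re.compile(
    r'pluto: ERROR: "(?P<conn>[^"]+)" (?P<peer>[\d.]+):(?P<port>\d+) #\d+: '
    r'pfkey write\(\) of (?P<msg>SADB_\w+) message \d+ for .+? '
    r'(?P<spi>esp\.[0-9a-f]+@\S+) failed\. Errno (?P<errno>\d+)')

def parse_pluto_pfkey_error(line):
    """Dict with conn, peer, port, msg, spi, errno and a mismatch flag, or None."""
    m = PFKEY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["errno"] = int(d["errno"])
    # EINVAL (22) on SADB_ADD: ipsec.o rejected Pluto's SA message, the
    # usual sign that kernel module and userspace come from different builds.
    d["kernel_userspace_mismatch"] = d["msg"] == "SADB_ADD" and d["errno"] == 22
    return d

def nat_t_audit(packets):
    """packets: (src, dst, proto, sport, dport). Per ESP-sending peer returns
    'udp-encap', 'raw-esp' or 'raw-esp-despite-nat-t' (NAT-T, yet proto 50)."""
    nat_t_peers, kinds = set(), defaultdict(set)
    for src, _dst, proto, sport, dport in packets:
        if proto == UDP_PROTO and NAT_T_PORT in (sport, dport):
            nat_t_peers.add(src)            # IKE and ESP-in-UDP share 4500
            kinds[src].add("udp-encap")
        elif proto == ESP_PROTO:
            kinds[src].add("raw")
    verdicts = {}
    for peer, k in kinds.items():
        if "raw" in k and peer in nat_t_peers:
            verdicts[peer] = "raw-esp-despite-nat-t"
        else:
            verdicts[peer] = "raw-esp" if "raw" in k else "udp-encap"
    return verdicts

# Constructed inputs: the log line from the thread (re-joined) and packet summaries.
SAMPLE_LOG = ('Jun 17 07:38:27 x0070 pluto: ERROR: "dhcp2" 126.96.36.199:4500 #10: '
              'pfkey write() of SADB_ADD message 25 for Add ESP SA '
              'esp.4b3171fc@xxxxxxxxxxxxx failed. Errno 22: Invalid argument')
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.1", 17, 4500, 4500),  # peer A: NAT-T on 4500
    ("192.0.2.10", "198.51.100.1", 50, None, None),  # peer A: raw ESP anyway
    ("192.0.2.20", "198.51.100.1", 17, 500, 500),    # peer B: plain IKE
    ("192.0.2.20", "198.51.100.1", 50, None, None),  # peer B: raw ESP is fine
]
```

Run the audit against a capture summary from the gateway's outside interface; a "raw-esp-despite-nat-t" verdict reproduces the protocol-50 behaviour described above for a peer that should have switched to UDP 4500.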