Bug 145773 - kernel-2.6.10 breaks ipsec-tools-0.3.3
Summary: kernel-2.6.10 breaks ipsec-tools-0.3.3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ipsec-tools
Version: 3
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-01-21 13:57 UTC by Ronny Blomme
Modified: 2014-03-17 02:51 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-03-04 23:09:37 UTC
Type: ---
Embargoed:



Description Ronny Blomme 2005-01-21 13:57:10 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040922

Description of problem:
I use FC3 kernel-2.6.9-1.667 with ipsec-tools-0.3.3-2
to create an ipsec tunnel. That worked fine.
Since there is a problem with the ip_conntrack_amanda module in kernel
2.6.9, I had to upgrade to kernel-2.6.10-1.741_FC3. After this
upgrade, the ipsec tunnel stops forwarding packets.
I am running some experiments now with ipsec-tools-0.5-rc1. It seems
this solves my problem.
So please update ipsec-tools in FC3!

Version-Release number of selected component (if applicable):
ipsec-tools-0.3.3-2, kernel-2.6.10-1.741_FC3

How reproducible:
Always

Steps to Reproduce:
1. install minimal FC3
2. upgrade to kernel 2.6.10-1.741_FC3
3. start ipsec-tunnel (start racoon + setkey -f...)
    

Actual Results:  The tunnel does not forward packets

Additional info:

/etc/racoon/racoon.conf:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

log debug;

remote anonymous
{
        exchange_mode aggressive,main;
        lifetime time 1 hour;   # sec,min,hour
        proposal_check obey;    # obey, strict or claim
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

======================================
script that starts the tunnel on gateway A:
#!/sbin/setkey -f
flush;
spdflush;

spdadd x.y.z.0/22[any] 192.168.127.0/24[any] any -P out ipsec
        esp/tunnel/x.y.z.251-192.168.127.240/require;

spdadd 192.168.127.0/24[any] x.y.z.0/22[any] any -P in ipsec
        esp/tunnel/192.168.127.240-x.y.z.251/require;

=============
similar on gateway B

Comment 1 Bill Nottingham 2005-03-04 23:09:37 UTC
0.5-0.fc{2,3} pushed as a Fedora update.

