Description of problem:
setkey does not process policies correctly. When processing a policy with two rules as a SA bundle it gives an error message:

setkey: invalid keymsg length

Using just one rule works fine.

Version-Release number of selected component (if applicable):
# rpm -q ipsec-tools
ipsec-tools-0.7.1-6.fc9.i386
# uname -r
2.6.27.5-41.fc9.i686

How reproducible:
Always.

Steps to Reproduce:
1. Flush policy database:
# setkey -FP
2. Load policy with one rule:
# echo "spdadd -n 3.0.0.1 5.0.0.1 any -P out ipsec esp/transport//require;" | setkey -c
Works!
3. Load policy with two rules:
# setkey -FP
# echo "spdadd -n 3.0.0.1 5.0.0.1 any -P out ipsec esp/transport//require ah/transport//require;" | setkey -c
setkey: invalid keymsg length
4. Subsequently accessing the policy database gives the same error:
# setkey -DP
setkey: invalid keymsg length

Expected results:
NO Error

Additional info:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/308604:
"I found http://patchwork.ozlabs.org/patch/6754/ which shows a patch that fixes the "invalid keymsg length" problem. This has been applied upstream, and should be included in 2.6.28. This corresponds to commit 920da6923cf03c8a78fbaffa408f8ab37f6abfc1 in Linus's tree."

This is a kernel bug.
Fixed upstream in 2.6.27.10.