Hi,

I've replaced a 4.10 server with a 5-current (Jul 18, without PREEMPTION, with MSIZE=512) one. Both have the same IPSEC config (kernel, setkey, racoon, gif). But the 5-current one isn't able to transfer data over the VPN (no ping, no telnet to a port on a host on the other side of the tunnel). Racoon is able to negotiate a connection:

---snip---
# setkey -D
No SAD entries.
# ping host_behind_b
[waiting long enough, but no output]
[ctrl-c]
# setkey -D
a b
        esp mode=tunnel spi=3635833369(0xd8b66a19) reqid=0(0x00000000)
        E: 3des-cbc 11d159c7 53846874 895eacfd 66074dc4 36350ac2 f09fe17a
        A: hmac-md5 bf041de9 225ebf60 dac19d00 23653b39
        seq=0x00000002 replay=4 flags=0x00000000 state=mature
        created: Aug 5 22:10:27 2004 current: Aug 5 22:10:30 2004
        diff: 3(s) hard: 300(s) soft: 240(s)
        last: Aug 5 22:10:28 2004 hard: 0(s) soft: 0(s)
        current: 272(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 2 hard: 0 soft: 0
        sadb_seq=1 pid=561 refcnt=2
b a
        esp mode=tunnel spi=116056914(0x06eae352) reqid=0(0x00000000)
        E: 3des-cbc 053d94f1 edef8617 69d25dca e69ec7db ad3c9a1a 0838a24c
        A: hmac-md5 04d024d9 96b2c61e 6ecc79e4 f2393bc4
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Aug 5 22:10:27 2004 current: Aug 5 22:10:30 2004
        diff: 3(s) hard: 300(s) soft: 240(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=0 pid=561 refcnt=1
---snip---

tcpdump while doing a "ping host_behind_b":

---snip---
21:43:53.966704 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:43:55.112454 IP b.500 > a.500: isakmp: phase 2/others ? oakley-quick[E]
21:43:55.120021 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:44:55.331956 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
21:47:14.475946 IP a > b: ESP(spi=0x754e1e4d,seq=0x1)
21:47:14.484644 IP b > a: ESP(spi=0x03a777cb,seq=0x1)
21:47:15.483319 IP a > b: ESP(spi=0x754e1e4d,seq=0x2)
21:47:15.489887 IP b > a: ESP(spi=0x03a777cb,seq=0x2)
21:47:16.493331 IP a > b: ESP(spi=0x754e1e4d,seq=0x3)
21:47:16.499916 IP b > a: ESP(spi=0x03a777cb,seq=0x3)
21:47:17.503348 IP a > b: ESP(spi=0x754e1e4d,seq=0x4)
21:47:17.514614 IP b > a: ESP(spi=0x03a777cb,seq=0x4)
21:47:18.513362 IP a > b: ESP(spi=0x754e1e4d,seq=0x5)
21:47:18.520057 IP b > a: ESP(spi=0x03a777cb,seq=0x5)
21:47:56.970054 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:47:58.115081 IP b.500 > a.500: isakmp: phase 2/others ? oakley-quick[E]
21:47:58.122636 IP a.500 > b.500: isakmp: phase 2/others ? oakley-quick[E]
21:49:00.330423 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
21:53:00.318424 IP b.500 > a.500: isakmp: phase 2/others ? inf[E]
---snip---

tcpdump on the gif interface shows nothing.

"netstat -s -p ipsec" reports:

---snip---
ipsec:
        106 inbound packets processed successfully
        0 inbound packets violated process security policy
        0 inbound packets with no SA available
        0 invalid inbound packets
        0 inbound packets failed due to insufficient memory
        0 inbound packets failed getting SPI
        0 inbound packets failed on AH replay check
        0 inbound packets failed on ESP replay check
        0 inbound packets considered authentic
        0 inbound packets failed on authentication
        ESP input histogram:
                3des-cbc: 106
        102 outbound packets processed successfully
        0 outbound packets violated process security policy
        5 outbound packets with no SA available
        0 invalid outbound packets
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route
        ESP output histogram:
                3des-cbc: 102
        7526 SPD cache lookups
        3235 SPD cache misses
---snip---

A kernel with FAST_IPSEC instead of IPSEC works as expected (ping reports the round trip time, tcpdump shows traffic on the gif interface, and a quick test with telnet to a port on host_behind_b shows the expected output).

The system is supposed to go into production soon, so I can't guarantee I can do "expensive" tests if someone comes up with a patch or needs some data which is only available if IPSEC instead of FAST_IPSEC is used.

Bye,
Alexander.

--
I'm available to get hired (preferred in .lu).

http://www.Leidinger.net                       Alexander _at_ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7

Received on Thu Aug 05 2004 - 18:29:58 UTC
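The asymmetry in the setkey -D dump above (the a->b SA has carried 272 bytes, the b->a SA none, although tcpdump sees ESP arriving from b) is the kind of thing worth checking mechanically when triaging a tunnel that negotiates but passes no traffic. The following is an added example, not code from the post or from FreeBSD: a small parser for the SAD dump format that flags mature inbound SAs with a zero byte counter. The sample dump is constructed from the post's output with key material and timestamp lines left out.

```python
import re

# Constructed sample in the layout of the `setkey -D` dump quoted above
# (key material and timestamp lines omitted for brevity).
SAMPLE = """\
a b
        esp mode=tunnel spi=3635833369(0xd8b66a19) reqid=0(0x00000000)
        seq=0x00000002 replay=4 flags=0x00000000 state=mature
        current: 272(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 2 hard: 0 soft: 0
b a
        esp mode=tunnel spi=116056914(0x06eae352) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
"""

# Fields to pull out of the indented lines of each SA entry.
FIELDS = (("proto", r"^\s*(\w+) mode="),
          ("mode", r"mode=(\w+)"),
          ("spi", r"spi=\d+\((0x[0-9a-f]+)\)"),
          ("state", r"state=(\w+)"),
          ("bytes", r"current: (\d+)\(bytes\)"),
          ("allocated", r"allocated: (\d+)"))

def parse_sad(text):
    """Split a setkey -D dump into one dict per SA.

    A line that does not start with whitespace is an 'src dst' header;
    the indented lines that follow describe that SA.
    """
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            src, dst = line.split()
            cur = {"src": src, "dst": dst}
            sas.append(cur)
            continue
        if cur is None:
            continue  # indented line before any header: ignore
        for key, pat in FIELDS:
            m = re.search(pat, line)
            if m:
                cur[key] = int(m.group(1)) if key in ("bytes", "allocated") else m.group(1)
    return sas

def idle_mature_sas(text, local):
    """SPIs of mature SAs terminating at `local` that never counted a byte.
    With ESP visibly arriving on the wire, that is the symptom to chase."""
    return [sa["spi"] for sa in parse_sad(text)
            if sa["dst"] == local and sa.get("state") == "mature"
            and sa.get("bytes", 0) == 0]
```

Run against the post's dump with local set to "a", it reports only the b->a SA, matching the "0 inbound packets considered authentic" counter in the netstat output.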