Problems with k_deflt-2.4.19-329 and IPSEC
All, I upgraded two firewalls to use the new kernel package k_deflt-2.4.19-329 this morning. The upgrade worked fine and the IPSEC tunnel through these firewalls worked fine for a while (about 6 hours). Now the tunnels are down and won't come up again; the kernel is complaining in /var/log/messages:

Jul 22 10:55:12 <hostname> pluto[1273]: "maynard-walter" #8: initiating Main Mode to replace #7
Jul 22 10:55:45 <hostname> pluto[1273]: "maynard-walter" #8: ERROR: asynchronous network error report on eth0 for message to <remote ipsec gateway address> port 500, complainant <local firewall ip address>: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

and then later on:

Jul 22 14:02:30 <hostname> kernel: ; found spi=0x983262c7, dst=XXX.XXX.XXX.XXX, proto=3/ESP
Jul 22 14:02:30 <hostname> kernel: ipsec4_rcv: incoming packet failed policy check; dropped

When I try to restart ipsec, I see the following messages:

/root# /etc/init.d/ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
ipsec_setup: Using /lib/modules/2.4.19-4GB/kernel/net/ipv4/ipsec/ipsec.o
ipsec_setup: /usr/lib/ipsec/_startklips: line 269: /proc/sys/net/ipsec/inbound_policy_check: No such file or directory

I have reverted back to the old kernel, hopefully that will be stable again. Since both machines I upgraded showed that same fault at about the same time, I blame the new kernel... Any thoughts?

Thanks
-- 
Daniel Nilsson
Signal Integrity Software Inc.
/proc/sys/net/ipsec/inbound_policy_check: No such file or directory
I have reverted back to the old kernel, hopefully that will be stable again. Since both machines I upgraded showed that same fault at about the same time, I blame the new kernel... Any thoughts?
Yes. To be honest: We messed it up. But rescue is in sight, we'll have a new kernel update (which does not fix this particular problem) plus one ipsec package (which does fix this particular problem) in place shortly. The delays are based on the fact that this kind of kernel update is extremely worksome, as we'd like to do it right.
Thanks
-- 
Daniel Nilsson
Signal Integrity Software Inc.
Thanks,
Roman.
-- 
Roman Drahtmüller
Hi there!

Meanwhile, maybe the SuSE guys will release the "official" YOU-version of gcc-3.3, so people can compile their own version of vanilla-kernels... ...or is it an M$-like policy? "use only SuSE-kernels!!!" ;)

Regards,
Radu

Roman Drahtmueller wrote:
/proc/sys/net/ipsec/inbound_policy_check: No such file or directory
I have reverted back to the old kernel, hopefully that will be stable again. Since both machines I upgraded showed that same fault at about the same time, I blame the new kernel... Any thoughts?
Yes. To be honest: We messed it up. But rescue is in sight, we'll have a new kernel update (which does not fix this particular problem) plus one ipsec package (which does fix this particular problem) in place shortly.
The delays are based on the fact that this kind of kernel update is extremely worksome, as we'd like to do it right.
Thanks
-- 
Daniel Nilsson
Signal Integrity Software Inc.
Thanks, Roman.
Meanwhile, maybe the SuSE guys will release the "official" YOU-version of gcc-3.3, so people can compile their own version of vanilla-kernels...

Use the latest Beta version of fou4s and add the following line to /etc/fou4s.conf:

Server=rsync://ftp.gwdg.de/pub/linux/suse/ftp.suse.com/projects/gcc/%VERSION/
Then run fou4s -u to generate the descriptions. To see the packages that are going to be updated, use fou4s -e. Then run fou4s -i --end --nogpg to install the current gcc. Finito :-)

You can also install the old gcc 2.95, which is more recommended for compiling kernels, from
http://ftp.gwdg.de/pub/linux/suse/ftp.suse.com/suse/i386/8.1/suse/i586/gcc_o...
It works at least for 8.1 and 8.2. To compile the kernel using the old GCC do

export PATH=/opt/gcc295/bin:$PATH LD_LIBRARY_PATH=/opt/gcc295/lib

Have a lot of fun ...

Markus
-- 
__________________
 /"\   Markus Gaugusch         markus@gaugusch.at
 \ /   ASCII Ribbon Campaign
  X    Against HTML Mail
 / \
Roman Drahtmueller wrote:
/proc/sys/net/ipsec/inbound_policy_check: No such file or directory
I have reverted back to the old kernel, hopefully that will be stable again. Since both machines I upgraded showed that same fault at about the same time, I blame the new kernel... Any thoughts?
Yes. To be honest: We messed it up. But rescue is in sight, we'll have a new kernel update (which does not fix this particular problem) plus one ipsec package (which does fix this particular problem) in place shortly.
Roman,

I saw the new freeswan package this morning and tried to reinstall the k_deflt-2.4.19-329 package as well as the freeswan-1.98_0.9.14-238.i586.patch.rpm package. These two packages still won't play together though, maybe I misunderstood you and you're saying that I need to wait for a kernel update as well. Anyway, the error messages are:

Jul 28 06:19:33 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 06:19:38 <hostname> kernel: NET: 9 messages suppressed.
Jul 28 06:19:38 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 06:19:43 <hostname> kernel: NET: 9 messages suppressed.

Thanks
-- 
Daniel Nilsson
Roman,
I saw the new freeswan package this morning and tried to reinstall the k_deflt-2.4.19-329 package as well as the freeswan-1.98_0.9.14-238.i586.patch.rpm package. These two packages still won't play together though, maybe I misunderstood you and you're saying that I need to wait for a kernel update as well. Anyway, the error messages are:

Jul 28 06:19:33 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 06:19:38 <hostname> kernel: NET: 9 messages suppressed.
Jul 28 06:19:38 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 06:19:43 <hostname> kernel: NET: 9 messages suppressed.
This is strange. It worked well in all of our tests, and I've just tried it out on my machine at home. The originally installed RPM from the CD plus the patch RPM make the new RPM, bitwise. My tunnels work correctly.

Now, please make sure that you

* Only have one package called k_deflt and freeswan installed
* that `rpm -q freeswan` tells you "freeswan-1.98_0.9.14-238".
* that you executed mk_initrd and lilo (just in case...) before you have actually rebooted (must be).
Daniel Nilsson
Roman.
-- 
Roman Drahtmüller
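Roman's three checks above (one k_deflt and one freeswan RPM, the exact freeswan version, mk_initrd run before the reboot), plus the symptoms Daniel pasted (the missing /proc/sys/net/ipsec/inbound_policy_check at ipsec start, the ipsec4_rcv policy-check drops, the ICMP unreachable reports from pluto), can be turned into a script that is run on the box after the update. This is an added example, not code from the thread, from SuSE or from FreeS/WAN. The paths (/boot/vmlinuz, /boot/initrd, the ipsec.o location under /lib/modules) are taken from the mk_initrd and rpm -qf output quoted in the thread and are assumptions about the machine; the log patterns and the expected freeswan version are the ones the posters quote. The checks that only need command output take that output as text, so they can be exercised without rpm or a live kernel.

```shell
#!/bin/sh
# Post-update sanity checks for a SuSE 8.1 box running FreeS/WAN 1.98 (KLIPS).
# Added example; not code from the thread, SuSE or FreeS/WAN. The pure checks
# take command output as text so they can run offline; "--live" gathers the
# real data from the running system (assumed paths, see the lead-in).

EXPECT_FREESWAN="freeswan-1.98_0.9.14-238"   # the version Roman asks to see

# Exactly one RPM of a given name may be installed; two k_deflt (old and new)
# side by side is the first thing to rule out.
#   $1 = package name, $2 = text of `rpm -qa`
single_version() {
    n=$(printf '%s\n' "$2" | grep -c "^$1-[0-9]" || true)
    [ "$n" -eq 1 ]
}

# The initrd must not be older than the kernel image it boots: mk_initrd has to
# run after the kernel RPM replaced vmlinuz. grub reads both files at boot time;
# lilo additionally records block addresses and must be rerun as well.
#   $1 = initrd path, $2 = kernel image path
initrd_current() {
    [ -f "$1" ] && [ -f "$2" ] && [ -z "$(find "$2" -newer "$1" -print)" ]
}

# Classify the KLIPS/pluto symptoms seen in this thread from syslog on stdin.
# "NET: N messages suppressed" is the kernel rate-limiting the same message,
# so the real drop count is higher than what is counted here.
triage_klips_log() {
    awk '
      /inbound_policy_check: No such file or directory/  { sysctl++ }
      /ipsec4_rcv: no policy for packet/                 { drop++ }
      /ipsec4_rcv: incoming packet failed policy check/  { drop++ }
      /asynchronous network error report/                { icmp++ }
      END {
        if (sysctl) print "MISMATCH: ipsec userland writes /proc/sys/net/ipsec/inbound_policy_check but the loaded ipsec.o does not expose it (" sysctl " hits)"
        if (drop)   print "DROP: KLIPS discarded inbound packets on policy grounds (" drop " logged)"
        if (icmp)   print "PEER: " icmp " ICMP unreachable(s) for IKE udp/500; check routing and filters before blaming KLIPS"
        if (!sysctl && !drop && !icmp) print "OK: no KLIPS symptoms in input"
      }'
}

# Everything below touches the real system and only runs with --live.
run_live() {
    qa=$(rpm -qa)
    single_version k_deflt  "$qa" || echo "FAIL: more than one k_deflt RPM installed"
    single_version freeswan "$qa" || echo "FAIL: more than one freeswan RPM installed"
    have=$(rpm -q freeswan)
    [ "$have" = "$EXPECT_FREESWAN" ] || echo "FAIL: freeswan is $have, expected $EXPECT_FREESWAN"
    mod=/lib/modules/$(uname -r)/kernel/net/ipv4/ipsec/ipsec.o
    [ "$(rpm -qf "$mod")" = "$(rpm -qf /boot/vmlinuz)" ] \
        || echo "FAIL: $mod and /boot/vmlinuz come from different RPMs"
    initrd_current /boot/initrd /boot/vmlinuz \
        || echo "FAIL: /boot/initrd is older than /boot/vmlinuz; run mk_initrd (and lilo, if you boot with lilo)"
    [ -e /proc/sys/net/ipsec/inbound_policy_check ] \
        || echo "FAIL: loaded ipsec.o provides no /proc/sys/net/ipsec/inbound_policy_check"
    triage_klips_log < /var/log/messages
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as `sh klips-check.sh --live` on the firewall; without `--live` it only defines the functions. The module-owner check is the one Daniel ends up doing by hand with `rpm -qf`: the ipsec.o that ipsec_setup loads must come from the same k_deflt RPM as the kernel that is actually booted, otherwise the userland tools and the KLIPS module disagree about which /proc knobs exist and inbound ESP is dropped on policy grounds rather than failing loudly.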
Roman Drahtmueller wrote:
Roman,
I saw the new freeswan package this morning and tried to reinstall the k_deflt-2.4.19-329 package as well as the freeswan-1.98_0.9.14-238.i586.patch.rpm package. These two packages still won't play together though, maybe I misunderstood you and you're saying that I need to wait for a kernel update as well. Anyway, the error messages are:

Jul 28 06:19:33 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 06:19:38 <hostname> kernel: NET: 9 messages suppressed.
Jul 28 06:19:38 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 06:19:43 <hostname> kernel: NET: 9 messages suppressed.
This is strange. It worked well in all of our tests, and I've just tried it out on my machine at home. The originally installed RPM from the CD plus the patch RPM make the new RPM, bitwise. My tunnels work correctly.
Now, please make sure that you
* Only have one package called k_deflt and freeswan installed
* that `rpm -q freeswan` tells you "freeswan-1.98_0.9.14-238".
* that you executed mk_initrd and lilo (just in case...) before you have actually rebooted (must be).
Roman,

So I tried to install the new packages once more, so here goes (from a working 8.1 system):

<hostname>:~ # fou4s -in
ftp.sunet.se: Checking [#################################] 100 %
New freeswan 1.98_0.9.14-238 (old 1.98_0.9.14-72) [recommended, 595kB] [ok]
Installing freeswan-1.98_0.9.14-238.i586.patch.rpm
New k_deflt 2.4.19-329 (old 2.4.19-110) [security, 19351kB] [ok]
Installing k_deflt-2.4.19-329.i586.patch.rpm
Starting SuSEconfig, the SuSE Configuration Tool...
Running in full featured mode.
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SuSEconfig.aaa_at_first...
Executing /sbin/conf.d/SuSEconfig.alljava...
Executing /sbin/conf.d/SuSEconfig.doublecheck...
Executing /sbin/conf.d/SuSEconfig.fonts...
Executing /sbin/conf.d/SuSEconfig.groff...
Executing /sbin/conf.d/SuSEconfig.hostname...
Executing /sbin/conf.d/SuSEconfig.libxml2...
Executing /sbin/conf.d/SuSEconfig.man_info...
Executing /sbin/conf.d/SuSEconfig.news...
Executing /sbin/conf.d/SuSEconfig.perl...
Executing /sbin/conf.d/SuSEconfig.permissions...
Executing /sbin/conf.d/SuSEconfig.profiles...
Executing /sbin/conf.d/SuSEconfig.sendmail...
Executing /sbin/conf.d/SuSEconfig.sortpasswd...
Finished.

WARNING
=======
The following processes are accessing deleted files:
PID   COMMAND
18211 pluto
Please restart these processes to finish the update.
You can check for used files using the command
fou4s --checkdeleted (can be abbreviated with --checkd)
or using the command
lsof -n | grep RPMDELETE

<hostname>:~ # mk_initrd
using "/dev/hda3" as root device (mounted on "/" as "reiserfs")
creating initrd "/boot/initrd" for kernel "/boot/vmlinuz" (version 2.4.19-4GB)
- insmod reiserfs (kernel/fs/reiserfs/reiserfs.o)
creating initrd "/boot/initrd.shipped" for kernel "/boot/vmlinuz.shipped" (version 2.4.19-4GB)
- insmod reiserfs (kernel/fs/reiserfs/reiserfs.o)

Note that I use grub (the default for 8.1 as far as I know), this is the first time I use grub but from reading the docs I can't see any reason why I would have to rerun anything. Please correct me if I'm wrong here!

*reboot*

After the reboot, no go, same stuff:

Jul 28 11:52:02 <hostname> kernel: ipsec0: no IPv6 routers present
Jul 28 11:52:02 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 11:52:02 <hostname> kernel: ipsec4_rcv: incoming packet failed policy check; dropped
Jul 28 11:52:03 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 11:52:07 <hostname> kernel: NET: 7 messages suppressed.
Jul 28 11:52:07 <hostname> kernel: ipsec4_rcv: no policy for packet
Jul 28 11:52:12 <hostname> kernel: NET: 9 messages suppressed.

/root# rpm -qa | grep k_deflt
k_deflt-2.4.19-329
/root# rpm -qa | grep freeswan
freeswan-1.98_0.9.14-238
/root# rpm -qf /lib/modules/2.4.19-4GB/kernel/net/ipv4/ipsec/ipsec.o
k_deflt-2.4.19-329

Go back to the old kernel, I assume this is safe???

root# rpm -U --force k_deflt-2.4.19-110.i586.rpm
Please do not forget to run 'mk_initrd' after updating the kernel.
/root# mk_initrd
using "/dev/hda3" as root device (mounted on "/" as "reiserfs")
creating initrd "/boot/initrd" for kernel "/boot/vmlinuz" (version 2.4.19-4GB)
- insmod reiserfs (kernel/fs/reiserfs/reiserfs.o)
creating initrd "/boot/initrd.shipped" for kernel "/boot/vmlinuz.shipped" (version 2.4.19-4GB)
- insmod reiserfs (kernel/fs/reiserfs/reiserfs.o)
/root# rpm -U --force freeswan-1.98_0.9.14-72.i586.rpm
warning: /etc/ipsec.conf created as /etc/ipsec.conf.rpmnew
Leave old IPsec RSA signature key untouched.
/root# reboot

After reboot all is fine again (using the old rpms).

-- 
Daniel Nilsson
Principal Consultant
Signal Integrity Software Inc.
6 Clock Tower Place, Suite 250
Maynard, MA 01754
Phone: (978) 461-0449, ext 12
Cell: (508) 783-1379
http://www.sisoft.com
Roman,
So I tried to install the new packages once more, so here goes (from a working 8.1 system):
[snip]
Note that I use grub (the default for 8.1 as far as I know), this is the first time I use grub but from reading the docs I can't see any reason why I would have to rerun anything. Please correct me if I'm wrong here!
This is correct. Btw, grub is only default in a standard install, not with updates.
*reboot*
After the reboot, no go, same stuff:
I have done the same thing with my box, but my tunnels work just fine. Would I be asking too much if I asked you for your configuration file? Please XXX private stuff so that it remains unseen by the rest of the world. Sending it to me via PM is very fine. Thanks, Roman.
participants (4)
- Daniel Nilsson
- Markus Gaugusch
- Radu Voicu
- Roman Drahtmueller