
Hi!

On Mon, 28 Jun 2004, Alexander Maier wrote:

> We have problems with the 2.4 update. We have 2 8.2 systems with problems with the latest 8.2 kernel k_deflt-2.4.20-113.i586.rpm. Since the kernel update, freeswan1.99 with nat-traversal enabled won't work anymore. A downgrade to the previous kernel k_deflt-2.4.20-111.i586.rpm solved the problem. I filled out a bug report at the suse homepage some days ago, but no feedback.
>
> Here is a cut of the logfile:
>
> Jun 17 07:38:27 x0070 pluto[845]: ERROR: "dhcp2"[1] 217.187.55.237:4500 #10: pfkey write() of SADB_ADD message 25 for Add ESP SA esp.4b3171fc@62.xxx.xxx.xx failed. Errno 22: Invalid argument

I think this message means that the ipsec.o kernel module and Pluto (the userspace daemon which is part of the freeswan RPM) are "out of sync". I got exactly this message (same SuSE, same kernel) after I upgraded the freeswan RPM from http://www.suse.de/~garloff/linux/FreeSWAN/ without upgrading the ipsec.o module; after installing the matching km_freeswan and recompiling it, everything went smoothly.

Note: I had to upgrade because NAT traversal does *not* work correctly with plain k_deflt-2.4.20-111! In particular, when connecting to a Win2000/WinXP client behind a NAT router, freeswan still uses protocol 50 for encrypted traffic, while it *should* use UDP port 4500 instead; in some situations it might still work, but I don't count on it... (Depends on the router, I think - if it does NAT on protocol 50, it will work, otherwise it won't.)

I didn't update the box in question yet, so I can only theorize: perhaps SuSE finally updated ipsec.o, but forgot to update the userspace tools? In that case, the freeswan RPM on http://www.suse.de/~garloff/linux/FreeSWAN/ might work...

Martin
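
Added example, not part of the original message or of FreeS/WAN: a small triage script that pulls pluto's pfkey write() failures out of a syslog excerpt and groups them by connection, message type, errno and whether the peer is on the NAT-T port. The regex is modelled only on the single log line quoted in the thread; the other sample lines are constructed, and the hint text restates the reply's hypothesis rather than a confirmed diagnosis.

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the line quoted in the thread; the other
# two lines are made up for this example (documentation-range addresses).
SAMPLE_LOG = """\
Jun 17 07:38:27 x0070 pluto[845]: ERROR: "dhcp2"[1] 217.187.55.237:4500 #10: pfkey write() of SADB_ADD message 25 for Add ESP SA esp.4b3171fc@62.xxx.xxx.xx failed. Errno 22: Invalid argument
Jun 17 07:39:00 x0070 pluto[845]: "dhcp2"[1] 217.187.55.237:4500 #10: constructed non-error line
Jun 17 07:40:02 x0070 pluto[845]: ERROR: "dhcp2"[2] 192.0.2.10:4500 #12: pfkey write() of SADB_ADD message 31 for Add ESP SA esp.0a1b2c3d@198.51.100.7 failed. Errno 22: Invalid argument
"""

# Shape of pluto's pfkey failure line as quoted in the thread.
PFKEY_FAIL = re.compile(
    r'pluto\[\d+\]: ERROR: "(?P<conn>[^"]+)"(?:\[\d+\])? '
    r'(?P<peer>[\d.]+)(?::(?P<port>\d+))? #(?P<state>\d+): '
    r'pfkey write\(\) of (?P<msg>SADB_\w+) message \d+ for (?P<what>.+?) '
    r'failed\. Errno (?P<errno>\d+): (?P<errstr>.+)$'
)

def parse_failures(text):
    """Return one dict per pfkey write() failure found in the log text."""
    out = []
    for line in text.splitlines():
        m = PFKEY_FAIL.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["errno"] = int(rec["errno"])
        rec["port"] = int(rec["port"]) if rec["port"] else None
        # UDP 4500 is the NAT-T port mentioned in the thread.
        rec["nat_t"] = rec["port"] == 4500
        out.append(rec)
    return out

def hint(rec):
    """Map a failure to the explanation proposed in the reply (a hypothesis)."""
    if rec["msg"] == "SADB_ADD" and rec["errno"] == 22:
        return "kernel rejected the SA: check that ipsec.o and pluto match"
    return "unclassified pfkey failure"

def summarize(text):
    """Count failures per (connection, message type, errno, NAT-T flag)."""
    return Counter((r["conn"], r["msg"], r["errno"], r["nat_t"])
                   for r in parse_failures(text))

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```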