http://bugzilla.novell.com/show_bug.cgi?id=619193

Summary: ipsec incompatibilities to previous versions
Classification: openSUSE
Product: openSUSE 11.3
Version: RC 1
Platform: All
OS/Version: openSUSE 11.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Release Notes
AssignedTo: ke@novell.com
ReportedBy: mt@novell.com
QAContact: coolo@novell.com
CC: agruen@novell.com
Found By: ---
Blocker: ---

There are two changes to kernel ipsec / strongswan that should IMO be mentioned in the release notes:

* Added required userland changes for proper SHA256 and SHA384/512 in ESP that will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now configures the kernel with 128 bit truncation, not the non-standard 96 bit truncation used by previous releases. To use the old 96 bit truncation scheme, the new "sha256_96" proposal keyword has been introduced.

When the user (updates from 11.2 or) configures ESP on 11.3, e.g. "esp=aes128-sha256" in a connection to a peer with an old kernel, the new and old kernels will be unable to communicate. AFAIS, there is no error or debug message visible about this.

The workaround is to modify the connections in the ipsec.conf of the new system to use the old/non-standard 96 bit truncation, e.g. "esp=aes128-sha256_96" as described above, or e.g. "esp=aes128-sha256_128" on the peer using the old kernel (when the old peer supports it).

The other fix is in strongswan:

* Fixed IPComp in tunnel mode, stripping out the duplicated outer header. This change makes IPcomp tunnel mode connections incompatible with previous releases; disable compression on such tunnels.
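
A check for the two incompatibilities described in this report, as an added example that is not part of the original report or of strongSwan: it scans ipsec.conf text for `esp=` proposals that use the bare "sha256"/"sha2_256" keyword and for tunnel-mode connections with compression enabled. The sample configuration and function names are constructed for illustration; it assumes the ipsec.conf `compress` and `type` keywords (with `type` defaulting to tunnel) and resolves `conn %default` inheritance only, not `also=`.

```python
import re

# Constructed sample ipsec.conf, not taken from the bug report.
SAMPLE_CONF = """\
conn %default
    compress=yes

conn to-old-peer
    esp=aes128-sha256,aes128-sha1

conn pinned
    esp=aes128-sha256_96!
    compress=no

conn transport-only
    type=transport
    esp=aes256-sha2_256
"""

AMBIGUOUS = {"sha256", "sha2_256"}  # truncation length differs between releases

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        match = re.match(r"conn\s+(\S+)", line)
        if match:
            current = conns.setdefault(match.group(1), {})
        elif line[0] in " \t" and "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None  # "config setup", "ca" or other non-conn section
    return conns

def audit(text):
    """List (conn, issue, detail) for settings affected by the two changes."""
    conns, findings = parse_conns(text), []
    defaults = conns.pop("%default", {})
    for name, own in conns.items():
        opts = {**defaults, **own}
        for proposal in opts.get("esp", "").rstrip("!").lower().split(","):
            if AMBIGUOUS & set(proposal.strip().split("-")):
                findings.append((name, "esp-sha256-truncation", proposal.strip()))
        if opts.get("compress") == "yes" and opts.get("type", "tunnel") == "tunnel":
            findings.append((name, "ipcomp-tunnel", "compress=yes"))
    return findings
```

Connections flagged as `esp-sha256-truncation` are the ones to pin to "sha256_96" or "sha256_128" as the report describes; `ipcomp-tunnel` marks tunnels where compression should be disabled when the peer runs a previous release.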