Problems with k_deflt-2.4.19-329 and IPSEC
  • From: Daniel Nilsson <dnilsson@xxxxxxxxxx>
  • Date: Tue, 22 Jul 2003 17:08:00 -0400
  • Message-id: <3F1DA7B0.2010700@xxxxxxxxxx>

I upgraded two firewalls to use the new kernel package k_deflt-2.4.19-329 this morning. The upgrade worked fine and the IPSEC tunnel through these firewalls worked fine for a while (about 6 hours). Now the tunnels are down and won't come up again; the kernel is complaining in /var/log/messages:

Jul 22 10:55:12 <hostname> pluto[1273]: "maynard-walter" #8: initiating Main Mode to replace #7
Jul 22 10:55:45 <hostname> pluto[1273]: "maynard-walter" #8: ERROR: asynchronous network error report on eth0 for message to <remote ipsec gateway address> port 500, complainant <local firewall ip address>: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

and then later on:

Jul 22 14:02:30 <hostname> kernel: ; found spi=0x983262c7, dst=XXX.XXX.XXX.XXX, proto=3/ESP
Jul 22 14:02:30 <hostname> kernel: ipsec4_rcv: incoming packet failed policy check; dropped

When I try to restart ipsec, I see the following messages:

/root# /etc/init.d/ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
ipsec_setup: Using /lib/modules/2.4.19-4GB/kernel/net/ipv4/ipsec/ipsec.o
ipsec_setup: /usr/lib/ipsec/_startklips: line 269: /proc/sys/net/ipsec/inbound_policy_check: No such file or directory

I have reverted back to the old kernel; hopefully that will be stable again. Since both machines I upgraded showed that same fault at about the same time, I blame the new kernel... Any thoughts?

Daniel Nilsson
Signal Integrity Software Inc.

