Re: ipsec setkey and 2.4.21 kernel

To: debian-security@lists.debian.org
Subject: Re: ipsec setkey and 2.4.21 kernel
From: Mark Devin <mdevin@ozemail.com.au>
Date: Fri, 03 Oct 2003 23:10:40 +1000
Message-id: <[🔎] 3F7D7550.1050507@ozemail.com.au>
In-reply-to: <[🔎] 3F7BE110.8090309@ozemail.com.au>
References: <[🔎] 3F7BD5AD.5060207@ozemail.com.au> <[🔎] 3F7BE110.8090309@ozemail.com.au>

Mark Devin wrote:

Mark Devin wrote:
I have been running a custom compiled 2.4.21 kernel using the kernelsource package from Adrian Bunk's site on Woody. I had an ipsec linksetup and it was working well using the Kame implementation whichdebian has backported into the 2.4.21 kernel sources.
I just recompiled my kernel today with the latest 2.4.21 kernel sourcedeb (from Adrian Bunk's site). Now setkey refuses to load my policieswhich are unchanged from what was working before.
Does anyone have any idea how to fix this?

Here is the contents of the file I am passing to setkey:
------------------------------
#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd 192.168.99.0/24[any] 192.168.99.0/24[any] any
        -P out ipsec esp/tunnel/192.168.1.1-192.168.1.74/require;

spdadd 192.168.99.0/24[any] 192.168.99.0/24[any] any
        -P in ipsec esp/tunnel/192.168.1.74-192.168.1.1/require;
------------------------------
And here is the errors setkey produces:
------------------------------
# setkey -f /etc/ipsec.conf
The result of line 6: Invalid argument.
The result of line 9: Invalid argument.
------------------------------
I have tried recompiling ipsec-tools from unstable sources. I alsomade sure the 2.4.21 kernel headers were being used during the compileprocess for the ipsec-tools package by ensuring the configure scriptwas passed the appropriate --with-kernel-headers parameter indebian/rules.
Any other ideas?
Actually, it seems to only not work when trying to specify a policy torequire tunnel mode. I can load transport policies OK with setkey.However, tunnel mode policies fail with setkey returning "Invalidargument".

A couple of people have suggested that putting a '\' line continuationescape character at the end of the first line of each policy may correctthe problem. Unfortunately this doesn't work and setkey just complainsof a parse error with this.

I am fairly certain that this is a bug in this 2.4.21 kernel sourcerelease since my previous 2.4.21 kernel compiled with the same configworked fine. I haven't changed the file I pass to setkey or myracoon.conf. Also, I note that setkey seems to work OK if policies fortransport mode are used, but fails on tunnel mode policies.


Regards.
Mark.

Reply to:

Follow-Ups:
- Re: ipsec setkey and 2.4.21 kernel
  - From: Mark Devin <mdevin@ozemail.com.au>

References:
- ipsec setkey and 2.4.21 kernel
  - From: Mark Devin <mdevin@ozemail.com.au>
- Re: ipsec setkey and 2.4.21 kernel
  - From: Mark Devin <mdevin@ozemail.com.au>

Prev by Date: Re: ipsec setkey and 2.4.21 kernel
Next by Date: GET http://someStrangeOrExternalDomain.com
Previous by thread: Re: ipsec setkey and 2.4.21 kernel
Next by thread: Re: ipsec setkey and 2.4.21 kernel
Index(es):
- Date
- Thread