From: Patrick McHardy <kaber@trash.net>
To: lists@naasa.net
Cc: linux-kernel@vger.kernel.org
Subject: Re: Kernel 2.6.10 with IPSEC problems?
Date: Sun, 26 Dec 2004 16:39:23 +0100
Message-ID: <41CEDB2B.7080309@trash.net>
In-Reply-To: <200412261553.24178.lists@naasa.net>

Joerg Platte wrote:
> Hi!
>
> After an upgrade from 2.6.9 to 2.6.10 my IPSEC tunnel does not work as usual.
> My computer and the VPN-gateway can negotiate and build a tunnel and packets
> can use the tunnel. But then packets which must be routed get lost somewhere
> inside the kernel. tcpdump shows them first encrypted in ESP packets and then
> the unencrypted payload on the same interface. But they do not leave the
> kernel on the destination interface. Only packets with my computer as
> destination are processed. I did not change my IPSEC configuration and the
> kernel was configured using "make oldconfig".
>
> Is there a problem in the routing layer somewhere inside the kernel or an
> internal change which requires a configuration change on my side? How can I
> determine, where and why the packets inside the kernel are thrown away?
>
> To verify the problem I built a 2.6.10 kernel on the VPN gateway. And this
> kernel seems to have the same problem. Previously encrypted packets are not
> routed to the destination.
>
> Downgrading to 2.6.9 solved the problem in both cases...

Since Linux 2.6.10-rcX, packets from a tunnel-mode SA are dropped if
no policy exists. You most likely only have an input policy, but no
forward policy. If you use setkey to configure your policies,
duplicate the input policy and replace "-P in" with "-P fwd". If you
let racoon generate the policy you need to upgrade to the latest
version. pluto should already get it right.

Regards
Patrick

>
> Regards,
> Jörg
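
The setkey fix described in the reply above, as an added example that is not part of the original message: a small checker that reads a setkey configuration, finds tunnel-mode "-P in" policies with no matching "-P fwd" policy, and emits the missing statements. The function names and the sample configuration (documentation address ranges) are constructed for illustration; the parser assumes plain `spdadd src dst upperspec -P dir ...;` statements without option flags.

```python
import re

# Constructed sample setkey.conf: out and in policies only, no fwd policy.
SAMPLE_CONF = """\
flush;
spdflush;
# traffic from the local net into the tunnel
spdadd 192.0.2.0/24 198.51.100.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-203.0.113.2/require;
# traffic arriving from the tunnel
spdadd 198.51.100.0/24 192.0.2.0/24 any -P in ipsec
    esp/tunnel/203.0.113.2-203.0.113.1/require;
"""

# One spdadd statement: selector (src, dst, upper-layer spec), direction, policy.
SPDADD = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<dir>in|out|fwd)\s+(?P<rest>[^;]*);"
)


def parse_policies(conf):
    """Return every spdadd statement in conf as a dict, ignoring '#' comments."""
    conf = re.sub(r"#.*", "", conf)
    return [m.groupdict() for m in SPDADD.finditer(conf)]


def missing_fwd(conf):
    """Return spdadd lines for tunnel-mode 'in' policies that lack a 'fwd' twin."""
    policies = parse_policies(conf)
    have_fwd = {(p["src"], p["dst"], p["proto"])
                for p in policies if p["dir"] == "fwd"}
    fixes = []
    for p in policies:
        selector = (p["src"], p["dst"], p["proto"])
        if p["dir"] == "in" and "/tunnel/" in p["rest"] and selector not in have_fwd:
            policy = " ".join(p["rest"].split())  # collapse the line continuation
            fixes.append(
                f"spdadd {p['src']} {p['dst']} {p['proto']} -P fwd {policy};")
    return fixes


if __name__ == "__main__":
    for line in missing_fwd(SAMPLE_CONF):
        print(line)
```
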