[Openswan dev] recent regression on #public
bart at jukie.net
Sat Aug 5 15:02:11 CEST 2006
I updated my #public and noticed that things stopped working.
After a simple ESP tunnel is set up, if I ping east->west, on west I see:
KLIPS klips_error:ipsec_rcv: got packet with esplen = 104 from 192.168.20.2 -- should be on ENC(12) octet boundary, packet dropped
A bisect narrowed it down to:
dc5a0c988f39d772d31876d15f2c894e71def3cc is first bad commit
Author: Michael Richardson <mcr at xelerance.com>
Date: Thu Aug 3 21:17:45 2006 -0400
east-icmp-01 test case revealed that the refcount was too high, and that the ref
was not getting initialized at all. There was no call to ipsec_sa_intern(), and
there was a missing ipsec_sa_put().
Signed-off-by: Michael Richardson <mcr at xelerance.com>
:040000 040000 9c60c3df5cac507c55160b95554ecebb2f7ac14f 09e784df26dadfe235cbe7ded8d0bc25e5cf6e67 M linux
I can fix it by removing the first two hunks of the patch...
git diff dc5a0c988f39d772d31876d15f2c894e71def3cc~1..dc5a0c988f39d772d31876d15f2c894e71def3cc \
| filterdiff -p1 -i linux/net/ipsec/aes/ipsec_alg_aes.c -i linux/net/ipsec/des/ipsec_alg_3des.c \
| patch -p1 -R
... and now I can ping from east to west again.
I don't really understand the issue yet, but it seems to work when AES and 3DES
have their ipsec_alg_auth::ixt_common::ixt_support::ias_ivlen set to 0. Commit
dc5a0c988f39d772d31876d15f2c894e71def3cc sets them to 64.
I am going to remove these from my local repo so that I can still get
some work done, but I don't want to make a global change in case these
should really be in there.