[Openswan dev] recent regression on #public

Bart Trojanowski bart at jukie.net
Sat Aug 5 15:02:11 CEST 2006


I updated my #public and noticed that things stopped working.

After a simple ESP tunnel is set up, if I ping east->west, on west I see:

        KLIPS klips_error:ipsec_rcv: got packet with esplen = 104 from 192.168.20.2 -- should be on ENC(12) octet boundary, packet dropped

A bisect narrowed it down to:

        dc5a0c988f39d772d31876d15f2c894e71def3cc is first bad commit
        commit dc5a0c988f39d772d31876d15f2c894e71def3cc
        Author: Michael Richardson <mcr at xelerance.com>
        Date:   Thu Aug 3 21:17:45 2006 -0400

            east-icmp-01 test case revealed that the refcount was too high, and that the ref
            was not getting initialized at all. There was no call to ipsec_sa_intern(), and
            there was a missing ipsec_sa_put().
            
            Signed-off-by: Michael Richardson <mcr at xelerance.com>

        :040000 040000 9c60c3df5cac507c55160b95554ecebb2f7ac14f 09e784df26dadfe235cbe7ded8d0bc25e5cf6e67 M      linux

I can fix it by removing the first two hunks of the patch...

        git diff dc5a0c988f39d772d31876d15f2c894e71def3cc~1..dc5a0c988f39d772d31876d15f2c894e71def3cc \
        | filterdiff -p1 -i linux/net/ipsec/aes/ipsec_alg_aes.c -i linux/net/ipsec/des/ipsec_alg_3des.c \
        | patch -p1 -R

... and now I can ping from east to west again.

I don't really understand the issue yet, but it seems to work when AES and 3DES 
have their ipsec_alg_auth::ixt_common::ixt_support::ias_ivlen set to 0.  Commit
dc5a0c988f39d772d31876d15f2c894e71def3cc sets them to 64.

I am going to remove these from my local repo so that I can still get
some work done, but I don't want to make a global change in case these
should really be in there.

Cheers!
-Bart

-- 
				WebSig: http://www.jukie.net/~bart/sig/