[Openswan dev] Problems with netkey acquires.

Tuomo Soini tis at foobar.fi
Wed Mar 10 16:10:39 EST 2010


Tuomo Soini wrote:
> Tuomo Soini wrote:
>> Tuomo Soini wrote:
>>
>>> Seems like the code matching acquire to tunnel configuration is currently broken.
>> Just fyi, commit 00ed7490af2e9adc1a936d38693c872cea1e87ba did not fix
>> this issue on netkey.
> 
> David, do you have any idea what the problem is here?
> 
> With 2.6.24 you get acquire states which are shown in ipsec auto
> --status and never cleaned up.
> 
> It looks like your change "fixed" this but now these acquire states are
> inserted into xfrm policy directly without matching them to loaded conns.
> 

It seems like David's commit 00ed7490af2e9adc1a936d38693c872cea1e87ba
fixed part of the old acquire state handling problem but accidentally
triggered pluto to insert the wrong policy. I attached a debug log where
the situation is shown quite clearly. The only tunnel is 87.108.67.176/32 -
0.0.0.0/0 in this configuration.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: debuglog.txt
Url: http://lists.openswan.org/pipermail/dev/attachments/20100310/98fdc5ff/attachment.txt 

