Mark Devin wrote:
I have been running a custom compiled 2.4.21 kernel using the kernel
source package from Adrian Bunk's site on Woody. I had an ipsec link
set up and it was working well using the Kame implementation which
Debian has backported into the 2.4.21 kernel sources.
I just recompiled my kernel today with the latest 2.4.21 kernel
source deb (from Adrian Bunk's site). Now setkey refuses to load my
policies which are unchanged from what was working before.
Does anyone have any idea how to fix this?
Here are the contents of the file I am passing to setkey:
------------------------------
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.99.0/24[any] 192.168.99.0/24[any] any
-P out ipsec esp/tunnel/192.168.1.1-192.168.1.74/require;
spdadd 192.168.99.0/24[any] 192.168.99.0/24[any] any
-P in ipsec esp/tunnel/192.168.1.74-192.168.1.1/require;
------------------------------
And here are the errors setkey produces:
------------------------------
# setkey -f /etc/ipsec.conf
The result of line 6: Invalid argument.
The result of line 9: Invalid argument.
------------------------------
I have tried recompiling ipsec-tools from unstable sources. I also
made sure the 2.4.21 kernel headers were being used during the
compile process for the ipsec-tools package by ensuring the configure
script was passed the appropriate --with-kernel-headers parameter in
debian/rules.
Any other ideas?
Actually, it seems to only not work when trying to specify a policy to
require tunnel mode. I can load transport policies OK with setkey.
However, tunnel mode policies fail with setkey returning "Invalid
argument".
A couple of people have suggested that putting a '\' line continuation
escape character at the end of the first line of each policy may correct
the problem. Unfortunately this doesn't work and setkey just complains
of a parse error with this.
I am fairly certain that this is a bug in this 2.4.21 kernel source
release since my previous 2.4.21 kernel compiled with the same config
worked fine. I haven't changed the file I pass to setkey or my
racoon.conf. Also, I note that setkey seems to work OK if policies for
transport mode are used, but fails on tunnel mode policies.
Just replying to myself again for the benefit of any list readers having
similar problems.
There is a bug in the 2.4.21 kernel causing this problem. The 2.4.22
kernel works fine.
Also make sure that the ipsec-tools package is compiled against the 2.4.22
kernel headers. This can be done by editing the debian/rules script and
setting the --with-kernel-headers parameter correctly.
Regards.
Mark.