Re: [Ipsec-tools-devel] generate_policy (road warrior) issues

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Tue, Jul 20, 2004 at 11:36:22AM +0200, Ard van Breemen wrote:
> So, I am just curious what has changed (I will eventually find
> it, but I will appreciate a kick in the right direction) to find
> out what causes racoon not to update the SPD's anymore.
> (Yes, yes, setkey -PF etc... I know, that's not really the issue,
> the policy is really generated, and then it expires)
Hmmm, currently testing:
racoon: 0.2.2
libipsec: 0.3.3
kernel: 2.6.7-rc2 vs 2.6.8-rc2

The most interesting part: it says it is *updating* the SPD, but
at the moment that appears, the SPD disappears, even though it
had 32 seconds life-time left.
A "patched" version of racoon 0.3.3 (the one that lies in
isakmp_quick about an SPD being available) exhibits the same
behaviour: as soon as it updates the SPD, it receives an
X_SPDUPDATE, and the SPD's dissappear.
Either something is wrong with my systems (debian sid, gcc 3.3.3
and gcc 3.3.4), or this might be the same kernel bug that has
been haunting me when I compiled with PREEMPT=y. (After the spd
times out, schedule is called within an atomic/spin_locked region.)

Just to let me know I am not insane: does anybody else have
problems with "generate_policy on" and expired SPD's?
Or for that matter: problems with temporary SPD's and kernel
2.6.7 and higher?
My working kernel is 2.4.24 with the backport as found in debian
unstable, and ipsec-tools 0.2.2. compiled against that kernel.
(No, I do not use RSA, so I don't think there were security bugs
to bite me).