Greetings,
This seems to be the right place for Linux 2.6 ipsec issues:
Linux 2.6.10 + Virtual Server 1.9.4 + Patrick's IPSEC Netfilter patches
i386 & amd64 (same source for both)
Debian Racoon & ipsec-tools 0.5-4
Setting policies using setkey (not using racoon-tool)
Using both transport and tunnels
Problem:
===# setkey -D | grep '^[0-9]' | wc -l
recv: Resource temporarily unavailable
443
===# setkey -D | grep mature | wc -l
recv: Resource temporarily unavailable
443
===# setkey -D | grep tunnel | wc -l
recv: Resource temporarily unavailable
18
===# setkey -D | grep transport | wc -l
recv: Resource temporarily unavailable
425
===# ps auwx | grep racoon
root 17722 3.8 2.0 178268 168252 ? Ss Mar20 28:39
/usr/sbin/racoon
===# setkey -D -P | grep '^[0-9]' | wc -l
34
===# setkey -D -P | grep transport | wc -l
20
===# setkey -D -P | grep tunnel | wc -l
14
I've seen the number of tunnel SADs go up a bunch too on another
machine. I see that there have been some changes in 2.6.11.3 (or so?)
wrt IPSEC and __xfrm_state_find_acq_byseq(); would that likely fix
this problem? I don't tend to use /unique:x but rather /require in
my policies; would changing that fix this? I had originally been
using a /24 for my transport policy and thought changing that to be a
bunch of /32 policies for the specific machines I'm talking to would
help; it didn't.
Occasionally (generally when I first get ipsec going between a couple of
machines) I see pmtu problems which kill that ssh, but after that it
works. Not a big deal, but I see a lot of MTU discussion and patches;
is that expected to be in 2.6.12?
Thanks for any help,
Stephen
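The grep pipelines in the post give totals only; when the SAD keeps growing it is more useful to know which peer pairs are accumulating SAs and in what state. The script below is an added example, not part of the post or of ipsec-tools: it parses the record format that `setkey -D` prints (a "src dst" header line followed by indented lines carrying `mode=` and `state=` fields) and groups the entries per (src, dst, mode). The embedded dump is constructed sample data with made-up addresses, SPIs and keys, not output from the poster's hosts; on a real box you would feed it `setkey -D` output instead.

```python
"""Summarise a `setkey -D` dump: SAs per mode, per state and per peer pair."""
import re
import sys
from collections import Counter

# Constructed sample in the ipsec-tools `setkey -D` record format.
# Addresses, SPIs and key material are made up; the "recv:" line mimics the
# warning setkey prints to the terminal and is not part of any SA record.
SAMPLE_SAD = "\n".join([
    "recv: Resource temporarily unavailable",
    "192.0.2.10 192.0.2.20",
    "\tesp mode=transport spi=305419896(0x12345678) reqid=0(0x00000000)",
    "\tE: aes-cbc  00112233445566778899aabbccddeeff",
    "\tA: hmac-sha1  00112233445566778899aabbccddeeff00112233",
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature",
    "\tcreated: Mar 20 10:00:00 2005\tcurrent: Mar 21 09:00:00 2005",
    "\tsadb_seq=3 pid=17722 refcnt=0",
    "192.0.2.10 192.0.2.20",
    "\tesp mode=transport spi=305419897(0x12345679) reqid=0(0x00000000)",
    "\tE: aes-cbc  ffeeddccbbaa99887766554433221100",
    "\tA: hmac-sha1  ffeeddccbbaa99887766554433221100ffeeddcc",
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature",
    "\tsadb_seq=2 pid=17722 refcnt=0",
    "192.0.2.20 192.0.2.10",
    "\tesp mode=transport spi=0(0x00000000) reqid=0(0x00000000)",
    "\tseq=0x00000000 replay=0 flags=0x00000000 state=larval",
    "\tsadb_seq=1 pid=17722 refcnt=0",
    "198.51.100.1 203.0.113.1",
    "\tesp mode=tunnel spi=4660(0x00001234) reqid=1(0x00000001)",
    "\tE: 3des-cbc  0123456789abcdef0123456789abcdef0123456789abcdef",
    "\tA: hmac-md5  0123456789abcdef0123456789abcdef",
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature",
    "\tsadb_seq=0 pid=17722 refcnt=0",
])

# A record opens with an unindented "src dst" line (ports may be appended in
# brackets for UDP-encapsulated SAs, which still leaves exactly two tokens).
HEADER = re.compile(r"^(\S+) (\S+)$")
# Fields we keep from the indented lines; the first occurrence per record wins.
FIELD = re.compile(r"\b(mode|state|spi)=(\S+)")


def parse_sad(text):
    """Return one dict per SA: src, dst and, where present, mode/state/spi."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            entries.append(cur)
            continue
        if cur is None:
            continue  # text before the first record (e.g. the recv: warning)
        for key, val in FIELD.findall(line):
            cur.setdefault(key, val)
    return entries


def summarize(entries):
    """Totals comparable to the grep counts in the post, but keyed on fields."""
    return {
        "total": len(entries),
        "by_mode": Counter(e.get("mode", "?") for e in entries),
        "by_state": Counter(e.get("state", "?") for e in entries),
    }


def crowded_peers(entries, threshold):
    """(src, dst, mode, count) for peer pairs holding more than `threshold` SAs.

    A steady rekey cycle leaves a small number of SAs per pair; a pair with many
    mature SAs is the first thing to inspect when the SAD count keeps climbing.
    """
    per_pair = Counter((e["src"], e["dst"], e.get("mode", "?")) for e in entries)
    return sorted((s, d, m, n) for (s, d, m), n in per_pair.items() if n > threshold)


if __name__ == "__main__":
    # Read a real dump from stdin (e.g. `setkey -D | python3 sad_summary.py`)
    # or fall back to the constructed sample when run without input.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SAD
    sas = parse_sad(dump)
    print(summarize(sas))
    for src, dst, mode, n in crowded_peers(sas, 2):
        print(f"{src} -> {dst} ({mode}): {n} SAs")
```

The per-pair view is what distinguishes "many peers, one SA each" from "a few peers, hundreds of SAs each"; only the latter points at SAs that are created on every rekey or acquire and never expire. Running the script periodically and diffing the output also shows whether the growth is steady or bursts around the times racoon negotiates.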