Package IPsec-tools contains some utilities to manipulate IPsec connections with Linux-2.6. These tools were ported to Linux from BSD/KAME by Derek Atkins.

Please see the IPsec-tools homepage at SourceForge.net.

Instructions on how to check-out the CVS version are available here.

IPsec-tools release tarballs can be obtained here.

Local downloads

IPsec NAT in linux 2.6
Incomplete HowTo
Resource temporarily unavailable - solution
Linux kernel 2.6.x returns the error EAGAIN when an SPD rule requires an IPsec connection but no SA is in place. In such a case racoon is woken up to negotiate the SA with the peer, but the connect(2), sendto(2), ... syscalls return with EAGAIN immediately. This patch inverts the default behaviour of the kernel so that the syscall blocks until an appropriate SA is in place. In most setups this is what is wanted. In fact I suspect the current kernel code was meant to do this, but it contains a simple typo that makes it do the opposite ;-)
Download: kernel-xfrm-block.diff
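Added example (not code from IPsec-tools, from the patch, or from the page author): how an application on an unpatched 2.6 kernel can cope with the EAGAIN described above by retrying a blocking sendto(2) while racoon negotiates the SA, instead of treating the transient condition as a hard failure. The retry budget, the fake_op stand-in and all function names are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* An I/O operation: returns -1 with errno set on failure, >= 0 on success. */
typedef ssize_t (*io_op_t)(void *ctx);

/* Retry op while it reports EAGAIN (SA not yet negotiated).  Returns the
 * op's result, or -1 with errno == EAGAIN once max_tries is exhausted. */
ssize_t retry_while_sa_pending(io_op_t op, void *ctx, int max_tries,
                               unsigned int backoff_us)
{
    int tries = 0;
    for (;;) {
        ssize_t r = op(ctx);
        if (r >= 0 || errno != EAGAIN)
            return r;            /* success, or an error we must not mask */
        if (++tries >= max_tries) {
            errno = EAGAIN;      /* racoon still has no SA in place */
            return -1;
        }
        usleep(backoff_us);      /* give the IKE exchange time to finish */
    }
}

/* Real use: a blocking UDP sendto(2) behind a "require" SPD rule. */
struct sendto_args { int fd; const void *buf; size_t len;
                     const struct sockaddr *dst; socklen_t dstlen; };

static ssize_t do_sendto(void *ctx) {
    struct sendto_args *a = ctx;
    return sendto(a->fd, a->buf, a->len, 0, a->dst, a->dstlen);
}

ssize_t sendto_wait_sa(int fd, const void *buf, size_t len,
                       const struct sockaddr *dst, socklen_t dstlen)
{
    struct sendto_args a = { fd, buf, len, dst, dstlen };
    return retry_while_sa_pending(do_sendto, &a, 50, 100000); /* ~5 s budget */
}

/* Constructed stand-in for offline testing: reports EAGAIN `pending` times. */
struct fake_ctx { int pending; int calls; };
ssize_t fake_op(void *ctx) {
    struct fake_ctx *f = ctx;
    f->calls++;
    if (f->pending-- > 0) { errno = EAGAIN; return -1; }
    return 42;
}
```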
Place for your feedback...
4th October 2004 at 12:19
kernel-xfrm-block.diff Kernel Crash

Using SuSE 9.1 Pro, with the latest YOU updates. Kernel 2.6.5-7.108-default.

I applied the patch manually. At first it appeared to behave as expected, queueing the packets. However if data was flowing through the connection and racoon, version 0.3.3-1.2 supplied as part of SuSE install and updated using YOU, was restarted there would be a complete crash. No messages relating to the crash appeared in the messages file, even with the debug turned on in the racoon.conf. Other debug messages were seen OK. This was repeatable.

As a workaround I have a simple way to bring the tunnels up ready by re-reading the setkey.conf file. This only works if the entry is for udp or any. If for example the entry is for tcp it doesn't work.

When excepting icmp there appears to be a difference between using ping and fping on the machine that is the gateway. If ping is used it appears that it considers it to be initially udp and tries to set up a tunnel, then sends the ping requests in the clear. If fping is used then it behaves correctly! I'll put this on the main mailing list with details of the test config file.

SuSE do not appear to have fixed the spddelete bug in the kernel module. I am now using the latest vanilla kernel that has the fix. I haven't tried applying the patch to this to queue the packets, as I'm not aware of any other differences that would affect this.

Oct 4   12:19 kernel-xfrm-block.diff Kernel Crash (by Bob Martin)
Apr 13   12:25 kernel-xfrm-block.diff causes repeateable kernel crash (by Konstantin Shemyak)