IPsec-tools

Package IPsec-tools contains some utilities to manipulate IPsec connections with Linux-2.6. These tools were ported to Linux from BSD/KAME by Derek Atkins.

Please see the IPsec-tools homepage at SourceForge.net.

Instructions on how to check-out the CVS version are available here.

IPsec-tools release tarballs can be obtained here.

Local downloads

IPsec NAT in linux 2.6
Incomplete HowTo
Resource temporarily unavailable - solution
Linux kernel 2.6.x returns the error EAGAIN when an SPD rule requires an IPsec connection but no SA is in place. In such a case racoon is woken up to negotiate the SA with the peer, but the connect(2), sendto(2), ... syscalls return with EAGAIN immediately. This patch inverts the default behaviour of the kernel to block the syscall until an appropriate SA is in place. In most setups this is wanted. In fact I suspect the current kernel code was meant to do this, but it contains a simple typo that lets it do the opposite ;-)
Download: kernel-xfrm-block.diff
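Where the kernel cannot be patched, an application can absorb the EAGAIN itself by retrying the send while racoon negotiates the SA. The C code below is an added example, not part of kernel-xfrm-block.diff or of IPsec-tools; the names `sendto_wait_sa` and `fake_sendto`, the backoff values, and the stub that simulates the unpatched kernel are assumptions made for illustration.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Same signature as sendto(2), so the real call or a stub can be passed in. */
typedef ssize_t (*sendto_fn)(int, const void *, size_t, int,
                             const struct sockaddr *, socklen_t);

/* Retry a send that fails with EAGAIN while the SA is still being negotiated.
 * Assumes a blocking socket, where EAGAIN cannot mean "send buffer full".
 * Backoff is 10, 20, 40 ... ms (capped at 200) up to max_wait_ms in total. */
ssize_t sendto_wait_sa(sendto_fn fn, int fd, const void *buf, size_t len,
                       const struct sockaddr *to, socklen_t tolen,
                       int max_wait_ms, int *attempts)
{
    int delay_ms = 10, waited_ms = 0;
    for (*attempts = 1; ; (*attempts)++) {
        ssize_t n = fn(fd, buf, len, 0, to, tolen);
        if (n >= 0 || errno != EAGAIN)
            return n;                 /* sent, or an unrelated error */
        if (waited_ms >= max_wait_ms) {
            errno = EAGAIN;           /* still no SA: report the original error */
            return -1;
        }
        poll(NULL, 0, delay_ms);      /* plain sleep while racoon negotiates */
        waited_ms += delay_ms;
        if ((delay_ms *= 2) > 200) delay_ms = 200;
    }
}

/* Constructed stub standing in for an unpatched kernel: fails fake_left times. */
static int fake_left = 3, fake_errno = EAGAIN;
static ssize_t fake_sendto(int fd, const void *b, size_t len, int fl,
                           const struct sockaddr *to, socklen_t tl)
{
    (void)fd; (void)b; (void)fl; (void)to; (void)tl;
    if (fake_left > 0) { fake_left--; errno = fake_errno; return -1; }
    return (ssize_t)len;
}

int main(void)
{
    int tries;
    ssize_t n = sendto_wait_sa(fake_sendto, -1, "ping", 4, NULL, 0, 1000, &tries);
    printf("sent %zd bytes after %d attempts\n", n, tries);
    return n == 4 ? 0 : 1;
}
```

In real use the first argument is `sendto` itself and `fd` is an open blocking socket; errors other than EAGAIN are returned to the caller unchanged.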
Place for your feedback...
13th April 2006 at 12:25
kernel-xfrm-block.diff causes repeatable kernel crash
Hi Michal!

First - thank you very much for this "Resource temporarily unavailable" patch. I am using it now and I do not understand why it is still not in the main kernel trunk.

Second. I am getting repeatable crashes with the patch. The kernel oops messages are at
http://konstantin.shemyak.com/tmp/kernel-xfrm-block-crash.txt

This happens when issuing the setkey command on a machine whose IPSec peer is behind *a slow network*. No crashes were noticed with normal Ethernet, but when the packets from the peer are delayed/dropped (artificially, at the gateway machine), a crash happens about every 10th call of setkey.

No crashes were observed with an unpatched kernel, although the test could not be repeated 100% the same (because of that EAGAIN).

Kernels tried are 2.6.16-2 and 2.6.9-22.

If you are not planning to solve/look at this problem, could you please suggest someone else "whom to complain" to, or maybe give a pointer where to look for the problem - I am very much willing to get this to work.

Thank you!
Oct 4   12:19 kernel-xfrm-block.diff Kernel Crash (by Bob Martin)
Apr 13   12:25 kernel-xfrm-block.diff causes repeatable kernel crash (by Konstantin Shemyak)