Error in IPSEC logs

peterclark4

Hi,

I am getting the following error in the IPSEC VPN log:

racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)

After this error occurs the Phase 2 then re-negotiates.

I have found the following after a quick Google if it helps: http://lists.freebsd.org/pipermail/freebsd-bugs/2008-February/028657.html

Peter

sullrich

We already have that patch:

lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2);
        lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
        lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
        lt->sadb_lifetime_allocations = 0;
        lt->sadb_lifetime_bytes = 0;
        lt->sadb_lifetime_addtime = sp->lifetime;
        lt->sadb_lifetime_usetime = sp->validtime;

peterclark4

I'm running 1.2.1-RC2 built on Wed Nov 19 22:29:39 EST 2008 and am getting this error.

This was a tunnel running between two 1.2 Release machines that was working fine with no errors. I have upgraded one of them to 1.2.1-RC2 and the RC2 machine gets this error.

peterclark4

Just to confirm that I get this error whenever the Phase2 Lifetime expires on the 1.2.1 RC2 machine.

The 1.2 Release machine just processes a new Phase2 request as normal without any errors.

sullrich

I commited a fix yesterday.  Please try a new snapshot:

http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/pfSense-Full-Update-1.2.1-RC2-20081126-1732.tgz

peterclark4

I have now loaded the snapsho and am running 1.2.1-RC2 built on Wed Nov 26 17:32:19 EST 2008.

I will check the IPSEC logs later when the Phase2 expires.

peterclark4

I'm sorry to report that I still get the error Message.

On the positive, I only get the message once now and it is only leaving SAD entry.

peterclark4

@peterclark4:

On the positive, I only get the message once now and it is only leaving SAD entry.

Scrap that, 1.2.1-RC2 built on Wed Nov 26 17:32:19 EST 2008 is exhibiting exactly the same as the original RC2 release.

peterclark4

I have upgraded to  1.2.1-RC2 built on Thu Dec 11 06:43:35 EST 2008 and am still getting these error messages.

When it re-negotiates it seems to leave the old SAD entries rather than deleting them.

peterclark4

The latest snapshot : 1.2.1-RC3 built on Mon Dec 15 05:25:39 EST 2008 exhibits the same behaviour.

sullrich

Sorry, cannot reproduce this one.