Error in IPSEC logs
-
Hi,
I am getting the following error in the IPSEC VPN log:
racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
After this error occurs the Phase 2 then re-negotiates.
I have found the following after a quick Google if it helps: http://lists.freebsd.org/pipermail/freebsd-bugs/2008-February/028657.html
Peter
-
We already have that patch:
lt = (struct sadb_lifetime *)(mtod(m, caddr_t) + len / 2);
lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
lt->sadb_lifetime_allocations = 0;
lt->sadb_lifetime_bytes = 0;
lt->sadb_lifetime_addtime = sp->lifetime;
lt->sadb_lifetime_usetime = sp->validtime;
-
I'm running 1.2.1-RC2 built on Wed Nov 19 22:29:39 EST 2008 and am getting this error.
This was a tunnel running between two 1.2 Release machines that was working fine with no errors. I have upgraded one of them to 1.2.1-RC2 and the RC2 machine gets this error.
-
Just to confirm that I get this error whenever the Phase2 Lifetime expires on the 1.2.1 RC2 machine.
The 1.2 Release machine just processes a new Phase2 request as normal without any errors.
-
I committed a fix yesterday. Please try a new snapshot:
http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/pfSense-Full-Update-1.2.1-RC2-20081126-1732.tgz
-
I have now loaded the snapshot and am running 1.2.1-RC2 built on Wed Nov 26 17:32:19 EST 2008.
I will check the IPSEC logs later when the Phase2 expires.
-
I'm sorry to report that I still get the error message.
On the positive, I only get the message once now and it is only leaving SAD entry.
-
On the positive, I only get the message once now and it is only leaving SAD entry.
Scrap that, 1.2.1-RC2 built on Wed Nov 26 17:32:19 EST 2008 is exhibiting exactly the same as the original RC2 release.
-
I have upgraded to 1.2.1-RC2 built on Thu Dec 11 06:43:35 EST 2008 and am still getting these error messages.
When it re-negotiates it seems to leave the old SAD entries rather than deleting them.
-
The latest snapshot: 1.2.1-RC3 built on Mon Dec 15 05:25:39 EST 2008 exhibits the same behaviour.
-
Sorry, cannot reproduce this one.
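
PF_KEY (RFC 2367) expresses the total message length and every extension length, including the `sadb_lifetime_len` that the snippet earlier in the thread sets with `PFKEY_UNIT64`, in 64-bit words. The following is an added example, not code from this thread, pfSense or libipsec: a C sketch of the kind of length walk a receiver can apply, showing how a single wrong lifetime length makes a whole message invalid (all `ex_*` names and the sample message are assumptions made for illustration).

```c
#include <stdint.h>
#include <string.h>
/* Layouts follow RFC 2367; the ex_* names are local to this example. */
#define EX_UNIT64(bytes)   ((uint16_t)((bytes) >> 3))   /* bytes -> 64-bit words */
#define EX_UNUNIT64(words) ((size_t)(words) << 3)       /* 64-bit words -> bytes */
struct ex_msg {                 /* base header, 16 bytes */
    uint8_t  version, type, err, satype;
    uint16_t len, reserved;     /* len: whole message in 64-bit words */
    uint32_t seq, pid;
};
struct ex_lifetime {            /* lifetime extension, 32 bytes */
    uint16_t len, exttype;      /* len: this extension in 64-bit words */
    uint32_t allocations;
    uint64_t bytes, addtime, usetime;
};
enum { EX_OK, EX_TRUNCATED, EX_BAD_TOTAL, EX_BAD_EXT, EX_BAD_LIFETIME };

/* Walk the extensions and require their lengths to tile the message exactly. */
int ex_check_align(const uint8_t *buf, size_t buflen)
{
    struct ex_msg h;
    if (buflen < sizeof h) return EX_TRUNCATED;
    memcpy(&h, buf, sizeof h);
    if (EX_UNUNIT64(h.len) != buflen) return EX_BAD_TOTAL;
    for (size_t off = sizeof h; off < buflen; ) {
        uint16_t ext[2];        /* generic extension header: len, type */
        memcpy(ext, buf + off, sizeof ext);
        size_t extlen = EX_UNUNIT64(ext[0]);
        if (extlen == 0 || extlen > buflen - off) return EX_BAD_EXT;
        /* SADB_EXT_LIFETIME_CURRENT, _HARD, _SOFT are types 2, 3, 4 */
        if (ext[1] >= 2 && ext[1] <= 4 && extlen != sizeof(struct ex_lifetime))
            return EX_BAD_LIFETIME;
        off += extlen;
    }
    return EX_OK;
}

/* Constructed sample: header + SOFT + HARD lifetime; hard_words goes into
 * the HARD extension's length field (4 words = 32 bytes is correct). */
int ex_demo(uint16_t hard_words)
{
    uint8_t buf[16 + 32 + 32] = {0};
    struct ex_msg h = { .version = 2, .len = EX_UNIT64(sizeof buf) };
    struct ex_lifetime soft = { .len = EX_UNIT64(sizeof soft), .exttype = 4 };
    struct ex_lifetime hard = { .len = hard_words, .exttype = 3 };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + 16, &soft, sizeof soft);
    memcpy(buf + 48, &hard, sizeof hard);
    return ex_check_align(buf, sizeof buf);
}
```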