IPSec not working after upgrade to 2.2.2

  • I upgraded 7 Soekris 6501 boxes over the last weekend from 2.1.x to 2.2.2. At first everything looked OK, but then I started to get this warning:

    "there were errors loading the rule: pfctl: DIOCADDRULE: operation not supported by device - The line in question reads 0:"

    So I restarted one of the boxes and lost IPSec tunnel between this box and my HO (2.2.2 also). I checked all settings on both ends and they look OK, also IPSec status says "established" but I can't ping or connect to anything from HO into that network.
    They can sporadically RDP into servers at HO but can't print to the local printers.

    Also, the system log shows numerous "init: _secure_path: /etc/login.conf is not owned by root" or "login: _secure_path: /etc/login.conf is not owned by root" messages. Not sure if it's related.

    My home alix box was upgraded to 2.2.2 and has no problems with IPSec'ing to HO.

    upd: other 2 tunnels from this soekris box to other soekris boxes are working fine (all 2.2.2). wth :/

  • Two or three things there I'd like to look into. The "operation not supported by device" with no accompanying details is odd. The IPsec issue looks like an outstanding edge case that we haven't been able to replicate. If you can get me direct or indirect (gotomeeting, similar) access to the system I'd like to check it out. PM me and we can work out details.

  • sent…

  • I had to chown -R root:wheel /etc/ in the GUI to get ssh and console to work. Upgrade messed it all up.

    It stopped all the messages in the sys log.

  • @jasonr:

    I had to chown -R root:wheel /etc/ in the GUI to get ssh and console to work. Upgrade messed it all up.

    I found the source of that issue looking at covex's system. I just fixed that issue, or worked around it at least, by re-issuing the full update files again with "chown -R root:wheel *" of what's within them (when they were re-packed they lost that, which shouldn't matter, but mtree is failing after upgrade from any pre-FreeBSD 10.x base version). We're looking into a proper long-term fix now, but that shouldn't happen upon upgrade to 2.2.2 from 2.1x and earlier versions anymore.
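
Added example, not part of any post above and not pfSense project code: a read-only shell check that lists entries whose owner or group differs from an expected pair (root:wheel in the thread), so the extent of the ownership problem is visible before running a recursive chown. The function name `audit_owner` and its return codes are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): list entries under a directory whose
# owner or group differs from the expected pair, e.g. root:wheel for /etc.
# Read-only: it changes nothing, so it can be run before deciding on a chown.

# audit_owner DIR OWNER GROUP
#   prints "ls -ldn" lines (numeric uid/gid) for every mismatching entry
#   returns 0 = all entries match, 1 = mismatches found,
#           2 = bad argument or incomplete scan
audit_owner() {
    dir=$1
    owner=$2
    group=$3
    if [ ! -d "$dir" ]; then
        echo "audit_owner: $dir: not a directory" >&2
        return 2
    fi
    # -xdev keeps find on one filesystem; OWNER and GROUP may be names or
    # numeric ids. A find error (unknown user, unreadable subdirectory) means
    # the scan is incomplete, so it is reported instead of passing as clean.
    report=$(find "$dir" -xdev \( ! -user "$owner" -o ! -group "$group" \) \
                 -exec ls -ldn {} +) || {
        echo "audit_owner: scan of $dir did not complete" >&2
        return 2
    }
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Run only when a directory is given, e.g.:  sh audit_owner.sh /etc root wheel
if [ $# -ge 1 ]; then
    audit_owner "$1" "${2:-root}" "${3:-wheel}"
fi
```

Run it as root so that every subdirectory is readable; a return code of 2 means the result cannot be trusted as clean.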
