Open Source and information security mailing list archives
Message-ID: <20171117100346.32zc6mv7bc2faamx@gauss3.secunet.de>
Date:   Fri, 17 Nov 2017 11:03:46 +0100
From:   Steffen Klassert <steffen.klassert@...unet.com>
To:     Kevin Locke <kevin@...inlocke.name>, <netdev@...r.kernel.org>
Subject: Re: Bisected 4.14 Regression: IPsec transport mode breakage

On Wed, Nov 15, 2017 at 09:46:19AM -0700, Kevin Locke wrote:
> Hi all,
> 
> I am using an L2TP/IPsec (transport mode) VPN connection from a client
> behind a NAT running Debian with strongswan 5.6.0-2 and xl2tpd
> 1.3.10-1 to a Cisco Meraki MX60 with a public IP.  The connection
> works with kernel 4.13 but not with kernel 4.14.  With 4.14 the IPsec
> connection appears to be established correctly but xl2tpd is unable to
> establish the L2TP connection.  The relevant error from syslog is:
> 
> charon: 09[KNL] creating acquire job for policy 192.168.21.10/32[udp/l2f] === X.X.X.X/32[udp/l2f] with reqid {1}
> charon: 12[CFG] trap not found, unable to acquire reqid 1
> 
> I have bisected the issue to commit c9f3f813d462.  I have attached the
> client ipsec.conf as well as the syslog during the connection attempt
> for both c9f3f813d462 (bad) and cf3796675174 (good).  Meraki IPs have
> been redacted to protect the innocent.
> 
> I'd appreciate any assistance in fixing the issue.  Let me know if
> there's anything else I can do to help troubleshoot or test.

The offending commit is already reverted in the 'net' tree
and will be available in mainline soon.

Thanks for the report!
