[Bug 391370] Re: Cannot decapsulate IPv6 from ESP since 2.6.27
Update: Since linux kernel version 2.6.27 (ubuntu) I'm unable run IPv6 over my IPSEC tunnel. So far I've worked around the problem with simply staying with the old kernel version (2.6.25) on that system, but that road has come to an end, and I'm still having problems even with the lastest and greatest of ubuntu linux kernels (2.6.38). I currently have both a working gateway (2.6.25) and a non-working gateway (2.6.38) running with different IPv6-networks behind them, both connected to the same far end with 2.6.25. - the same system which is working with 2.6.25 is non-working with 2.6.27 - IPv4 is working as expected with all kernel versions tried - an IPv6 packet from a network behind a non-working IPSEC gateway is finding it's way out, the response is back sent to the gateway but is never decrypted and sent out on the local network (everything is silent) - the ip xfrm policy looks the same on a working and non-working system, but on the non-working host the output gets ordered according to the index (wow, new feature.. makes me think there may be something here) No matter what, I can't seem to be able to hit the rule which is supposed to trigger the decryption on the non-working host (can't hit any rules at all with IPv6 from the outside world, encrypting does work). Also, on the non-working gateway there are a number of what seems to be per-socket policies: src ::/0 dst ::/0 dir 3 priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 dir 4 priority 0 ... Dunno why they are there, seems as if they can not be flushed or removed in any way. But doesn't seem to be used either, but it is a clear difference between working/non-working. I've also tried upgrading the far end to something more recent (tried 2.6.28 and 2.6.38), but that makes both parties deaf to ESP packets containing IPv6, and also compared the set of loaded kernel modules between a working and non-working, and looked at the kernel configs, but still nothing that catches my attention .. So I'm completely out of suggestions, so I'm thinking bug, but find it quite hard to believe that the linux kernel has been broken like this since 2008. Of course it could be an ubuntu issue, or a severe case of RTFM from my side. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/391370 Title: Cannot decapsulate IPv6 from ESP since 2.6.27 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 391370] Re: Cannot decapsulate IPv6 from ESP since 2.6.27
Dunno what made this bug report incomplete after 9 months of idling here at launchpad. It is now 2011 and we're officially out of IANA IPv4 address space, but there still is not way to run a IPv6 tunnel over IPSEC with Ubuntu Linux kernels = 2.6.27. Just verified with version 2.6.38-3.30, and no luck. I'll file this again and wait for another 18 months, maybe then.. ** Changed in: linux (Ubuntu) Status: Expired = New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/391370 Title: Cannot decapsulate IPv6 from ESP since 2.6.27 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 374185] Re: racoon crashes when racoon.conf contains sainfo section for ipv6
The attached patch fixes the problem. A new release will be issued by the ipsec-tools development team (0.7.3). ** Attachment added: lagning.patch http://launchpadlibrarian.net/28263184/lagning.patch -- racoon crashes when racoon.conf contains sainfo section for ipv6 https://bugs.launchpad.net/bugs/374185 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ipsec-tools in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 391370] [NEW] Cannot decapsulate IPv6 from ESP since 2.6.27
Public bug reported: Binary package hint: linux-image Since linux kernel version 2.6.27 IPv6 packages recieved over IPSEC is never decapsulated but silently dropped. It can easily be verified since the module xfrm6_mode_tunnel isn't inserted when installing a SPD containing policies for IPv6 via setkey. Even if manually installed via modprobe, it is never used. The policy itself installs and can be viewed with setkey -DP, but incoming rules for IPv6 never gets any packages. Outgoing (encapsulation) is working. The result of this seems to be total failure of IPv6 over IPSEC for all kernel versions = 2.6.27. Verified working versions: linux-image-2.6.24-23-generic (2.6.24-23.52) linux-image-2.6.25-2-386 (2.6.25-2.3) Verified non-working versions: linux-image-2.6.27-7-generic (2.6.27-7.16) linux-image-2.6.28-11-generic (2.6.28-11.42) linux-image-2.6.28-13-generic (2.6.28-13.44) linux-image-2.6.30-10-generic (2.6.30-10.12) ** Affects: linux-meta (Ubuntu) Importance: Undecided Status: New ** Summary changed: - Cannot decapsulate IPv6 från ESP since 2.6.27 + Cannot decapsulate IPv6 from ESP since 2.6.27 -- Cannot decapsulate IPv6 from ESP since 2.6.27 https://bugs.launchpad.net/bugs/391370 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 391370] Re: Cannot decapsulate IPv6 from ESP since 2.6.27
Oh, B.T.W, if you want to fully verify this you'll have to mend the broken racoon shipped with all Ubuntu since intrepid (ipsec-tools version = 0.7). https://bugs.launchpad.net/bugs/374185 Obviously I'm the only one on earth tunnling IPv6 over IPSEC. -- Cannot decapsulate IPv6 from ESP since 2.6.27 https://bugs.launchpad.net/bugs/391370 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 374185] Re: racoon crashes when racoon.conf contains sainfo section for ipv6
The attached patch fixes the problem. A new release will be issued by the ipsec-tools development team (0.7.3). ** Attachment added: lagning.patch http://launchpadlibrarian.net/28263184/lagning.patch -- racoon crashes when racoon.conf contains sainfo section for ipv6 https://bugs.launchpad.net/bugs/374185 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 374185] Re: racoon crashes when racoon.conf contains sainfo section for ipv6
** Changed in: ipsec-tools (Ubuntu) Assignee: (unassigned) = Ubuntu Core Development Team (ubuntu-core-dev) ** Changed in: ipsec-tools (Ubuntu) Assignee: Ubuntu Core Development Team (ubuntu-core-dev) = (unassigned) -- racoon crashes when racoon.conf contains sainfo section for ipv6 https://bugs.launchpad.net/bugs/374185 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ipsec-tools in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 374185] Re: racoon crashes when racoon.conf contains sainfo section for ipv6
** Changed in: ipsec-tools (Ubuntu) Assignee: (unassigned) = Ubuntu Core Development Team (ubuntu-core-dev) ** Changed in: ipsec-tools (Ubuntu) Assignee: Ubuntu Core Development Team (ubuntu-core-dev) = (unassigned) -- racoon crashes when racoon.conf contains sainfo section for ipv6 https://bugs.launchpad.net/bugs/374185 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 374185] [NEW] racoon crashes when racoon.conf contains sainfo section for ipv6
Public bug reported:
Binary package hint: ipsec-tools
It seems I am the only one on this planet using ipv6. Since ipsec-tools
0.7, when configuring v6 addresses in sainfo section of racoon.conf,
racoon crashes:
$ sudo racoon -F
Foreground mode.
2009-05-09 19:14:34: INFO: @(#)ipsec-tools 0.7
(http://ipsec-tools.sourceforge.net)
2009-05-09 19:14:34: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007
(http://www.openssl.org/)
2009-05-09 19:14:34: INFO: Reading configuration from /etc/racoon/racoon.conf
2009-05-09 19:14:36: INFO: Resize address pool from 0 to 255
*** stack smashing detected ***: racoon terminated
=== Backtrace: =
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7c63138]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7c630f0]
racoon[0x8073079]
racoon[0x808ac74]
racoon[0x808b015]
racoon[0x8091d8b]
racoon[0x80943e8]
racoon[0x804cfcd]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7b8c450]
racoon[0x804cb71]
=== Memory map:
08048000-080bb000 r-xp 08:01 84214 /usr/sbin/racoon
080bb000-080bc000 rw-p 00072000 08:01 84214 /usr/sbin/racoon
080bc000-080e3000 rw-p 080bc000 00:00 0 [heap]
..
Now, this happens without even communicating with the far end.
To reproduce, take for example this rather minimal racoon.conf:
8
remote ::2 {
exchange_mode main;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address ::1 any address ::2 any
{
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address ::2 any address ::1 any
{
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
8
and start racoon in the forground - it will crash instantly.
Source package: ipsec-tools_0.7-2.1ubuntu1 (9.04)
** Affects: ipsec-tools (Ubuntu)
Importance: Undecided
Status: New
--
racoon crashes when racoon.conf contains sainfo section for ipv6
https://bugs.launchpad.net/bugs/374185
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ipsec-tools in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 374185] [NEW] racoon crashes when racoon.conf contains sainfo section for ipv6
Public bug reported:
Binary package hint: ipsec-tools
It seems I am the only one on this planet using ipv6. Since ipsec-tools
0.7, when configuring v6 addresses in sainfo section of racoon.conf,
racoon crashes:
$ sudo racoon -F
Foreground mode.
2009-05-09 19:14:34: INFO: @(#)ipsec-tools 0.7
(http://ipsec-tools.sourceforge.net)
2009-05-09 19:14:34: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007
(http://www.openssl.org/)
2009-05-09 19:14:34: INFO: Reading configuration from /etc/racoon/racoon.conf
2009-05-09 19:14:36: INFO: Resize address pool from 0 to 255
*** stack smashing detected ***: racoon terminated
=== Backtrace: =
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7c63138]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7c630f0]
racoon[0x8073079]
racoon[0x808ac74]
racoon[0x808b015]
racoon[0x8091d8b]
racoon[0x80943e8]
racoon[0x804cfcd]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7b8c450]
racoon[0x804cb71]
=== Memory map:
08048000-080bb000 r-xp 08:01 84214 /usr/sbin/racoon
080bb000-080bc000 rw-p 00072000 08:01 84214 /usr/sbin/racoon
080bc000-080e3000 rw-p 080bc000 00:00 0 [heap]
..
Now, this happens without even communicating with the far end.
To reproduce, take for example this rather minimal racoon.conf:
8
remote ::2 {
exchange_mode main;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address ::1 any address ::2 any
{
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address ::2 any address ::1 any
{
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
8
and start racoon in the forground - it will crash instantly.
Source package: ipsec-tools_0.7-2.1ubuntu1 (9.04)
** Affects: ipsec-tools (Ubuntu)
Importance: Undecided
Status: New
--
racoon crashes when racoon.conf contains sainfo section for ipv6
https://bugs.launchpad.net/bugs/374185
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 328519] [NEW] cannot use LOG_EMERG
Public bug reported:
Reference: https://rt.cpan.org/Public/Bug/Display.html?id=17518
Bug in Syslog.pm version 0.13, fixed in 0.14:
cannot use LOG_EMERG or emerg as priority with following error.
syslog: invalid level/facility: emerg at ./syslog.pl line 46
Syslog.pm#syslog (line 632) is
if ($_ eq 'kern' || $num = 0) {
but I think
if ($_ eq 'kern' || $num 0) {
is correct.
** Affects: perl (Ubuntu)
Importance: Undecided
Status: New
--
cannot use LOG_EMERG
https://bugs.launchpad.net/bugs/328519
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I believe applying the propsed patch is becoming increasingly urgent. It is obviously in the 2.6.4 and 2.4.3 releases of GnuTLS and AFAIK, it didn't break anything. Pinning down on 2.0.4-1 of libgnutls13 on is not a long-term solution, especially not for an LTS system. The patch has been verified as working in staging environments, and I believe we have to come to a decision. Maintaining my own version of gnutls for the next 4 years doesn't really appeal to me either.. Also, in my experience it is not uncommon to use home brewed root certificates without the basicConstraints extension, i.e. for authentication of the directory service. This configuration fails with the current ubuntu version. -- gnutls regression: failure in certificate chain validation https://bugs.launchpad.net/bugs/305264 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 305264] Re: gnutls regression: failure in certificate chain validation
I believe applying the propsed patch is becoming increasingly urgent. It is obviously in the 2.6.4 and 2.4.3 releases of GnuTLS and AFAIK, it didn't break anything. Pinning down on 2.0.4-1 of libgnutls13 on is not a long-term solution, especially not for an LTS system. The patch has been verified as working in staging environments, and I believe we have to come to a decision. Maintaining my own version of gnutls for the next 4 years doesn't really appeal to me either.. Also, in my experience it is not uncommon to use home brewed root certificates without the basicConstraints extension, i.e. for authentication of the directory service. This configuration fails with the current ubuntu version. -- gnutls regression: failure in certificate chain validation https://bugs.launchpad.net/bugs/305264 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 49410] Re: paper format in lpoptions is disregarded
*** This bug is a duplicate of bug 34112 *** Problem is solved with the patched version in latest libgnomeprint2.2-0 (2.12.1-3ubuntu2). Thanx Pascal. ** This bug has been marked a duplicate of bug 34112 gnome programs don't respect ~/.cups/lpoptions -- paper format in lpoptions is disregarded https://launchpad.net/bugs/49410 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 34112] Re: gnome programs don't respect ~/.cups/lpoptions
** Bug 49410 has been marked a duplicate of this bug -- gnome programs don't respect ~/.cups/lpoptions https://launchpad.net/bugs/34112 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
