Hello Deepak,

you can find the bug here: https://bugzilla.redhat.com/show_bug.cgi?id=462731

You'll also find that the bug was in el5 before 2.6.18-164, not the fix. You can find the exact description of the bug and the fix in the bug report above. If you find any problems with the rpms I have built, please contact me directly, no need to go through the list :)

Thanks and good luck,
Johannes

On Tuesday, 10.11.2009, 08:40 -0600, Gupta, Deepak (Deepak) wrote:
>
> Martin,
>
> Many thanks for your reply! I appreciate it.
>
> Your answers are very helpful. To give you some context, we are in an effort
> to support IPsec tunnels with RedHat RHEL 5.3 kernel (2.6.18-128) (I
> mistyped before, it is not 5.2). And based on your answers, it appears that
> strongswan meets our requirements more than openswan (would you agree based
> on the requirements I had mentioned?), however, is the kernel issue
> (sha256+esp) strongswan specific? I would tend to think that this would be
> an issue for all IPsec solutions.
>
> Regarding the bug for "ipsec statusall", I googled and saw an email from
> Johannes that said that RHEL version 5.4 contains the fix for this, however,
> it did not mention the RedHat bug number or the kernel patch. However,
> Johannes' email from this morning suggests that this fix went into 5.3
> (2.6.18-164 or earlier). Is this issue an IPsec issue or a strongswan issue?
> BTW, if there is any info available on this bug (redhat bug number etc.) or
> linux kernel patch, please let us know so we can try to evaluate how best to
> apply it. I have done some limited searching for this on RedHat's web site
> but did not find this bug for either the 5.3 (2.6.18-128) or 5.4 kernels.
>
> Regards,
>
> -Deepak
>
>
> -----Original Message-----
> From: Martin Willi [mailto:[email protected]]
> Sent: Tuesday, November 10, 2009 4:49 AM
> To: Gupta, Deepak (Deepak)
> Cc: '[email protected]'
> Subject: Re: [strongSwan] Strongswan support for RHEL5
>
> Hi,
>
> > IPsec v3 (RFCs 4301 and 4303)
>
> The Linux kernel does not completely support the new IPsec standards. It
> currently does not support Extended Sequence Numbers or Traffic Selector
> ranges (only complete subnets).
>
> > IKEv2
> > OCSP (over http) for CRLs and CA management Automatic Keying
> > Ike=aes128-sha2_256-modp2048
>
> This is supported by strongSwan.
>
> > Esp=aes128-sha2_256
>
> The Linux kernel uses an incorrect truncation scheme for ESP packets with
> SHA256. You might try to use the patch available at [1] to use the correct
> 96-bit truncation.
>
> > 1. Does strongswan support RHEL5.2 (x86_64 64 bit)?
>
> It should. There was a bug in earlier RHELs, where querying SAs in the kernel
> immediately deletes them. I don't know if this is still correct for 5.2, but
> you'll see SAs disappearing when running "ipsec statusall".
>
> > 2. Are there any known issues for this version of this OS for the
> > IPsec params mentioned above?
>
> As mentioned.
>
> > 3. Where can I find rpms for RHEL5?
>
> There are no official RPMs for RHEL. There is currently a discussion about
> spec files on this list, you might want to try one of these.
>
> Regards
> Martin
>
> [1] http://kerneltrap.org/mailarchive/linux-kernel/2008/6/5/2039114
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
