Subject: Problems with IPsec
To: None <tech-net@netbsd.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-net
Date: 04/11/2002 14:09:18

I'm using IPsec on some 1.5.3 systems (and a 1.5ZC/1.5.2 system), and am
running into problems when things reboot.

First, I suffer from the reboot problem. Could someone explain to me why
we don't have a fix for it? It seems to me the simplest thing is when we
get packets referring to SPIs we don't have keys for, we send back an IKE
message saying I don't know what you're talking about. I know we have the
ability when starting IKE to say we've rebooted, can't we use this in
cases where we don't necessarily want to initiate IKE but believe the other
side is confused?

I have three machines, one of which is a laptop that uses 802.11b. So I
have ESP transport mode going between it and the other two. I'm to the
point where about each time I reboot one of the machines (either the laptop
or the desktops), I have to log into each machine that didn't reboot
and run /etc/rc.d/ipsec reload to get functionality back.

It used to be I could just go to the newly-booted machine and ping the
others from it. But that doesn't seem to work.

All of the machines are using racoon-20011215a. The two i386s (laptop and
one other) are running 1.5.3_RC1, and the macppc is running a 1.5ZC kernel
and 1.5.2 userland.

Suggestions?


The other problem I'm seeing is I think whatever's happening is causing me
to see the key freeing bug (data modified on free list).

Last night when shutting down, on the macppc, I had one of the errors. I
got (hand-copied notes):

data modified on free list e01a3fff size 320 prevtype ??
invalid addr 0xefe01a4c deadbe != deadbeef
unaligned addr e01a3fff size 128 type key mgmt XXX 127

panic was in mountd shutting down.

keydb_delsecpolicy
key_delsp
key_freesp
ipsec4_delete_pcbpolicy
in_pcvdetatch
.L370+4
soclose
soo_close

Thoughts? Unfortunately I don't have enough space for crash dumps. :-(

Take care,

Bill