i had previously been having issues with automount being slow with this new kernel and i tracked it down to dns delays which were being caused by ipsec not working. i have spent a few hours poking around and ipsec seems quite broken with this new kernel. esp packets go in and out just fine, but when i look at ip xfrm stats on the machine with the new kernel, i see that for input packets, the ah layer is being processed just fine, but the esp layer is showing 0 bytes/packets and no errors. i can't find any errors or other indications of what is going on.
is anyone else running a standard ipsec tunnel (using the standard ifcfg method for creating the tunnel) under this new kernel? i know that a new 5.2 kernel should be coming soon, but i worry that whatever broke this version may happen there as well.
Joe Pruett wrote:
> i had previously been having issues with automount being slow with this new kernel and i tracked it down to dns delays which were being caused by ipsec not working. i have spent a few hours poking around and ipsec seems quite broken with this new kernel. esp packets go in and out just fine, but when i look at ip xfrm stats on the machine with the new kernel, i see that for input packets, the ah layer is being processed just fine, but the esp layer is showing 0 bytes/packets and no errors. i can't find any errors or other indications of what is going on.
> is anyone else running a standard ipsec tunnel (using the standard ifcfg method for creating the tunnel) under this new kernel? i know that a new 5.2 kernel should be coming soon, but i worry that whatever broke this version may happen there as well.
See here:
On Thu, 29 May 2008, Ned Slider wrote:
> See here:
thanks. i had looked in the upstream bugzilla and not found anything obvious, but didn't think to look at the centos bug database. i'll remember that for next time.
Joe Pruett wrote:
> thanks. i had looked in the upstream bugzilla and not found anything obvious, but didn't think to look at the centos bug database. i'll remember that for next time.
we tried to get that note included in the update release announcement sent to the centos-announce list, but the release system i am using does not like URLs in the comments section (yes, i know - needs fixing).