
Re: pf_key_v2_write problems



The recent, perhaps "most common", problems regarding pf_key_v2_write
messages have been due to a bug where a string that needed to be
null-terminated was not.

This only appeared for identity strings of lengths 8, 16, 24 and so on, as
PF_KEYv2 takes data in chunks of 8 bytes. If all those 8 bytes were "data"
and did not contain the null termination, it failed with an EINVAL error.

All other identity strings work fine. Unfortunately, we missed this in
time for the 2.9 CD.

The patch (included in the -STABLE branch) to fix it is:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/004_isakmpd.patch

Otherwise, yes, since whenever isakmpd talks to the kernel to set up the
SAs, flows and whatnot, it does so using the PF_KEYv2 protocol. If your
kernel and userland are out of sync... well, we try to keep things
backwards compatible, but sometimes we cannot, or we miss things.

//Håkan

On 14 xxx -1 auto267250@hushmail.com wrote:

> Probably the most unanswered question in the list is dealing with problems
> with isakmpd and the pf_key_v2_write error message. I could find only one
> answer from an isakmpd developer:
>
> >Make sure your kernel and userland are in sync.
> >-Angelos
>
> Well I did. I did a fresh install with the 2.9 cdroms.
>
> And there are some answers that a reboot might help. I did that too, and
> that didn't work either. These are answers you could expect on a Microsoft
> list.
>
> Could somebody please shed some technical light about this problem. How
> about all these people who had the same problem. Were you able to fix it,
> or did you give up?

--
Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
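
The failure mode described in the reply above, as an added example that is not isakmpd's code and not the 004 patch: a model of padding an identity string to 8-byte chunks with and without room for the terminator. The function names, the receiver-side check and the sample identities are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK 8 /* PF_KEYv2 carries extension data in 8-byte units */

/* Sizing that forgets the terminator: rounds strlen() up to a chunk. */
static size_t size_without_nul(const char *id)
{
    return (strlen(id) + CHUNK - 1) / CHUNK * CHUNK;
}

/* Sizing that reserves the terminator: rounds strlen() + 1 up to a chunk. */
static size_t size_with_nul(const char *id)
{
    return (strlen(id) + 1 + CHUNK - 1) / CHUNK * CHUNK;
}

/* Receiver-side check modelled on the behaviour described in the message:
 * a payload with no NUL inside its padded length is rejected with EINVAL. */
static int ident_check(const uint8_t *buf, size_t padded)
{
    if (padded == 0 || padded % CHUNK != 0)
        return EINVAL;
    return memchr(buf, '\0', padded) != NULL ? 0 : EINVAL;
}

/* Build a zero-padded payload with the given sizing rule and validate it. */
static int ident_roundtrip(const char *id, size_t (*sizer)(const char *))
{
    size_t padded = sizer(id);
    uint8_t *buf = padded ? calloc(1, padded) : NULL;
    if (buf == NULL)
        return padded ? ENOMEM : EINVAL;
    memcpy(buf, id, strlen(id)); /* strlen(id) <= padded for both rules */
    int rc = ident_check(buf, padded);
    free(buf);
    return rc;
}

int main(void)
{
    /* Constructed sample identities of length 7, 8 and 16. */
    const char *ids[] = { "vpn-gw1", "vpn-gw01", "gw01@example.org" };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
        printf("len=%2zu without_nul=%d with_nul=%d\n", strlen(ids[i]),
               ident_roundtrip(ids[i], size_without_nul),
               ident_roundtrip(ids[i], size_with_nul));
    return 0;
}
```

For lengths that are not a multiple of 8, the zero padding happens to supply the terminator, which is why only the 8, 16, 24, ... cases fail under the first sizing rule.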