i had previously been having issues with automount being slow with this new kernel and i tracked it down to dns delays which were being caused by ipsec not working. i have spent a few hours poking around and ipsec seems quite broken with this new kernel. esp packets go in and out just fine, but when i look at ip xfrm stats on the machine with the new kernel, i see that for input packets, the ah layer is being processed just fine, but the esp layer is showing 0 bytes/packets and no errors. i can't find any errors or other indications of what is going on.

is anyone else running a standard ipsec tunnel (using the standard ifcfg method for creating the tunnel) under this new kernel? i know that a new 5.2 kernel should be coming soon, but i worry that whatever broke this version may happen there as well.
Joe Pruett wrote:
> i had previously been having issues with automount being slow with this
> new kernel and i tracked it down to dns delays which were being caused
> by ipsec not working. i have spent a few hours poking around and ipsec
> seems quite broken with this new kernel. esp packets go in and out just
> fine, but when i look at ip xfrm stats on the machine with the new
> kernel, i see that for input packets, the ah layer is being processed
> just fine, but the esp layer is showing 0 bytes/packets and no errors.
> i can't find any errors or other indications of what is going on.
>
> is anyone else running a standard ipsec tunnel (using the standard ifcfg
> method for creating the tunnel) under this new kernel? i know that a
> new 5.2 kernel should be coming soon, but i worry that whatever broke
> this version may happen there as well.

See here: http://bugs.centos.org/view.php?id=2853