We should update the 3.19 kernel to 3.19.4
Among other changes it provides https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccfe8c3f7e52ae83155cb038753f4c75b774ca8a which might've been the cause for the aes256gcm crashes in the ipsec setup.
It also fixes other security issues (I'll add a list later on)
In practice, getting this to the to-be-ipsec nodes will take quite some time for cache reboots once it's in the repo and package updated on the hosts...
(I mention the above mainly as a side note about having ipsec rollout date depend on the fix or not)
AFAICS the aes256gcm bug is bypassed with https://phabricator.wikimedia.org/rOPUP1ab5d2ccdb85b37c220c49a3e6678688098dcaeb so that shouldn't be a blocker
3.19.3 was already built in Debian experimental and included the IPSEC patch. Since the 3.19.4 update doesn't fix any further security issues and most of the changes are not relevant for us (e.g. asoc, wireless, arm,powerpc) I added that build the jessie-wikimedia suite on apt.wikimedia.org instead.
This fixes CVE-2015-2150 and CVE-2015-2830.
Berkelium and Curium are now upgraded to Debian's 3.19.3 kernels containing the IPsec patch. Next, I will test the aes256gcm and ESN behavior.