Bug 147500
Summary: | IPsec tunnelling AH security association creation problem | |
---|---|---|---
Product: | Red Hat Enterprise Linux 4 | Reporter: | Yue Shi Lai <ylai>
Component: | kernel | Assignee: | Bill Nottingham <notting>
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 4.0 | CC: | davej, jefferson.ogata, rvokal
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | i686 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2005-09-21 20:58:31 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Yue Shi Lai
2005-02-08 16:44:28 UTC
Clarification to : a ping will in fact fail by : "connect: Resource temporarily unavailable". The ping is from RHEL 4 Beta 2 to RHEL 3, and it fails repeatedly (i.e. still after about 20 pings with 1 second interval, and not because of the initial ISAKMP negotiation). The hassless AH created looks like this:

```
ah mode=tunnel spi=0(0x00000000) reqid=0(0x00000000) seq=0x00000000 replay=0 flags=0x00000000 state=larval
```

Note that it has SPI=0 and is essentially empty.

Please try the ipsec-tools at: http://people.redhat.com/notting/ipsec/ Does that help at all?

Actually, you *may* be better off trying the kernel at http://people.redhat.com/notting/ipsec/ rather than the ipsec-tools.

I am seeing the same problem with a tunnel on RHEL 4. On the initiating side (A), racoon creates SAs for A->B/esp, B->A/esp, and B->A/ah. The A->B/ah is never created, even though the log claims that it is, with a line like:

```
INFO: IPsec-SA established: AH/Tunnel A.A.A.A->B.B.B.B spi=229899015(0xdb3fb07)
```

setkey -D shows this SA on B, but not on A. On the other side, racoon creates all 4 SAs properly. The SPI of the fourth SA (the one missing on the A side) matches the SPI logged on A but not added. If I create the fourth, missing SA by hand using setkey on A, the tunnel starts working. This is with the current kernel from Red Hat for RHEL 4 (2.6.9-5.0.3.EL). I will test with the notting.ipsec kernel...

Indeed, the notting.ipsec kernel seems to fix this problem. Can we get an ERRATA? Please? Or some other workaround and an explanation?

Okay, a new kernel just came out and now I'm stuck with an insecure kernel until you guys fix this. Am I the only person using ipsec tunneling on RHEL 4? Well, I guess there can't be many of us, actually, since it doesn't work in the stock kernel. Please fix or provide workaround ASAP.

This will be fixed in RHEL 4 Update 1.

There is a kernel in the beta channel https://rhn.redhat.com/network/software/packages/details.pxt?pid=309164 that has this fix (and I believe has the security fixes that were released as well.)
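The two symptoms described in this report (an AH SA left larval with SPI 0, and an AH SA present in one direction only) can both be spotted by parsing the output of `setkey -D` on each endpoint. The following checker is an added example, not code from the bug report or from ipsec-tools; it assumes the line layout `setkey -D` uses for the address pair, the `proto mode=... spi=N(0x...)` line and the `state=` line, and the `setkey -D` text it runs on here is a constructed sample modelled on the lines quoted in the report, not real captured output.

```python
"""Flag incomplete IPsec security associations in `setkey -D` output.

Added example (not from the bug report or from ipsec-tools). Two checks:
  1. any SA whose state is not mature/dying or whose SPI is 0 (the empty
     larval AH entry quoted in the report);
  2. any (src, dst, proto) with no usable counterpart in the reverse
     direction (the A->B/ah SA that racoon logged but never installed).
"""
import re
from dataclasses import dataclass

# Constructed sample of what `setkey -D` might show on host A in the
# report: both ESP SAs and B->A/ah are mature, A->B/ah is larval with SPI 0.
SAMPLE_SETKEY_D = """\
10.0.0.1 10.0.0.2
\tesp mode=tunnel spi=42(0x0000002a) reqid=0(0x00000000)
\tE: 3des-cbc  0f1e2d3c 4b5a6978 8796a5b4 c3d2e1f0 0f1e2d3c 4b5a6978
\tA: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
\tesp mode=tunnel spi=43(0x0000002b) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
\tah mode=tunnel spi=229899015(0x0db3fb07) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.1 10.0.0.2
\tah mode=tunnel spi=0(0x00000000) reqid=0(0x00000000)
\tseq=0x00000000 replay=0 flags=0x00000000 state=larval
"""


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    proto: str
    mode: str
    spi: int
    state: str


# Address-pair header: "src dst" at column 0 (assumed layout, no ports).
_PAIR = re.compile(r"^(\S+)\s+(\S+)\s*$")
# Protocol line: indented "esp|ah|ipcomp mode=... spi=DEC(0xHEX) ...".
_PROTO = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=(\d+)\(0x[0-9a-fA-F]+\)")
_STATE = re.compile(r"\bstate=(\w+)")


def parse_setkey_dump(text: str) -> list[SA]:
    """Turn `setkey -D` text into a list of SA records."""
    sas: list[SA] = []
    src = dst = proto = mode = None
    spi = 0
    for line in text.splitlines():
        m = _PAIR.match(line)
        if m:  # only unindented lines can match: a new src/dst pair
            src, dst = m.groups()
            continue
        m = _PROTO.match(line)
        if m:
            proto, mode, spi_text = m.groups()
            spi = int(spi_text)
            continue
        m = _STATE.search(line)
        if m and proto is not None and src is not None:
            sas.append(SA(src, dst, proto, mode, spi, m.group(1)))
            proto = None  # the state line ends one SA record
    return sas


def find_problems(sas: list[SA]) -> list[str]:
    """Return human-readable findings; an empty list means all SAs pair up."""
    problems: list[str] = []
    usable: set[tuple[str, str, str]] = set()
    for sa in sas:
        if sa.state not in ("mature", "dying") or sa.spi == 0:
            problems.append(
                f"{sa.src}->{sa.dst}/{sa.proto}: spi={sa.spi:#010x} "
                f"state={sa.state}, not usable"
            )
        else:
            usable.add((sa.src, sa.dst, sa.proto))
    # Every usable SA should have a usable twin in the opposite direction.
    for src, dst, proto in sorted(usable):
        if (dst, src, proto) not in usable:
            problems.append(
                f"{src}->{dst}/{proto} has no mature {dst}->{src}/{proto} counterpart"
            )
    return problems


if __name__ == "__main__":
    # Real use: pipe `setkey -D` into this script instead of the sample.
    for finding in find_problems(parse_setkey_dump(SAMPLE_SETKEY_D)):
        print(finding)
```

Run against the sample it reports the larval A->B/ah entry and the B->A/ah SA with no A->B counterpart; on the report's other failure mode, where the SA is absent from host A entirely, only the second finding appears, which is the cue to compare `setkey -D` on both endpoints before suspecting the key exchange.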