Bug 1597322

Summary: Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
Product: Red Hat Enterprise Linux 7
Component: libreswan
Version: 7.6
Reporter: Paul Wouters <pwouters>
Assignee: Paul Wouters <pwouters>
QA Contact: Ondrej Moriš <omoris>
CC: omoris
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Hardware: All
OS: Linux
Type: Bug
Last Closed: 2018-10-30 10:51:34 UTC

Description Paul Wouters 2018-07-02 15:04:08 UTC
Description of problem:
In 3.25, libreswan is now very quick at deleting old IKE/IPsec SAs during the negotiation of a new one when responding to a rekey. This confuses some third-party devices (old Cisco VPN 3000 and some Junipers).

This behaviour needs to be relaxed to not change IKEv1 processing, and for IKEv2 to ensure it is only done when seeing INITIAL CONTACT.

Note that this will have one side effect of lingering old connections with Microsoft Windows as a client, because they do not support INITIAL CONTACT in IKEv2. But these should be harmless.
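As an added illustration of the IKEv2 condition described above (this is not libreswan code and not part of the bug report): a small Python parser that walks the payload chain of an IKEv2 message body and reports whether any Notify payload carries INITIAL_CONTACT, the only case in which the relaxed behaviour should delete the old SAs. The payload layout and type values come from RFC 7296; the sample message bodies are constructed here, and the IKEv1 path is deliberately left out because the bug keeps it unchanged.

```python
import struct

# IKEv2 values from RFC 7296 (not taken from the bug page).
PAYLOAD_IDI = 35          # Identification - Initiator
PAYLOAD_NOTIFY = 41       # Notify payload
PAYLOAD_AUTH = 39         # Authentication payload
INITIAL_CONTACT = 16384   # Notify Message Type INITIAL_CONTACT


def parse_payloads(first_payload, body):
    """Walk the generic payload chain that follows an IKEv2 header.
    `first_payload` is the header's Next Payload value; yields (type, data)."""
    ptype, off = first_payload, 0
    while ptype != 0:  # 0 = No Next Payload
        if off + 4 > len(body):
            raise ValueError("truncated payload header")
        next_type, _flags, length = struct.unpack_from("!BBH", body, off)
        if length < 4 or off + length > len(body):
            raise ValueError("bad payload length")
        yield ptype, body[off + 4:off + length]
        ptype, off = next_type, off + length


def ikev2_should_delete_old_sas(first_payload, body):
    """Relaxed rule from the bug: only delete lingering SAs when the peer
    explicitly signalled INITIAL_CONTACT. Notify data starts with
    Protocol ID (1), SPI Size (1), Notify Message Type (2), then SPI."""
    for ptype, data in parse_payloads(first_payload, body):
        if ptype != PAYLOAD_NOTIFY or len(data) < 4:
            continue
        _proto, _spi_size, ntype = struct.unpack_from("!BBH", data, 0)
        if ntype == INITIAL_CONTACT:
            return True
    return False


def _payload(next_payload, data):
    """Constructed helper: generic payload header + data, critical bit clear."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(data)) + data


# Constructed IKE_AUTH-style bodies: IDi -> N(INITIAL_CONTACT) -> AUTH,
# and the same exchange without the notify (e.g. a Windows client).
SAMPLE_WITH_IC = (
    _payload(PAYLOAD_NOTIFY, b"\x01\x00\x00\x00peer")
    + _payload(PAYLOAD_AUTH, struct.pack("!BBH", 0, 0, INITIAL_CONTACT))
    + _payload(0, b"\x02\x00\x00\x00auth")
)
SAMPLE_WITHOUT_IC = (
    _payload(PAYLOAD_AUTH, b"\x01\x00\x00\x00peer")
    + _payload(0, b"\x02\x00\x00\x00auth")
)
```

In both samples the first payload type is IDi (35), so callers pass `35` as `first_payload`; only the first body should trigger deletion of the old SAs.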

Comment 2 Ondrej Moriš 2018-08-11 10:36:57 UTC
We are not able to test this issue reliably. Verified SanityOnly. Patch libreswan-3.25-relax-delete.patch is included in the package and is applied correctly.

Comment 4 errata-xmlrpc 2018-10-30 10:51:34 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:3174