Bug 1734058

Summary: libreswan false positive on duplicate acquires leads to ignored IKE requests and packet loss
Product: Red Hat Enterprise Linux 8 Reporter: Paul Wouters <pwouters>
Component: libreswanAssignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: unspecified Docs Contact:
Priority: high    
Version: 8.2CC: dapospis, pvrabec, sbroz, tjaros, wchadwic
Target Milestone: rcKeywords: Triaged
Target Release: 8.0Flags: pwouters: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1734060 1822580 (view as bug list) Environment:
Last Closed: 2020-11-04 03:18:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1820206    
Bug Blocks: 1734060, 1755139, 1822580, 1825061    

Description Paul Wouters 2019-07-29 14:32:10 UTC 
There are some (as of yet unknown) scenario's where pluto receives a kernel ACQUIRE for which it already detects it has a valid STATE object. Thus, it interprets these as a "duplicate acquire" and no action is taken. However, the state found does not belong to a valid IPsec SA, and so the tunnel is down and cannot be started because it is deemed up based on the "duplicate" check.

When this happens, packets are dropped for a lack of IPsec SA - or leaked in the clear, depending on whether this was a "private" or "private-or-clear" group state.
Comment 25 errata-xmlrpc 2020-11-04 03:18:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libreswan bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4722