Bug 234491

Summary: LSPP: kernel sends additional ACQUIRES that racoon is not catching.
Product: Red Hat Enterprise Linux 5
Reporter: Joy Latten <latten>
Component: ipsec-tools
Assignee: Steve Conklin <sconklin>
Status: CLOSED CURRENTRELEASE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 5.0
CC: eparis, iboverma, krisw, linda.knippers, sgrubb
Hardware: All
OS: Linux
Fixed In Version: RHSA-2007-0342
Doc Type: Bug Fix
Last Closed: 2007-06-27 14:17:33 UTC
Bug Blocks: 224041

Attachments:
Patch to allow racoon to ignore extra ACQUIRES from kernel.

Description Joy Latten 2007-03-29 16:45:41 UTC
Description of problem:
With the change made to the kernel to not drop the first IPsec packet,
sometimes the kernel sends ACQUIREs while the very IPsec SAs it needs
are being established. The IKE daemon needs to be smarter and
catch this. It needs smarter checks to make sure a negotiation
is not going on for the ACQUIRE it received.

Version-Release number of selected component (if applicable):
ipsec-tools-0.6.5-2

How reproducible:
Happens frequently.

Steps to Reproduce:
1. Configure IPsec policy between 2 machines using both AH and ESP.
2. Start racoon on both.
3. Do a ping.
4. See if 2 identical SAs were created for each SA (you should see 8 instead of 4).
5. If you only see 4 SAs, stop racoon and repeat steps 2 and 3.

Actual results:
Frequently creates 2 of the same SA because another ACQUIRE is
sent while negotiating the first one. 


Expected results:
Racoon should ignore additional ACQUIREs for ongoing SA
negotiations.

Additional info:
Have a patch and will submit to ipsec-tools community.
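
Added example for step 4 of the reproduction above (not part of the report, the attached patch, or ipsec-tools): a small checker that parses `setkey -D` output and reports selectors that hold more than one mature SA. The sample dump embedded in the script is constructed to look like the scenario described (AH+ESP transport mode between two hosts, 2 protocols x 2 directions = 4 expected SAs); the addresses and SPIs are made up. It deliberately counts only state=mature SAs, because a mature SA next to a dying one for the same selector is an ordinary rekey, not the duplicate negotiation this bug is about.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `setkey -D` output, abbreviated to the three lines per
# SA that this parser uses (the "src dst" header, the proto/spi line and the
# state line).  Three of the four expected SAs exist twice with state=mature,
# which is the duplicate-negotiation symptom; the fourth (ah 10.0.0.2->10.0.0.1)
# is a mature SA next to a dying one, i.e. a normal rekey that must not be
# reported.  Total: 8 SAs where 4 were expected.
SAMPLE_SETKEY_D = """\
10.0.0.1 10.0.0.2
        esp mode=transport spi=201326592(0x0c000000) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.1 10.0.0.2
        esp mode=transport spi=201326593(0x0c000001) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
        esp mode=transport spi=168427520(0x0a0a0000) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
        esp mode=transport spi=168427521(0x0a0a0001) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.1 10.0.0.2
        ah mode=transport spi=4096(0x00001000) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.1 10.0.0.2
        ah mode=transport spi=4097(0x00001001) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
        ah mode=transport spi=8192(0x00002000) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=dying
10.0.0.2 10.0.0.1
        ah mode=transport spi=8193(0x00002001) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

SA_HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")  # unindented "src dst" line
SA_PROTO_RE = re.compile(
    r"^\s+(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)\((0x[0-9a-fA-F]+)\)\s+reqid=(\d+)")
SA_STATE_RE = re.compile(r"\bstate=(\w+)")


def parse_setkey_dump(text):
    """Turn `setkey -D` output into a list of SA dicts.

    Unindented lines are "src dst" headers; the indented lines that follow
    describe one SA until the next header.  An empty SAD prints
    "No SAD entries.", which matches neither pattern and yields [].
    """
    sas = []
    src = dst = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = SA_HEADER_RE.match(line)
            if m:
                src, dst = m.groups()
            continue
        m = SA_PROTO_RE.match(line)
        if m:
            proto, mode, spi_dec, _spi_hex, reqid = m.groups()
            sas.append({"src": src, "dst": dst, "proto": proto, "mode": mode,
                        "spi": int(spi_dec), "reqid": int(reqid), "state": None})
            continue
        m = SA_STATE_RE.search(line)
        if m and sas:
            sas[-1]["state"] = m.group(1)
    return sas


def find_duplicate_sas(sas):
    """Group mature SAs by (src, dst, proto, mode, reqid); return the groups
    holding more than one SPI.  Dying/larval SAs are skipped on purpose: a
    mature SA beside a dying one is a rekey in progress, not this bug."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] == "mature":
            key = (sa["src"], sa["dst"], sa["proto"], sa["mode"], sa["reqid"])
            groups[key].append(sa["spi"])
    return {key: spis for key, spis in groups.items() if len(spis) > 1}


def report(text):
    """Return (total SA count, duplicate groups) for one `setkey -D` dump."""
    sas = parse_setkey_dump(text)
    return len(sas), find_duplicate_sas(sas)


if __name__ == "__main__":
    # On a live host:  setkey -D | python3 check_dup_sas.py
    # With nothing piped in, the constructed sample above is analysed instead.
    dump = SAMPLE_SETKEY_D if sys.stdin.isatty() else sys.stdin.read()
    total, dups = report(dump)
    print(f"{total} SAs in the SAD, {len(dups)} selector(s) with duplicate mature SAs")
    for key, spis in sorted(dups.items()):
        print("  %s -> %s %s/%s reqid=%d: spi %s"
              % (key + (", ".join(hex(s) for s in spis),)))
```

Run it once after step 3 and again after the stop/restart in step 5; a non-empty duplicate list is the "8 instead of 4" condition the report describes, while a total of 8 with an empty list means the extra SAs are rekey leftovers rather than parallel negotiations.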

Comment 1 George C. Wilson 2007-04-02 20:26:32 UTC
Joy has already submitted a patch to ipsec-tools. Will attach patch to this bug.

Comment 2 Joy Latten 2007-04-02 20:56:34 UTC
Created attachment 151475 [details]
Patch to allow racoon to ignore extra ACQUIRES from kernel.

This patch was sent to the ipsec-tools list but I have not yet had any response
from the list.

Comment 3 Joy Latten 2007-04-02 20:57:32 UTC
Also, the above patch was built against the ipsec-tools CVS tree.

Comment 5 George C. Wilson 2007-04-09 20:16:29 UTC
sgrubb: Got OK to build.

Comment 6 George C. Wilson 2007-04-10 15:35:17 UTC
Joy, this needs to be backported to RHEL5.

Comment 7 Steve Grubb 2007-04-10 20:39:35 UTC
ipsec-tools-0.6.5-6.3 was built to address this issue.

Comment 8 George C. Wilson 2007-04-11 23:47:38 UTC
Joy, can you verify that this is fixed in a build? Thanks.

Comment 9 Joy Latten 2007-04-12 21:26:34 UTC
I just tested this and it appears to be working well. Did not see any duplicate
SAs. 
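
The check the report asks for ("Racoon should ignore additional ACQUIREs for ongoing SA negotiations"), as an added illustrative model in Python. This is not racoon's code and not the attached patch, which this page does not reproduce. The model simplifies: one ACQUIRE per (selector, protocol) template, each completed phase 2 installing one SA per direction; the class names, the addresses and the 30 s negotiation timeout are assumptions made for the example. The timeout is the caveat a practitioner would want: if a negotiation can get stuck without being forgotten, the dedup check would silently ignore the one ACQUIRE that could still bring the SAs up.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AcquireKey:
    """Selector carried by a kernel ACQUIRE for one IPsec template,
    reduced to what is needed to tell negotiations apart (assumed shape)."""
    src: str
    dst: str
    proto: str  # "esp" or "ah"
    reqid: int


class IkeDaemonModel:
    """Toy IKE daemon: receives ACQUIREs, runs phase-2 negotiations and
    installs SAs into a list standing in for the kernel SAD.

    ignore_duplicate_acquires=False reproduces the reported behaviour (every
    ACQUIRE starts a negotiation, so a second ACQUIRE for the same selector
    yields a second SA pair).  True drops an ACQUIRE whose selector already
    has a negotiation in flight.
    """

    def __init__(self, ignore_duplicate_acquires, negotiation_timeout=30.0,
                 clock=time.monotonic):
        self.ignore_duplicate_acquires = ignore_duplicate_acquires
        self.negotiation_timeout = negotiation_timeout
        self.clock = clock
        self.in_flight = []  # (AcquireKey, start time) per running phase 2
        self.sad = []        # (src, dst, proto, spi) per installed SA
        self._next_spi = 0x1000

    def _expire_stuck(self, now):
        # A phase 2 that never finished (silent peer, lost packets) must not
        # keep its selector un-negotiable forever.
        self.in_flight = [(k, t) for k, t in self.in_flight
                          if now - t < self.negotiation_timeout]

    def on_acquire(self, key):
        """Handle one kernel ACQUIRE.  True: negotiation started.
        False: ignored because one is already running for this selector."""
        now = self.clock()
        self._expire_stuck(now)
        if self.ignore_duplicate_acquires and any(k == key for k, _ in self.in_flight):
            return False
        self.in_flight.append((key, now))
        return True

    def on_negotiation_failed(self, key):
        """Phase 2 failed: forget it at once so a fresh ACQUIRE is honoured."""
        self.in_flight = [(k, t) for k, t in self.in_flight if k != key]

    def complete_negotiations(self):
        """Every in-flight phase 2 succeeds and installs one SA per direction."""
        for key, _ in self.in_flight:
            for s, d in ((key.src, key.dst), (key.dst, key.src)):
                self.sad.append((s, d, key.proto, self._next_spi))
                self._next_spi += 1
        self.in_flight.clear()


class FakeClock:
    """Deterministic clock so the scenario does not depend on wall time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_ping_scenario(ignore_duplicate_acquires):
    """Replay the report: AH+ESP policy, one ping, kernel ACQUIREs twice.
    Returns the number of SAs installed: 4 expected, 8 when duplicated."""
    clock = FakeClock()
    daemon = IkeDaemonModel(ignore_duplicate_acquires, clock=clock.now)
    templates = [AcquireKey("10.0.0.1", "10.0.0.2", "esp", 0),
                 AcquireKey("10.0.0.1", "10.0.0.2", "ah", 0)]
    for key in templates:  # first packet: one ACQUIRE per template
        daemon.on_acquire(key)
    clock.advance(1.0)
    for key in templates:  # next packet hits still-larval SAs: ACQUIRE again
        daemon.on_acquire(key)
    daemon.complete_negotiations()
    return len(daemon.sad)


if __name__ == "__main__":
    print("without the check:", run_ping_scenario(False), "SAs")  # 8
    print("with the check:   ", run_ping_scenario(True), "SAs")   # 4
```

Keying the in-flight table on the full selector (including protocol and reqid) matters: keying on endpoints alone would make the AH ACQUIRE look like a duplicate of the ESP one and leave one protocol without an SA.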

Comment 10 Issue Tracker 2007-06-27 17:31:00 UTC
Hello,
Closing issue per last update.
Thank You
Joe Kachuck

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.1'

This event sent from IssueTracker by jkachuck, issue 117513