Bug 273261

Summary: using ipsec-tools for remote-access client connection to Cisco ASA
Product: [Fedora] Fedora Reporter: Gabriel Somlo <somlo>
Component: ipsec-toolsAssignee: Karl Wirth <kwirth>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 9   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-11-07 02:58:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
contents of file described in 'additional info' section of original report
none
fixed roadwarrior phase1 script
none
offer list of split networks in CIDR notation to phase1 scripts none

Description Gabriel Somlo 2007-08-31 20:53:12 UTC 
Description of problem:
Several bugs in latest ipsec-tools-0.7 prevent successful use as
a remote-access (road-warrior) client to a Cisco ASA 5500 vpn concentrator.

Attached are three patches which were also submitted to the upstream mailing
list which fix this problem.

Also attached are some packaging improvements: a phase1 mode config script,
an init script for the racoon daemon, and patches for the spec file to
incorporate the above mentioned patches and scripts.

Version-Release number of selected component (if applicable):
0.7

How reproducible:

Attempt to connect to a Cisco ASA in remote-access client mode with racoon.

Steps to Reproduce:
1. Configure racoon to connect to a Cisco ASA as suggested in the enclosed
racoon.conf example.
2. Start racoon daemon
3. run 'racoonctl vc <IP-of-Cisco-ASA>
  
Actual results:

vpn session fails to be established

Expected results:

successfully establish a vpn session

Additional info:

uploading tarball with the following content:

ipsec-tools.spec.diff                   changes to spec file
racoon.conf.diff                        changes to included config.file
ipsec-tools-0.7-cvs-dupmode.patch       patch to handle dupe mode config packets
ipsec-tools-0.7-cvs-dupsplit.patch      patch to handle dupe split networks
ipsec-tools-0.7-cvs-iface.patch         patch to set SO_REUSEADDR on sockets
p1_up_down                              phase1 mode config script
racoon.init                             init script for racoon daemon
Comment 1 Gabriel Somlo 2007-08-31 20:53:12 UTC 
Created attachment 184001 [details]
contents of file described in 'additional info' section of original report
Comment 2 Steve Conklin 2007-09-20 16:57:36 UTC 
Everything except the dupmode patch has been put into rawhide. The dupmode patch
wasn't accepted by upstream, but the others were.
Comment 3 Steve Conklin 2007-09-24 17:27:30 UTC 
This bz is now just for the dupmode patch, the others have been added. I'm going
to set this as needinfo from the reporter, and when upstream has resolved the
patch, please set it back to me.

Thanks.
Comment 4 Gabriel Somlo 2007-10-19 18:53:24 UTC 
Turns out the dupmode patch is unnecessary. We can work around that problem
by simply having the phase1_up script check for a previous execution (i.e.,
whether the private VPN address has already been configured on the default
network interface).

I'm uploading a new version of the p1_up_down script which contains this check.

The ipsec-tools maintainers also took issue with the ipcalc-based conversion of
dotted-quad netmask into CIDR notation, and a patch (also uploaded) was applied
to CVS which supplies the phase1 script with a list of split networks directly
in CIDR notation.
Comment 5 Gabriel Somlo 2007-10-19 18:56:16 UTC 
Created attachment 232941 [details]
fixed roadwarrior phase1 script

new script now checks for an already completed previous phase1_up execution
also eliminated conversion from dotted quad netmask to cidr notation as
that functionality is being directly offered by racoon
Comment 6 Gabriel Somlo 2007-10-19 18:57:39 UTC 
Created attachment 232951 [details]
offer list of split networks in CIDR notation to phase1 scripts

this is already in CVS, and is also required by fixed phase1 p1_up_down script
Comment 7 Steve Conklin 2008-02-28 16:18:33 UTC 
I'm sorry, I meant to get this change in with otehr recent patches. It's in
rawhide now, as after that's tested a bit I'll put it in F-8 also.
Comment 8 Fedora Update System 2008-03-24 14:22:58 UTC 
ipsec-tools-0.7-8.fc8 has been submitted as an update for Fedora 8
Comment 9 Fedora Update System 2008-03-26 17:09:46 UTC 
ipsec-tools-0.7-8.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update ipsec-tools'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-2661
Comment 11 Bug Zapper 2008-05-14 03:10:19 UTC 
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 12 Fedora Update System 2008-10-18 12:07:20 UTC 
ipsec-tools-0.7.1-5.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/ipsec-tools-0.7.1-5.fc8
Comment 13 Fedora Update System 2008-11-07 02:58:12 UTC 
ipsec-tools-0.7.1-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.