Bug 444575

Summary: openswan doesn't delete expired SA's
Product: Red Hat Enterprise Linux 5
Component: openswan
Version: 5.2
Status: CLOSED ERRATA
Severity: medium
Priority: urgent
Reporter: IBM Bug Proxy <bugproxy>
Assignee: Avesh Agarwal <avagarwa>
CC: cward, ebenes, herbert.xu, lwang, pwouters, tgraf, tis
Target Milestone: rc
Keywords: OtherQA, ZStream
Hardware: other
OS: All
Doc Type: Bug Fix
Last Closed: 2009-09-02 11:18:48 UTC
Bug Blocks: 253764, 450334
Attachments: Fix rekeying on initiator (flags: none)

Description IBM Bug Proxy 2008-04-29 10:32:19 UTC
=Comment: #0=================================================
TYLER C. HICKS <tchicks.com> - 2008-04-28 14:41 EDT
---Problem Description---
Expired SA's are not deleted from the SAD.
 
Contact Information = Tyler Hicks <tyhicks.ibm.com>
 
---uname output---
Linux eal5.ltc.austin.ibm.com 2.6.18-90.el5 #1 SMP Tue Apr 15 18:05:09 EDT 2008 i686 i686 i386 GNU/Linux
Linux tim-hv4.ltc.austin.ibm.com 2.6.18-90.el5 #1 SMP Tue Apr 15 18:06:56 EDT 2008 ppc64 ppc64 ppc64 GNU/Linux
 
Machine Type = eal5: xSeries 335
tim-hv4: eServer OpenPower 720
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---
ipsec.conf:
------------------------------------------
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="all"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes

conn openswan_i386-openswan_ppc
        left=fc00:0:0:105::22
        right=fc00:0:0:105::23
        ikev2=insist
        authby=secret
        salifetime=30m
        auto=add
------------------------------------------

$> ipsec auto --up openswan_i386-openswan_ppc

I brought up the connection and ran a 4 hour long stress test with the same
ipsec.conf on both machines and had 12 SA's at the end of the test.
 
---Security Component Data---
Userspace tool common name: openswan

The userspace tool has the following bit modes: 32

Userspace rpm: openswan-2.6.12

Comment 1 IBM Bug Proxy 2008-04-30 21:17:19 UTC
------- Comment From tchicks.com 2008-04-30 17:13 EDT-------
Red Hat - Can we get confirmation that a fix for this bug is targeted for the
zstream release?  Thanks!

Comment 2 Herbert Xu 2008-06-01 06:49:15 UTC
Created attachment 307301 [details]
Fix rekeying on initiator

I wasn't able to reproduce this problem.  However, I found that the initiator
wouldn't rekey at all due to a typo.  This is fixed by this patch.

If you're still seeing this behaviour please attach the output of ipsec auto --status and ip -s x s.  Thanks!
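
A check that would surface the symptom Tyler reported (SAs piling up past their 30 minute salifetime) by parsing the ip -s x s output Herbert asked for, added here as an example and not taken from the bug report or from openswan; the xfrm state text is constructed to mimic ip(8) layout, and the 1800 second hard lifetime matches salifetime=30m:

```python
# Added example (not from the bug report or openswan): parse `ip -s xfrm state`
# output and flag SAs that outlived their hard "expire add" limit, which is the
# symptom above (expired SAs left in the SAD). SAMPLE is constructed, not captured.
import re
from datetime import datetime

SAMPLE = """\
src fc00:0:0:105::22 dst fc00:0:0:105::23
    proto esp spi 0x0000a001 reqid 16385 mode tunnel
    lifetime config:
      expire add: soft 1620(sec), hard 1800(sec)
    lifetime current:
      add 2008-04-28 10:00:00 use -
src fc00:0:0:105::23 dst fc00:0:0:105::22
    proto esp spi 0x0000a002 reqid 16385 mode tunnel
    lifetime config:
      expire add: soft 1620(sec), hard 1800(sec)
    lifetime current:
      add 2008-04-28 13:40:00 use -
"""
TS = "%Y-%m-%d %H:%M:%S"

def parse_xfrm_state(text):
    """One dict per SA: src, dst, spi, hard (sec) and added (datetime)."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:  # a new SA block starts at column 0
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if m := re.search(r"\bspi (0x[0-9a-f]+)", line):
            cur["spi"] = m.group(1)
        elif m := re.search(r"expire add: soft \S+, hard (\d+)\(sec\)", line):
            cur["hard"] = int(m.group(1))
        elif m := re.search(r"\badd (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", line):
            cur["added"] = datetime.strptime(m.group(1), TS)
    return sas

def stale_sas(text, now_str=None):
    """SPIs of SAs older than their hard lifetime: the kernel should have
    deleted them, so any hit means expiry/rekey is not working."""
    now = datetime.now() if now_str is None else datetime.strptime(now_str, TS)
    return [sa["spi"] for sa in parse_xfrm_state(text)
            if "added" in sa and (now - sa["added"]).total_seconds() > sa["hard"]]

if __name__ == "__main__":
    print(stale_sas(SAMPLE, "2008-04-28 14:00:00"))  # ['0x0000a001']
```

On a live host, feed it the real output (for example subprocess.check_output(["ip", "-s", "xfrm", "state"], text=True)) with now_str left as None.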

Comment 3 Paul Wouters 2008-06-01 15:20:27 UTC
I'll have a look at it.

Also, please use openswan 2.6.14rc6 for testing anything with netkey policies,
as some changes were made there to address certain policy related matters.

Comment 4 Linda Wang 2008-06-06 17:36:06 UTC
Patch is committed:

commit 2b720e1d781aed18733db29bad978756ec46e0f3
Author: Paul Wouters <paul>
Date:   Mon Jun 2 14:57:47 2008 -0400
Fix for ikev2 rekey [herbert] - moves .timeout_event = EVENT_SA_REPLACE to
different state.

Comment 6 IBM Bug Proxy 2008-06-19 15:32:58 UTC
------- Comment From tchicks.com 2008-06-19 11:32 EDT-------
I tested rekeying in openswan-2.6.14-1.el5_2.1, between ppc and i386.  Expired
SA's were properly removed from the SAD, so it is working like it should!

Moving to CLOSED on IBM's side.

Comment 9 Chris Ward 2009-06-14 23:15:14 UTC
~~ Attention Partners RHEL 5.4 Partner Alpha Released! ~~

RHEL 5.4 Partner Alpha has been released on partners.redhat.com. There should
be a fix present that addresses this particular request. Please test and report back your results here, at your earliest convenience. Our Public Beta release is just around the corner!

If you encounter any issues, please set the bug back to the ASSIGNED state and
describe the issues you encountered. If you have verified the request functions as expected, please set your Partner ID in the Partner field above to indicate successful test results. Do not flip the bug status to VERIFIED. Further questions can be directed to your Red Hat Partner Manager. Thanks!

Comment 10 Chris Ward 2009-06-14 23:18:12 UTC
Partners, 

This particular request is of a notably high priority. In order to make the most of this Alpha release, please report back initial test results before the scheduled Beta drop. That way if you encounter any issues, we can work to get additional corrections in before we launch our Public Beta release. Speak with your Partner Manager for additional dates and information. Thank you for your cooperation in this effort.

Comment 11 Chris Ward 2009-07-03 15:36:25 UTC
IBM, could I have you please re-test with the Beta bits? In Beta, there have been additional updates to openswan which enable NSS support. Our QE teams would really appreciate that you confirm that no additional regressions have been introduced by this change. Thanks.

Comment 12 Chris Ward 2009-07-03 18:02:34 UTC
~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.

Comment 13 IBM Bug Proxy 2009-07-09 22:01:19 UTC
------- Comment From tyhicks.ibm.com 2009-07-09 17:52 EDT-------
Sorry for the lag - this bug is closed on the IBM side and I wasn't giving it any attention.   Unfortunately, it isn't very likely that I'll have the bandwidth to recreate the environment and verify this for 5.4.

Comment 14 Chris Ward 2009-07-10 19:04:42 UTC
~~ Attention Partners - RHEL 5.4 Snapshot 1 Released! ~~

RHEL 5.4 Snapshot 1 has been released on partners.redhat.com. If you have already reported your test results, you can safely ignore this request. Otherwise, please notice that there should be a fix available now that addresses this particular request. Please test and report back your results here, at your earliest convenience. The RHEL 5.4 exception freeze is quickly approaching.

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Do not flip the bug status to VERIFIED. Instead, please set your Partner ID in the Verified field above if you have successfully verified the resolution of this issue. 

Further questions can be directed to your Red Hat Partner Manager or other appropriate customer representative.

Comment 17 errata-xmlrpc 2009-09-02 11:18:48 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html