Bug 444743

Summary: ipsec auto --replace brings down the tunnel
Product: Red Hat Enterprise Linux 5
Reporter: Jakub Hrozek <jhrozek>
Component: openswan
Assignee: Steve Grubb <sgrubb>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: 5.2
CC: mkoci, pwouters, tis
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-09-19 14:29:21 UTC

Description Jakub Hrozek 2008-04-30 13:42:28 UTC
Description of problem:
If I configure an IPSec tunnel and later use "ipsec auto --replace", the 
tunnel remains down, i.e. I cannot ping the gateways anymore. ipsec 
auto --status still lists the connection and I have to restart the ipsec 
service to bring it back up (ipsec auto --add $conn; ipsec auto --up $conn 
does not work).

Version-Release number of selected component (if applicable):
openswan-2.6.12-2.el5

How reproducible:
always

Steps to Reproduce:
1. configure an ipsec tunnel
2. ipsec auto --replace
3. ping the second gateway - not reachable
  
Additional info:
I can see a warning that replacing a policy is not supported with netkey:
---
000 "west-east" #3: request to replace with shunt a prospective erouted policy 
with netkey kernel --- not yet implemented
000 "west-east": request to delete a unrouted policy with netkey kernel --- 
not yet implemented
---
But if replacing/deleting isn't implemented, the tunnel should remain up.

Comment 1 RHEL Program Management 2008-06-04 16:33:55 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 2 Tuomo Soini 2008-06-05 07:37:00 UTC
Warning is wrong, ignore it.

ipsec auto --replace will always take the tunnel down. --replace is a synonym for

ipsec auto --delete conn
ipsec auto --add conn

If you want the tunnel back up you should use:

ipsec auto --replace conn && ipsec auto --up conn

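As an added example (not part of the bug report, and not openswan's own code), the following POSIX shell helper wraps the sequence Comment 2 recommends: run `ipsec auto --replace`, then `ipsec auto --up`, and then confirm from `ipsec auto --status` that the connection really came back rather than assuming it did. The only openswan commands it relies on are the `ipsec auto --replace`, `--up` and `--status` subcommands named on this page; the assumption that an established tunnel shows the text "IPsec SA established" on its status line, and the sample status lines, are constructed for this example in the shape of openswan status output.

```shell
#!/bin/sh
# Added example: re-add an openswan connection and verify it is back up.
# Assumption: the "ipsec" binary supports "auto --replace/--up/--status"
# (as used in this bug report). IPSEC can be overridden for testing.
IPSEC="${IPSEC:-ipsec}"

# tunnel_established CONN STATUS_TEXT
# Returns 0 if STATUS_TEXT (output of "ipsec auto --status") contains a
# line for CONN carrying an established IPsec SA, 1 otherwise.
# Assumption: the established state is reported as "IPsec SA established".
tunnel_established() {
    conn="$1"
    status="$2"
    printf '%s\n' "$status" | grep -F "\"$conn\"" | grep -q 'IPsec SA established'
}

# replace_and_up CONN
# --replace is delete + add and always leaves the tunnel down, so bring it
# back up explicitly and then check --status instead of trusting exit codes.
replace_and_up() {
    conn="$1"
    "$IPSEC" auto --replace "$conn" || return 1
    "$IPSEC" auto --up "$conn" || return 1
    status="$("$IPSEC" auto --status)" || return 1
    if tunnel_established "$conn" "$status"; then
        echo "tunnel $conn re-established"
        return 0
    fi
    echo "tunnel $conn is still down after --replace/--up" >&2
    return 2
}

# Constructed sample status output (not captured from a real system),
# modelled on the "000 ..." lines openswan prints for a connection.
SAMPLE_STATUS_UP='000 "west-east": 192.0.2.1...192.0.2.2; erouted; eroute owner: #2
000 #2: "west-east":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPSEC; eroute owner; isakmp#1; idle
000 #1: "west-east":500 STATE_MAIN_I4 (ISAKMP SA established); newest ISAKMP; idle'
SAMPLE_STATUS_DOWN='000 "west-east": 192.0.2.1...192.0.2.2; unrouted; eroute owner: #0'

# Usage: ./replace_and_up.sh CONN
if [ "$#" -gt 0 ]; then
    replace_and_up "$1"
fi
```

The status check is deliberately kept in its own function that takes the status text as an argument, so it can be exercised against saved output without a running pluto; note that on openswan 2.5.x and later Comment 3 points out `--add` behaves the same as `--replace`, so the same follow-up `--up` applies there too.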

Comment 3 Paul Wouters 2008-06-05 17:11:43 UTC
Replacing/deleting has two parts. The kernel policies (phase 2 / ipsec SA) and
the userland policies (phase 1 / ISAKMP). The scripts do both, but the warnings
you see are about the kernel component.

Furthermore, openswan-2.6.14 (and its "rc" pre-releases) do have those
operations implemented for netkey, and they now give 'warnings' about being
experimental. (this is all code in programs/pluto/kernel_netlink.c, related to
the kernel_ops functions)

Also, in openswan-2.5.x and up, the "--add" operation is equivalent to
"--replace", as it always does a "--delete" plus "--add".

Comment 5 Steve Grubb 2008-09-19 14:06:16 UTC
Does this problem still exist in 2.6.14 and current kernel?

Comment 6 Tuomo Soini 2008-09-19 14:14:30 UTC
See previous comments. This is expected behaviour.

Comment 7 Steve Grubb 2008-09-19 14:29:21 UTC
ok, closing as not a bug. Thanks for the info.