Bug 470575

Summary: ipsec-tools 0.7.1 does not establish SA
Product: [Fedora] Fedora
Reporter: Alexandre Thieme Reis <thieme.reis>
Component: ipsec-tools
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: medium
Version: 9
CC: bojan, herrold, mal, tmraz
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-12 02:52:43 UTC
Attachments (description; flags):
My configuration files. Prefixed with gw: gateway configuration; prefixed with client: client configuration (flags: none)
client-racoon.log (tail -f /var/log/syslog), client-racoon-debug.log (racoon -d -F), gw-racoon.log (tail -f /var/log/messages), gw-racoon-debug.log (racoon -d -F) (flags: none)
client-racoon.log (tail -f /var/log/syslog), client-racoon-debug.log (racoon -d -F), gw-racoon.log (tail -f /var/log/messages), gw-racoon-debug.log (racoon -d -F) (flags: none)

Description Alexandre Thieme Reis 2008-11-07 18:59:54 UTC
Created attachment 322883 [details]
My configuration files. Prefixed with gw: gateway configuration; prefixed with client: client configuration

Description: ipsec-tools 0.7.1 no longer establishes SAs. I have a gateway with an interface connected to a wireless router. My wireless laptop (with Kubuntu 8.10 and ipsec-tools 0.7) is connected to the gateway through an IPsec tunnel. After upgrading to ipsec 0.7.1, no connection is made. I downgraded to ipsec-tools 0.7 and it works fine.


Version-Release number of selected component (if applicable): 0.7.1


How reproducible: always


Steps to Reproduce:
1. upgrade to ipsec-tools 0.7.1
2. start setkey
3. start racoon
  
Actual results: no tunnel established


Expected results: tunnel established

Additional info: Output (/var/log/messages) on the gateway:

Nov  7 16:20:00 tango racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)                                 
Nov  7 16:20:00 tango racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)             
Nov  7 16:20:00 tango racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"                                     
Nov  7 16:20:00 tango racoon: INFO: Resize address pool from 0 to 255                                                        
Nov  7 16:20:00 tango racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)                                               
Nov  7 16:20:00 tango racoon: INFO: 127.0.0.1[500] used for NAT-T                                                            
Nov  7 16:20:00 tango racoon: INFO: 192.168.1.254[500] used as isakmp port (fd=17)                                           
Nov  7 16:20:00 tango racoon: INFO: 192.168.1.254[500] used for NAT-T                                                        
Nov  7 16:20:00 tango racoon: INFO: 192.168.2.254[500] used as isakmp port (fd=18)                                           
Nov  7 16:20:00 tango racoon: INFO: 192.168.2.254[500] used for NAT-T                                                        
Nov  7 16:20:00 tango racoon: INFO: 10.1.1.254[500] used as isakmp port (fd=19)                                              
Nov  7 16:20:00 tango racoon: INFO: 10.1.1.254[500] used for NAT-T                                                           
Nov  7 16:20:00 tango racoon: INFO: ::1[500] used as isakmp port (fd=20)
Nov  7 16:20:00 tango racoon: INFO: fe80::2e0:7dff:fe89:544a%eth3[500] used as isakmp port (fd=21)
Nov  7 16:20:00 tango racoon: INFO: fe80::208:54ff:feb0:a674%eth0[500] used as isakmp port (fd=22)
Nov  7 16:25:00 tango racoon: ERROR: libipsec failed pfkey check (Invalid SA type)
Nov  7 16:25:00 tango racoon: ERROR: libipsec failed pfkey check (Invalid SA type)
Nov  7 16:25:00 tango racoon: INFO: unsupported PF_KEY message REGISTER


On the client side everything is OK (/var/log/syslog):

Nov  7 16:25:58 valsa racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Nov  7 16:25:58 valsa racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
Nov  7 16:25:58 valsa racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov  7 16:25:58 valsa racoon: INFO: Resize address pool from 0 to 255
Nov  7 16:25:58 valsa racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Nov  7 16:25:58 valsa racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov  7 16:25:58 valsa racoon: INFO: 192.168.2.100[500] used as isakmp port (fd=13)
Nov  7 16:25:58 valsa racoon: INFO: 192.168.2.100[500] used for NAT-T
Nov  7 16:25:58 valsa racoon: INFO: ::1[500] used as isakmp port (fd=23)
Nov  7 16:25:58 valsa racoon: INFO: fe80::20d:f0ff:fe17:1ced%wlan0[500] used as isakmp port (fd=24)
Nov  7 16:26:03 valsa racoon: INFO: IPsec-SA request for 192.168.2.254 queued due to no phase1 found.
Nov  7 16:26:03 valsa racoon: INFO: initiate new phase 1 negotiation: 192.168.2.100[500]<=>192.168.2.254[500]
Nov  7 16:26:03 valsa racoon: INFO: begin Identity Protection mode.
Nov  7 16:26:03 valsa racoon: INFO: received Vendor ID: DPD
Nov  7 16:26:03 valsa racoon: INFO: ISAKMP-SA established 192.168.2.100[500]-192.168.2.254[500] spi:176a0c583d87bbc5:9a4ee8736fd28ee7
Nov  7 16:26:04 valsa racoon: INFO: initiate new phase 2 negotiation: 192.168.2.100[500]<=>192.168.2.254[500]
Nov  7 16:26:04 valsa racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.2.254[0]->192.168.2.100[0] spi=260814603(0xf8bb70b)
Nov  7 16:26:04 valsa racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.2.100[500]->192.168.2.254[500] spi=25536301(0x185a72d)

PS: Excuse my poor English!!!

Comment 1 Tomas Mraz 2008-11-07 20:06:45 UTC
Is the client side, as of the second log, running version 0.7.1 or 0.7?

Can you please try to run the gateway with log level debug2 and attach or paste the output?

Comment 2 Alexandre Thieme Reis 2008-11-07 20:22:48 UTC
The client side runs ipsec-tools version 0.7.

Comment 3 Alexandre Thieme Reis 2008-11-07 21:36:56 UTC
Created attachment 322901 [details]
client-racoon.log (tail -f /var/log/syslog), client-racoon-debug.log (racoon -d -F), gw-racoon.log (tail -f /var/log/messages), gw-racoon-debug.log (racoon -d -F)

Comment 4 Alexandre Thieme Reis 2008-11-07 21:54:35 UTC
Created attachment 322904 [details]
client-racoon.log (tail -f /var/log/syslog), client-racoon-debug.log (racoon -d -F), gw-racoon.log (tail -f /var/log/messages), gw-racoon-debug.log (racoon -d -F)

Comment 5 Alexandre Thieme Reis 2008-11-07 21:55:26 UTC
The racoon.log is racoon.tgz, excuse me!

Comment 6 Alexandre Thieme Reis 2008-11-08 00:32:53 UTC
If the client is ipsec-tools version 0.7.1, it also does not work!

Comment 7 Alexandre Thieme Reis 2008-11-08 01:05:48 UTC
I downloaded ipsec-tools version 0.7.1 from SourceForge, recompiled without patch, and racoon works fine!!!

Comment 8 Bojan Smojver 2008-11-08 05:16:07 UTC
Ditto here folks. An IPSec tunnel that worked with old ipsec-tools doesn't come up any more:
------------------------------------
Nov  8 15:29:57 beauty racoon: INFO: initiate new phase 2 negotiation: <to_IP>[500]<=><from_IP>[500]
Nov  8 15:29:57 beauty racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Nov  8 15:29:57 beauty racoon: WARNING: attribute has been modified.
Nov  8 15:29:57 beauty racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Nov  8 15:29:57 beauty racoon: ERROR: pfkey add failed.
Nov  8 15:29:57 beauty racoon: ERROR: failed to process packet.
Nov  8 15:29:57 beauty racoon: ERROR: phase2 negotiation failed.
Nov  8 15:30:26 beauty racoon: INFO: initiate new phase 2 negotiation: <to_IP>[500]<=><from_IP>[500]
Nov  8 15:30:26 beauty racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Nov  8 15:30:26 beauty racoon: WARNING: attribute has been modified.
Nov  8 15:30:26 beauty racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Nov  8 15:30:26 beauty racoon: ERROR: pfkey add failed.
Nov  8 15:30:26 beauty racoon: ERROR: failed to process packet.
Nov  8 15:30:26 beauty racoon: ERROR: phase2 negotiation failed.
------------------------------------

Reverting back to the old version of ipsec-tools RPM immediately fixes the problem.

Comment 9 Bojan Smojver 2008-11-08 06:39:56 UTC
Regarding comment #8, I'm connecting to a PIX there.

Comment 10 Tomas Mraz 2008-11-10 10:39:23 UTC
*** Bug 470738 has been marked as a duplicate of this bug. ***

Comment 11 Fedora Update System 2008-11-10 12:52:27 UTC
ipsec-tools-0.7.1-6.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ipsec-tools-0.7.1-6.fc9

Comment 12 Need Real Name 2008-11-10 15:43:24 UTC
The ipsec-tools-0.7.1-6.fc9.x86_64.rpm works for me.

Comment 13 Bojan Smojver 2008-11-10 20:16:11 UTC
ipsec-tools-0.7.1-6.fc9.i386 works here. Thank you.

Comment 14 Bojan Smojver 2008-11-10 21:09:08 UTC
Just gave it +1 karma in bodhi.

Comment 15 Fedora Update System 2008-11-12 02:52:39 UTC
ipsec-tools-0.7.1-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Alexandre Thieme Reis 2008-11-12 12:35:42 UTC
Thank you, ipsec-tools now works fine!!!