Bug 1022560 - openswan creates several tunnels after connection is blocked and then unblocked by iptables
Status: NEW
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan
Version: 6.5
Assigned To: Paul Wouters
BaseOS QE Security Team
Reported: 2013-10-23 10:14 EDT by Aleš Mareček
Modified: 2017-09-14 07:37 EDT (History)
Description Aleš Mareček 2013-10-23 10:14:23 EDT
Description of problem:
When I use iptables to block UDP 500 on one side and then allow the port again, I get 2 tunnels up:

000 #2: "testcon":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27789s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "testcon":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2348s; newest ISAKMP; lastdpd=4s(seq in:17596 out:17595); idle; import:admin initiate

- SNIP (iptables DROP) -
000 #3: "testcon":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 5s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "testcon":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 5s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate

000 #4: "testcon":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 5s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #5: "testcon":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 5s; nodpd; idle; import:admin initiate
000 #3: "testcon":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "testcon":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 5s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate

- SNIP (iptables: UDP 500 allowed again) -
000 #11: "testcon":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27402s; newest IPSEC; eroute owner; isakmp#5; idle; import:admin initiate
000 #5: "testcon":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2211s; newest ISAKMP; lastdpd=2s(seq in:0 out:0); idle; import:admin initiate
000 #10: "testcon":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28083s; isakmp#9; idle; import:not set
000 #9: "testcon":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2882s; lastdpd=2s(seq in:7619 out:0); idle; import:not set


i:ppc64|m:ppc64 root@ibm-js22-vios-03-lp1 [~]# service ipsec status
IPsec running  - pluto pid: 24887
pluto pid 24887
2 tunnels up
some eroutes exist


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Start a tunnel
2. A> while true; do ipsec auto --status | grep STATE; sleep 10; done
3. B> iptables -A INPUT -j DROP -p udp --dport 500; sleep 200; iptables -F INPUT
4. after "STATE_MAIN_I4" on A, ctrl+c, service ipsec status

Actual results:
IPsec running  - pluto pid: <PID number>
pluto pid <PID number>
2 tunnels up
some eroutes exist

Expected results:
IPsec running  - pluto pid: <PID number>
pluto pid <PID number>
1 tunnels up
some eroutes exist


Additional info:
$ cat /etc/ipsec.conf; echo; cat /etc/ipsec.secrets
version 2.0

config setup
        crlcheckinterval="180"
        strictcrlpolicy=no
        protostack=netkey
        interfaces=%defaultroute
        plutodebug=all

conn   testcon
        connaddrfamily=ipv4
        authby=secret
        ike=aes-sha1
        esp=aes-sha1
        left=<IP address #1>
        leftid=<IP address #1>
        right=<IP address #2>
        rightid=<IP address #2>
        dpdaction=restart
        dpddelay=7
        dpdtimeout=30
        auto=add


<IP address #1> <IP address #2> : PSK "secret"
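
A small checker for the symptom described above, added here as an example and not part of the bug report or of openswan: it parses `ipsec auto --status` state lines of the form quoted in the report and flags any connection that ends up with more than one established IPsec SA, which is what "2 tunnels up" for a single conn means. The sample status text is constructed from the lines in the report; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the healthy state before the UDP/500 block (one ISAKMP SA,
# one IPsec SA for "testcon"), taken from the status lines quoted in the report.
HEALTHY = """\
000 #2: "testcon":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27789s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "testcon":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2348s; newest ISAKMP; lastdpd=4s(seq in:17596 out:17595); idle; import:admin initiate
"""

# Constructed sample: the state after the port is allowed again, where both peers
# initiated and "testcon" now carries two ISAKMP SAs and two IPsec SAs.
AFTER_UNBLOCK = """\
000 #11: "testcon":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27402s; newest IPSEC; eroute owner; isakmp#5; idle; import:admin initiate
000 #5: "testcon":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2211s; newest ISAKMP; lastdpd=2s(seq in:0 out:0); idle; import:admin initiate
000 #10: "testcon":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28083s; isakmp#9; idle; import:not set
000 #9: "testcon":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2882s; lastdpd=2s(seq in:7619 out:0); idle; import:not set
"""

# One pluto state line: '000 #<sa>: "<conn>":<port> STATE_<name> (<detail>); ...'
STATE_LINE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<detail>[^)]*)\);'
)


def parse_states(status):
    """Yield (sa_number, connection, state_name, detail) for every state line."""
    for line in status.splitlines():
        m = STATE_LINE.match(line)
        if m:
            yield int(m.group("sa")), m.group("conn"), m.group("state"), m.group("detail")


def established_counts(status):
    """Count established ISAKMP (phase 1) and IPsec (phase 2) SAs per connection."""
    counts = defaultdict(lambda: {"isakmp": 0, "ipsec": 0})
    for _sa, conn, _state, detail in parse_states(status):
        if "IPsec SA established" in detail:
            counts[conn]["ipsec"] += 1
        elif "ISAKMP SA established" in detail:
            counts[conn]["isakmp"] += 1
    return dict(counts)


def duplicate_tunnels(status):
    """Return the connections holding more than one established IPsec SA."""
    return sorted(c for c, n in established_counts(status).items() if n["ipsec"] > 1)
```

Run against live output with `duplicate_tunnels(subprocess.check_output(["ipsec", "auto", "--status"], text=True))` and alert on a non-empty list.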
