Description of problem: The ipsec-tools 0.8.1 release contains a bug where the initiator will call out using source port 4500 to destination port 500. The responder will then respond from 500 to 4500 but the initiator will not accept the response, presumably because it is not expecting NAT-T (port 4500) packets. Simply changing the existing spec version to 0.8.2, grabbing the upstream source tarball, and rebuilding and upgrading fixes the problem immediately. Version-Release number of selected component (if applicable): ipsec-tools-0.8.1-2.fc20.i686 How reproducible: Always Steps to Reproduce: 1. Set up two Fedora 20 hosts 2. Configure racoon.conf with remote blocks on each host for isakmp, it is not necessary to define any tunnels. 3. Attempt to initiate from one host to the other using racoonctl establish-sa isakmp inet {src} {dst} To see racoon's state: racoonctl -l show-sa isakmp For more info: tcpdump -n -p -i eth0 -s0 -vv udp port 500 or udp port 4500 Actual results: As discussed in the description, the initiator will use port 4500 as the source port of packets but will ignore the responder's replies sent back to 4500. The responder will typically try multiple times. Expected results: The isakmp (phase1) negotiation should complete almost immediately. Only port 500 should be used, particularly if nat_traversal off in the racoon.conf. Additional info: So long as the initiator is upgraded (or downgraded to a version without the bug, e.g. some other distribution like MikroTik) the tunnel can at least be established. It also appears that there may be some magic where some responders will switch to initiator mode and so long as they don't have the bug the tunnel will be established (albeit more slowly than it could have been). This leads to an odd situation where Fedora <-> Fedora tunnels don't work, but tunnels to other products work just fine.
I have worked around this issue by using a 'listen' directive in the configuration file to prevent racoon from binding to port 4500. However, this is not very convenient unless you have a static IP address. I need to generate the racoon configuration file in a dhclient hook script... The bug is still present in Fedora 21.
ipsec-tools-0.8.2-1.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/ipsec-tools-0.8.2-1.fc21
ipsec-tools-0.8.2-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/ipsec-tools-0.8.2-1.fc20
ipsec-tools-0.8.2-1.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/ipsec-tools-0.8.2-1.el7
Package ipsec-tools-0.8.2-1.el7: * should fix your issue, * was pushed to the Fedora EPEL 7 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=epel-testing ipsec-tools-0.8.2-1.el7' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-6428/ipsec-tools-0.8.2-1.el7 then log in and leave karma (feedback).
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
ipsec-tools-0.8.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
ipsec-tools-0.8.2-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
ipsec-tools-0.8.2-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.