Description of problem: On my RHELv3 ES box I've been building an IPSec VPN connection to a Debian sarge box running 2.6.3-1-686. I'm using a current CVS snapshot of OpenSWAN for the IKE daemon on both boxes. OpenSWAN's IKE daemon pluto runs the setkey command to create the SAs. In the process of testing, on the RHELv3 ES side I'm getting an SA that won't delete.

setkey -F
setkey -D
67.161.218.32 66.62.77.2
	unspec mode=tunnel spi=1134680608(0x43a1da20) reqid=0(0x00000000)
	seq=0x00000000 replay=0 flags=0x00000000 state=mature
	created: Apr 27 00:33:41 2004	current: Apr 27 00:59:29 2004
	diff: 1548(s)	hard: 0(s)	soft: 0(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=3828 refcnt=0

I can only get rid of it with a reboot. Uggggh. I'm not having any such problems on the Debian side. Since both the Debian and RHELv3 are using the same exact OpenSWAN IKE daemon, the problem is either in the kernel or setkey I'd wager. I'm going to upgrade ipsec-tools on the RHEL3 box and see what happens.
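The check the reporter performs by hand (flush the SAD with setkey -F, then look at setkey -D for anything that survived) can be scripted. The following is an added example, not code from the bug report, from OpenSWAN or from ipsec-tools; the sample dump is constructed from the stuck entry shown above, and the parser assumes only the setkey(8) -D layout of a "src dst" header line followed by indented key=value lines.

```python
"""Parse `setkey -D` output and report SAD entries that survive `setkey -F`.

Added example: the sample dump is constructed from the entry quoted in the bug
report. The parser relies on the "src dst" header line and the key=value
tokens of setkey(8) -D output, so it tolerates tab/space differences.
"""
import re
import subprocess

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")  # "src dst" line opens one SA
KV_RE = re.compile(r"(\w+)=(\S+)")             # spi=..., state=..., refcnt=...

# Constructed sample: the stuck entry from the report, as setkey -D prints it.
SAMPLE_DUMP = """\
67.161.218.32 66.62.77.2
    unspec mode=tunnel spi=1134680608(0x43a1da20) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=mature
    created: Apr 27 00:33:41 2004    current: Apr 27 00:59:29 2004
    diff: 1548(s)    hard: 0(s)    soft: 0(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=0 pid=3828 refcnt=0
"""


def parse_sad(dump):
    """Return one dict per SA found in setkey -D output."""
    entries = []
    cur = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: "src dst" header that starts a new entry.
            m = HEADER_RE.match(line)
            if m:
                cur = {"src": m.group(1), "dst": m.group(2)}
                entries.append(cur)
            continue
        if cur is None:
            continue
        tokens = line.split()
        # The first indented line names the SA type (esp, ah, ipcomp, unspec).
        if "proto" not in cur and tokens and "=" not in tokens[0]:
            cur["proto"] = tokens[0]
        for key, value in KV_RE.findall(line):
            cur[key] = value
    return entries


def leftover_after_flush(dump_after_flush):
    """Every SA still listed after `setkey -F` is a leak; describe each one."""
    return [
        "%s -> %s %s spi=%s state=%s refcnt=%s"
        % (e["src"], e["dst"], e.get("proto", "?"), e.get("spi", "?"),
           e.get("state", "?"), e.get("refcnt", "?"))
        for e in parse_sad(dump_after_flush)
    ]


def run_live():
    """Flush the SAD on this host and report survivors (needs root + setkey)."""
    subprocess.run(["setkey", "-F"], check=True)
    dump = subprocess.run(["setkey", "-D"], check=True,
                          capture_output=True, text=True).stdout
    return leftover_after_flush(dump)


if __name__ == "__main__":
    for line in leftover_after_flush(SAMPLE_DUMP):
        print("stuck SA:", line)
```

Run it as root on the affected host with `python3 -c 'import sadcheck; print(sadcheck.run_live())'` (module name assumed); an empty list means the flush worked, and any line printed is an SA the kernel refused to delete.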
Leaving the entry there is not an option as it interferes and doesn't allow for another SA to be established. I have confirmed that the "stuck SA" only occurs when I configure my tunnel to use compression. I upgraded my ipsec-tools without any change. Looks like a kernel issue. Can you ping/reassign to Dave Miller?
I tried RHEL ES kernel 2.4.21-15.EL. Still broken.
Created attachment 102159: Fix for tunnel leaks. This should fix the tunnel leaks when compression is used.
Compiling kernel 2.4.21-15.0.3.EL with your patch applied right now. I will report back on the results.
Patch does in fact fix the inability to delete the SAD entry. Yah! I can't get compression-enabled tunnels to actually work (ping successfully as a test) when talking to a remote 2.6.7 gateway. There is no change in this regard with this patch installed, and I would consider it a different bug.
A fix for this problem has just been committed to the RHEL3 U4 patch pool this evening (in kernel version 2.4.21-20.3.EL).
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2004-550.html