Bug 121746 - IPSec SAD entry won't flush
IPSec SAD entry won't flush
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel (Show other bugs)
3.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: David Miller
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-04-27 03:44 EDT by Dax Kelson
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-12-20 15:55:03 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix for tunnel leaks (587 bytes, patch)
2004-07-22 17:30 EDT, David Miller
no flags Details | Diff

  None (edit)
Description Dax Kelson 2004-04-27 03:44:44 EDT
Description of problem:

On my RHELv3 ES box I've building an IPSec VPN connection to a Debian
sarge box running 2.6.3-1-686.

I'm using a current CVS snapshot of OpenSWAN for the IKE daemon on
both boxes.  OpenSWAN's IKE daemon pluto runs the setkey command to
create the SAs.

In the process of testing, on the RHELv3 ES side I'm getting a SA that
won't delete.

setkey -F
setkey -D
67.161.218.32 66.62.77.2
        unspec mode=tunnel spi=1134680608(0x43a1da20) reqid=0(0x00000000)
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Apr 27 00:33:41 2004   current: Apr 27 00:59:29 2004
        diff: 1548(s)   hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=3828 refcnt=0

I can only get rid of it with a reboot. Uggggh.

I'm not having any such problems on the Debian side. Since both the
Debian and RHELv3 are using the same exact OpenSWAN IKE daemon, the
problem is either in the kernel or setkey I'd wager.

I'm going to upgrade ipsec-tools on the RHEL3 box and see what happens.
Comment 1 Dax Kelson 2004-04-27 04:04:35 EDT
Leaving the entry there is not an option as it interferes and doesn't
allow for another SA to be established.

I have confirmed that the "stuck SA" only occurs when I I configure my
tunnel to use compression.

I upgraded my ipsec-tools without any change. Looks like a kernel
issue. Can you ping/reassign to Dave Miller?
Comment 2 Dax Kelson 2004-05-12 20:21:20 EDT
I tried RHEL ES kernel 2.4.21-15.EL. Still broken.
Comment 3 David Miller 2004-07-22 17:30:28 EDT
Created attachment 102159 [details]
Fix for tunnel leaks

This should fix the tunnel leaks when compression
is used.
Comment 4 Dax Kelson 2004-07-22 17:44:26 EDT
Compling kernel 2.4.21-15.0.3.EL with your patch applied right now. I
will report back on the results.
Comment 5 Dax Kelson 2004-07-27 00:32:19 EDT
Patch does in fact fix the inability to delete SAD entry. Yah!

I can't get compression enabled tunnels to actually work (ping
sucessfully as a test) when talking to a remote 2.6.7 gateway.

This is no change in this regard with this patch installed, and I
would consider it a different bug.
Comment 6 Ernie Petrides 2004-09-03 20:47:36 EDT
A fix for this problem has just been committed to the RHEL3 U4
patch pool this evening (in kernel version 2.4.21-20.3.EL).
Comment 7 John Flanagan 2004-12-20 15:55:03 EST
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-550.html

Note You need to log in before you can comment on or make changes to this bug.