Red Hat Bugzilla – Bug 121746
IPSec SAD entry won't flush
Last modified: 2007-11-30 17:07:01 EST
Description of problem:
On my RHELv3 ES box I'm building an IPSec VPN connection to a Debian
sarge box running 2.6.3-1-686.
I'm using a current CVS snapshot of OpenSWAN for the IKE daemon on
both boxes. OpenSWAN's IKE daemon pluto runs the setkey command to
create the SAs.
In the process of testing, on the RHELv3 ES side I'm getting a SA that
unspec mode=tunnel spi=1134680608(0x43a1da20) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Apr 27 00:33:41 2004 current: Apr 27 00:59:29 2004
diff: 1548(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=3828 refcnt=0
I can only get rid of it with a reboot. Uggggh.
I'm not having any such problems on the Debian side. Since both the
Debian and RHELv3 are using the same exact OpenSWAN IKE daemon, the
problem is either in the kernel or setkey I'd wager.
I'm going to upgrade ipsec-tools on the RHEL3 box and see what happens.
Leaving the entry there is not an option as it interferes and doesn't
allow for another SA to be established.
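A check for the stuck SA described above, as an added example that is not from this report or from OpenSWAN/ipsec-tools: it parses `setkey -D` dumps taken before and after `setkey -F` and reports any SA that survived the flush (the addresses and the esp entry are constructed; the second entry copies the counters quoted above).

```python
import re

# Constructed `setkey -D` dumps (RFC 5737 placeholder addresses); the second
# entry copies the counters of the stuck SA quoted in the bug report.
SA_ESP = """\
192.0.2.1 192.0.2.2
\tesp mode=tunnel spi=305419896(0x12345678) reqid=1(0x00000001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 1548(s)\thard: 3600(s)\tsoft: 3000(s)
\tsadb_seq=1 pid=3828 refcnt=0
"""
SA_STUCK = """\
192.0.2.1 192.0.2.2
\tunspec mode=tunnel spi=1134680608(0x43a1da20) reqid=0(0x00000000)
\tseq=0x00000000 replay=0 flags=0x00000000 state=mature
\tdiff: 1548(s)\thard: 0(s)\tsoft: 0(s)
\tsadb_seq=0 pid=3828 refcnt=0
"""
BEFORE_FLUSH, AFTER_FLUSH = SA_ESP + SA_STUCK, SA_STUCK  # dump after `setkey -F`

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)$")          # unindented "src dst" line
PROTO_RE = re.compile(r"^(\w+) mode=(\w+) spi=(\d+)\(0x[0-9a-f]+\)")
KV_RE = re.compile(r"\b(state|refcnt)=(\w+)")

def parse_sad(text):
    """Parse `setkey -D` output into one dict per SA (lines not needed are ignored)."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line and not raw[0].isspace() and HEADER_RE.match(line):
            cur = dict(zip(("src", "dst"), line.split()))
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif m := PROTO_RE.match(line):
            cur["proto"], cur["mode"], cur["spi"] = m[1], m[2], int(m[3])
        elif line.startswith("diff:"):  # age and hard/soft time lifetimes, in seconds
            cur["age_s"], cur["hard_s"], cur["soft_s"] = map(int, re.findall(r"(\d+)\(s\)", line))
        else:
            for k, v in KV_RE.findall(line):
                cur[k] = int(v) if k == "refcnt" else v
    return entries

def sa_key(e):
    return (e["src"], e["dst"], e["proto"], e["spi"])

def stuck_after_flush(before, after):
    """SAs listed both before and after `setkey -F` never went away."""
    seen = {sa_key(e) for e in parse_sad(before)}
    return [e for e in parse_sad(after) if sa_key(e) in seen]

def never_expires(e):  # no time limit and nobody holding it: the kernel will not reap it
    return e["hard_s"] == 0 and e["soft_s"] == 0 and e.get("refcnt") == 0

if __name__ == "__main__":
    for e in stuck_after_flush(BEFORE_FLUSH, AFTER_FLUSH):
        print(f"stuck: {e['src']}->{e['dst']} {e['proto']} spi=0x{e['spi']:08x} "
              f"age={e['age_s']}s never_expires={never_expires(e)}")
```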
I have confirmed that the "stuck SA" only occurs when I configure my
tunnel to use compression.
I upgraded my ipsec-tools without any change. Looks like a kernel
issue. Can you ping/reassign to Dave Miller?
I tried RHEL ES kernel 2.4.21-15.EL. Still broken.
Created attachment 102159
Fix for tunnel leaks
This should fix the tunnel leaks when compression
Compiling kernel 2.4.21-15.0.3.EL with your patch applied right now. I
will report back on the results.
Patch does in fact fix the inability to delete SAD entry. Yah!
I can't get compression enabled tunnels to actually work (ping
successfully as a test) when talking to a remote 2.6.7 gateway.
This is no change in this regard with this patch installed, and I
would consider it a different bug.
A fix for this problem has just been committed to the RHEL3 U4
patch pool this evening (in kernel version 2.4.21-20.3.EL).
An errata has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.