From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10.1

Description of problem:
After several hours of establishing an ESP/Tunnel, when IPsec-SA expires, no more IPsec-SA can be successfully negotiated because they expire instantly. The racoon log fills up with 10 minutes worth of rapid attempts of re-establishing IPsec-SA and racoon eventually gives up. If I boot into kernel 2.6.8-1.521, the problem disappears. A snippet of the racoon log is below.

Version-Release number of selected component (if applicable):
2.6.9-1.643 or 2.6.9-1.649
Version of ipsec-tools is 0.3.3-1

How reproducible:
Always

Steps to Reproduce:
1. Establish an ESP/Tunnel with racoon
2. Wait until IPsec-SA expires

Actual Results: IPsec-SA expires the moment it is established

Expected Results: Expiry time should be hours, not a fraction of a second on successive negotiations

Additional info:

2004-11-01 08:01:46: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
2004-11-01 08:01:46: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
2004-11-01 08:01:46: INFO: 10.10.10.10[500] used as isakmp port (fd=7)
2004-11-01 08:01:46: INFO: IPsec-SA request for 20.20.20.20 queued due to no phase1 found.
2004-11-01 08:01:46: INFO: initiate new phase 1 negotiation: 10.10.10.10[500]<=>20.20.20.20[500]
2004-11-01 08:01:46: INFO: begin Identity Protection mode.
2004-11-01 08:01:47: INFO: ISAKMP-SA established 10.10.10.10[500]-20.20.20.20[500] spi:34a145a9cb691fd8:ae187491d658d2f2
2004-11-01 08:01:48: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>20.20.20.20[0]
2004-11-01 08:01:48: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 08:01:48: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=312290156(0x129d2b6c)
2004-11-01 09:01:47: INFO: ISAKMP-SA expired 10.10.10.10[500]-20.20.20.20[500] spi:34a145a9cb691fd8:ae187491d658d2f2
2004-11-01 09:01:48: INFO: ISAKMP-SA deleted 10.10.10.10[500]-20.20.20.20[500] spi:34a145a9cb691fd8:ae187491d658d2f2
2004-11-01 14:25:48: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:48: INFO: IPsec-SA request for 20.20.20.20 queued due to no phase1 found.
2004-11-01 14:25:48: INFO: initiate new phase 1 negotiation: 10.10.10.10[500]<=>20.20.20.20[500]
2004-11-01 14:25:48: INFO: begin Identity Protection mode.
2004-11-01 14:25:48: INFO: IPsec-SA expired: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=312290156(0x129d2b6c)
2004-11-01 14:25:49: INFO: ISAKMP-SA established 10.10.10.10[500]-20.20.20.20[500] spi:d8177137987131ac:4ff496abf81143db
2004-11-01 14:25:49: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>20.20.20.20[0]
2004-11-01 14:25:49: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:49: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=4143156603(0xf6f38d7b)
2004-11-01 14:25:50: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:50: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>20.20.20.20[0]
2004-11-01 14:25:50: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:50: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=4031521498(0xf04c22da)
2004-11-01 14:25:51: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:51: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>20.20.20.20[0]
2004-11-01 14:25:51: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:51: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=4278226393(0xff008dd9)
2004-11-01 14:25:52: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:52: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>20.20.20.20[0]
[... and on and on and on...]
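
A check for the re-key loop reported above, as an added example that is not part of the original report or of ipsec-tools: it pairs each "IPsec-SA established" line with the matching "expired" line and flags flows whose SAs keep expiring within seconds. The function names and the 60-second / three-occurrence thresholds are assumptions; the sample lines are excerpted from the log in the report.

```python
import re
from collections import Counter
from datetime import datetime

# IPsec-SA lines excerpted from the racoon log quoted in the report.
SAMPLE_LOG = """\
2004-11-01 08:01:48: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 08:01:48: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=312290156(0x129d2b6c)
2004-11-01 14:25:48: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:48: INFO: IPsec-SA expired: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=312290156(0x129d2b6c)
2004-11-01 14:25:49: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:50: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:50: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:51: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:51: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:52: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
"""

SA_EVENT = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): INFO: IPsec-SA (established|expired): "
    r"\S+ (\S+)->(\S+) spi=(\d+)")

def sa_lifetimes(log_text):
    """Return (src, dst, spi, seconds) for every SA seen established, then expired."""
    born, lifetimes = {}, []
    for line in log_text.splitlines():
        m = SA_EVENT.match(line.strip())
        if not m:
            continue  # phase 1 and other racoon messages are not SA lifetime events
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        key = (m.group(3), m.group(4), int(m.group(5)))
        if m.group(2) == "established":
            born[key] = when  # the same SPI can be established again, as in the report
        elif key in born:     # skip expiries whose establishment is not in the log
            lifetimes.append(key + ((when - born.pop(key)).total_seconds(),))
    return lifetimes

def rekey_loops(lifetimes, min_lifetime=60, min_count=3):
    """Flows (src, dst) with at least min_count SAs that lived under min_lifetime s."""
    # Thresholds are assumptions; tune them to the configured phase 2 lifetime.
    short = Counter((s, d) for s, d, _, secs in lifetimes if secs < min_lifetime)
    return {flow: n for flow, n in short.items() if n >= min_count}

if __name__ == "__main__":
    for flow, n in rekey_loops(sa_lifetimes(SAMPLE_LOG)).items():
        print("%s->%s: %d SAs expired within 60 s of being established" % (flow + (n,)))
```
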
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which may contain a fix for your problem. Please update to this new kernel, and report whether or not it fixes your problem. If you have updated to Fedora Core 4 since this bug was opened, and the problem still occurs with the latest updates for that release, please change the version field of this bug to 'fc4'. Thank you.
Indeed, the problem is gone since kernel-2.6.12-x. I recommend closing the bug.