Bug 137888 - ipsec spasms in 2.6.9 kernels
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 3
Hardware: i686
OS: Linux
medium
high
Target Milestone: ---
Assignee: David Miller
QA Contact: Brian Brock
 
Reported: 2004-11-02 16:21 UTC by Jost Diederichs
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version: kernel-2.6.12
Doc Type: Bug Fix
Last Closed: 2005-07-15 23:09:46 UTC

Description Jost Diederichs 2004-11-02 16:21:52 UTC

Description of problem:
After several hours of establishing an ESP/Tunnel, when IPsec-SA
expires, no more IPsec-SA can be successfully negotiated because they
expire instantly.
The racoon log fills up with 10 minutes worth of rapid attempts of
re-establishing IPsec-SA and racoon eventually gives up.
If I boot into kernel 2.6.8-1.521, the problem disappears.
A snippet of the racoon log is below.

Version-Release number of selected component (if applicable):
2.6.9-1.643 or 2.6.9-1.649
Version of ipsec-tools is 0.3.3-1

How reproducible:
Always

Steps to Reproduce:
1. Establish an ESP/Tunnel with racoon
2. Wait until IPsec-SA expires

Actual Results:  IPsec-SA expires the moment it is established

Expected Results:  Expiry time should be hours, not a fraction of a
second on successive negotiations

Additional info:

2004-11-01 08:01:46: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
2004-11-01 08:01:46: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
2004-11-01 08:01:46: INFO: 10.10.10.10[500] used as isakmp port (fd=7)
2004-11-01 08:01:46: INFO: IPsec-SA request for 20.20.20.20 queued due to no phase1 found.
2004-11-01 08:01:46: INFO: initiate new phase 1 negotiation: 10.10.10.10[500]<=>20.20.20.20[500]
2004-11-01 08:01:46: INFO: begin Identity Protection mode.
2004-11-01 08:01:47: INFO: ISAKMP-SA established 10.10.10.10[500]-20.20.20.20[500] spi:34a145a9cb691fd8:ae187491d658d2f2
2004-11-01 08:01:48: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>20.20.20.20[0]
2004-11-01 08:01:48: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 08:01:48: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=312290156(0x129d2b6c)
2004-11-01 09:01:47: INFO: ISAKMP-SA expired 10.10.10.10[500]-20.20.20.20[500] spi:34a145a9cb691fd8:ae187491d658d2f2
2004-11-01 09:01:48: INFO: ISAKMP-SA deleted 10.10.10.10[500]-20.20.20.20[500] spi:34a145a9cb691fd8:ae187491d658d2f2
2004-11-01 14:25:48: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:48: INFO: IPsec-SA request for 20.20.20.20 queued due to no phase1 found.
2004-11-01 14:25:48: INFO: initiate new phase 1 negotiation: 10.10.10.10[500]<=>20.20.20.20[500]
2004-11-01 14:25:48: INFO: begin Identity Protection mode.
2004-11-01 14:25:48: INFO: IPsec-SA expired: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=312290156(0x129d2b6c)
2004-11-01 14:25:49: INFO: ISAKMP-SA established 10.10.10.10[500]-20.20.20.20[500] spi:d8177137987131ac:4ff496abf81143db
2004-11-01 14:25:49: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>20.20.20.20[0]
2004-11-01 14:25:49: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:49: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=4143156603(0xf6f38d7b)
2004-11-01 14:25:50: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:50: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>20.20.20.20[0]
2004-11-01 14:25:50: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:50: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=4031521498(0xf04c22da)
2004-11-01 14:25:51: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:51: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>20.20.20.20[0]
2004-11-01 14:25:51: INFO: IPsec-SA established: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:51: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.10->20.20.20.20 spi=4278226393(0xff008dd9)
2004-11-01 14:25:52: INFO: IPsec-SA expired: ESP/Tunnel 20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:52: INFO: initiate new phase 2 negotiation: 10.10.10.10[0]<=>20.20.20.20[0]
[... and on and on and on...]
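
Added example (not part of the original report, and not racoon or kernel code): a small Python check that pairs each "IPsec-SA established" record with the matching "IPsec-SA expired" record and flags SAs that lived for less than a threshold, which is the pattern in the log above. The sample lines are copied from this report's log in its wrapped form; the function names and the 60-second threshold are assumptions made for the example.

```python
import re
from datetime import datetime

# Four records copied from the racoon log in this report, still wrapped
# across two lines each, as they appear in the bug description.
SAMPLE_LOG = """\
2004-11-01 08:01:48: INFO: IPsec-SA established: ESP/Tunnel
20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:48: INFO: IPsec-SA expired: ESP/Tunnel
20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:49: INFO: IPsec-SA established: ESP/Tunnel
20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
2004-11-01 14:25:50: INFO: IPsec-SA expired: ESP/Tunnel
20.20.20.20->10.10.10.10 spi=247555709(0xec1667d)
"""

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}: ")
EVENT = re.compile(r"^(\S+ \S+): INFO: IPsec-SA (established|expired): "
                   r"\S+ (\S+)->(\S+) spi=(\d+)")

def unwrap(text):
    """Rejoin wrapped records: a line with no timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def sa_lifetimes(text):
    """Return (src, dst, spi, seconds) for each established -> expired pair."""
    born, out = {}, []
    for rec in unwrap(text):
        m = EVENT.match(rec)
        if not m:
            continue  # phase 1 / ISAKMP-SA and other records are ignored
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        key = (m.group(3), m.group(4), int(m.group(5)))
        if m.group(2) == "established":
            born[key] = when
        elif key in born:
            out.append(key + (int((when - born.pop(key)).total_seconds()),))
    return out

def short_lived(text, min_seconds=60):
    """SAs that expired less than min_seconds (assumed threshold) after setup."""
    return [sa for sa in sa_lifetimes(text) if sa[3] < min_seconds]
```
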

Comment 1 Dave Jones 2005-07-15 19:55:44 UTC
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem. Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.

Comment 2 Jost Diederichs 2005-07-15 23:07:45 UTC
Indeed, the problem is gone since kernel-2.6.12-x. 
I recommend closing the bug. 

