150757 – IPSEC SAs are deleted from SAD by mistake when adding more SAs

Bug 150757 - IPSEC SAs are deleted from SAD by mistake when adding more SAs

Summary: IPSEC SAs are deleted from SAD by mistake when adding more SAs

Keywords:
Status:	CLOSED CANTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Dave Jones
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-03-10 09:59 UTC by Steve Hill
Modified:	2015-01-04 22:17 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-10-03 00:55:18 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Patch to resolve the problem, written and signed off by Patrick McHardy on the netdev list (371 bytes, patch) 2005-03-10 10:01 UTC, Steve Hill	no flags	Details \| Diff
View All

Description Steve Hill 2005-03-10 09:59:00 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
Connecting 2 FC3 boxes together using AH and ESP mode should add 4 SAs (AH and ESP in each direction).  However under some circumstances it reliably deletes the outbound AH SA when adding the outbound ESP SA.  I've worked with the netdev guys to resolve this issue and the patch that was posted to the netdev list fixes it (attached).  I guess it'll be going into an upstream kernel, but this is a show-stopper for IPSEC usage so the fix should really be applied to the stock FC3 kernel.

See the netdev thread for more details: http://oss.sgi.com/projects/netdev/archive/2005-03/msg00493.html

Version-Release number of selected component (if applicable):
kernel-2.6.10-1.770_FC3

How reproducible:
Sometimes

Steps to Reproduce:
1. Set up AH and ESP mode IPSEC with Racoon between a pair of FC3 boxes
2. Usually one or both of the boxes only show 3 SAD entries instead of 4 after Racoon has established the SAs.
3. It's my experience that a set up which exhibits this problem seems to exhibit it reliably every time.

Actual Results:  One of the SAs is removed the the SAD, making the IPSEC connection inoperable in one direction.  Every packet that is sent will lead to the SAs being renegotiated and the same one being lost after negotiation each time.

Expected Results:  All 4 SAs should remain in the SAD until expiry.

Additional info:

Comment 1 Steve Hill 2005-03-10 10:01:09 UTC

Created attachment 111848 [details]
Patch to resolve the problem, written and signed off by Patrick McHardy on the netdev list

Comment 2 Dave Jones 2005-07-15 18:32:43 UTC

An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem.   Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.

Comment 3 Dave Jones 2005-10-03 00:55:18 UTC

This bug has been automatically closed as part of a mass update.
It had been in NEEDINFO state since July 2005.
If this bug still exists in current errata kernels, please reopen this bug.

There are a large number of inactive bugs in the database, and this is the only
way to purge them.

Thank you.

Note You need to log in before you can comment on or make changes to this bug.