Red Hat Bugzilla – Bug 176455
[CM] [RHEL4] IPSec Kernel Bug
Last modified: 2014-06-18 03:35:09 EDT
I already cooked up a patch so I'll take this.
Created attachment 137740 [details]
backport of immediate SA switchover patch from upstream
Instead of using RHEL3's patch as a base, I backported the original upstream
patch here, since it was a little closer to the RHEL4 codebase. The original
patch is here:
There is another patch, however, that we might want to consider, which looks
like it fixed some deficiencies of the original patch:
Dave, you're more familiar with this code than I. Should I backport that one
Created attachment 137743 [details]
respun patch, include dst->obsolete < 0 check
Respun patch that includes the later patch to correct the case when
dst->obsolete < 0.
Good catch Jeff, yes that second bit with the dst->obsolete check
The patch seems to have fixed the customer's Linux-Linux renegotiation problems,
but Linux-Windows doesn't seem to be working correctly still. Going to see if I
can crank up debugging in racoon and get some idea of why it's not occurring.
Essentially, network captures show the ISAKMP messages being sent back and forth
for rekeying, but the sequence numbers of the packets following that don't get
reset back to 1. I'm presuming this means that the rekeying failed for some reason.
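The capture check described in the comment above, as an added example that is not part of the original bug thread or of the patch: it reads the SPI and sequence number from each ESP header and reports whether traffic after the rekey moved to a new SA whose counter restarted at 1. The function names, the `SEQ_SLACK` tolerance, the SPIs and the packets are constructed assumptions.

```python
import struct

SEQ_SLACK = 16  # assumption: tolerate a few packets missed by the capture

def parse_esp(payload: bytes):
    """Return (spi, seq) from the 8-byte ESP header (RFC 4303)."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", payload[:8])

def sa_switchover(packets, rekey_done):
    """Classify one direction of an ESP flow around a rekey.

    packets: iterable of (timestamp, esp_payload_bytes).
    rekey_done: capture time at which the ISAKMP rekey exchange finished.
    Returns 'switched', 'stale-sa' or 'no-traffic'.
    """
    first_seen = {}  # spi -> (timestamp, seq) of its first captured packet
    last_spi = None  # SPI of the most recent packet sent after the rekey
    for ts, payload in sorted(packets, key=lambda p: p[0]):
        try:
            spi, seq = parse_esp(payload)
        except ValueError:
            continue  # skip fragments too short to carry an ESP header
        first_seen.setdefault(spi, (ts, seq))
        if ts > rekey_done:
            last_spi = spi
    if last_spi is None:
        return "no-traffic"
    born, first_seq = first_seen[last_spi]
    # Healthy: current traffic rides an SA that appeared after the rekey,
    # and that SA's counter started from 1 (allowing for capture loss).
    if born > rekey_done and 1 <= first_seq <= SEQ_SLACK:
        return "switched"
    return "stale-sa"

def _esp(spi, seq):
    return struct.pack("!II", spi, seq) + b"\x00" * 16  # constructed payload

OLD_SPI, NEW_SPI = 0x0A0B0C0D, 0x11223344  # constructed values
GOOD = [(1.0, _esp(OLD_SPI, 4000)), (2.0, _esp(OLD_SPI, 4001)),
        (6.0, _esp(NEW_SPI, 1)), (7.0, _esp(NEW_SPI, 2))]
STUCK = [(1.0, _esp(OLD_SPI, 4000)), (2.0, _esp(OLD_SPI, 4001)),
         (6.0, _esp(OLD_SPI, 4002)), (7.0, _esp(OLD_SPI, 4003))]

if __name__ == "__main__":
    for name, capture in (("good", GOOD), ("stuck", STUCK)):
        print(name, sa_switchover(capture, rekey_done=5.0))
```

Run it per direction of the tunnel, since each direction has its own SPI and counter.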
I'm planning to post the patch here soon, so I'll go ahead and grab this from Dave.
Committed in stream U5 build 42.28. A test kernel with this patch is available
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
QE ack for 4.5.
Patch is in -52 and the customer has been using a hotfix kernel already for some
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.