Red Hat Bugzilla – Bug 234491
LSPP: kernel sends additional ACQUIRES that racoon is not catching.
Last modified: 2007-11-30 17:07:43 EST
Description of problem:
With the change made to the kernel to not drop the first IPsec packet,
sometimes the kernel sends ACQUIREs while the very IPsec SAs it needs
are being established. The IKE daemon needs to be smarter and
catch this. It needs smarter checks to make sure a negotiation
is not going on for the ACQUIRE it received.
Steps to Reproduce:
1. Configure an IPsec policy between 2 machines using both AH and ESP.
2. Start racoon on both.
3. Do a ping.
4. See if 2 identical SAs are created for each SA (should see 8 instead of 4).
5. If you only see 4 SAs, stop racoon and repeat steps 2 and 3.
Frequently creates 2 of the same SA because another ACQUIRE is
sent while negotiating the first one.
Racoon should ignore additional ACQUIREs for an ongoing SA.
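The check the description asks for, modelled as an added C illustration that is not code from ipsec-tools or from the patch attached to this bug: the daemon keeps a table of selectors whose phase-2 negotiation is in progress, and an ACQUIRE that matches one of them is ignored instead of starting a second negotiation. The daemon structure, selector fields, function names and the 10.0.0.x addresses are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added illustration for this bug, not ipsec-tools code: a minimal model of
 * the "ignore extra ACQUIREs" check.  Names and layout are assumptions. */

#define MAX_NEG 16

#define PROTO_ESP 50
#define PROTO_AH  51

/* Traffic selector carried by the kernel's ACQUIRE, reduced to what the
 * check needs: the endpoints and the IPsec protocol being requested. */
struct selector {
    char src[16];   /* dotted-quad as text, e.g. "10.0.0.1" (constructed) */
    char dst[16];
    int  proto;     /* PROTO_ESP or PROTO_AH */
};

enum neg_state { NEG_IN_PROGRESS, NEG_ESTABLISHED };

struct negotiation {
    struct selector sel;
    enum neg_state  state;
};

struct daemon {
    struct negotiation table[MAX_NEG];
    int count;     /* entries used in table */
    int started;   /* phase-2 negotiations actually started */
    int ignored;   /* ACQUIREs dropped because one was already running */
};

enum acquire_result { ACQ_STARTED, ACQ_IGNORED, ACQ_TABLE_FULL };

static bool selector_eq(const struct selector *a, const struct selector *b)
{
    return a->proto == b->proto &&
           strcmp(a->src, b->src) == 0 &&
           strcmp(a->dst, b->dst) == 0;
}

static struct negotiation *find_neg(struct daemon *d, const struct selector *s)
{
    for (int i = 0; i < d->count; i++)
        if (selector_eq(&d->table[i].sel, s))
            return &d->table[i];
    return NULL;
}

/* Called for every ACQUIRE the kernel delivers.  The new check is the first
 * branch: a selector whose negotiation is still in progress gets no second
 * negotiation, which is what produced the duplicate SAs in the report. */
enum acquire_result handle_acquire(struct daemon *d, const struct selector *s)
{
    struct negotiation *n = find_neg(d, s);

    if (n != NULL && n->state == NEG_IN_PROGRESS) {
        d->ignored++;
        return ACQ_IGNORED;
    }
    if (n == NULL) {
        if (d->count == MAX_NEG)
            return ACQ_TABLE_FULL;
        n = &d->table[d->count++];
        n->sel = *s;
    }
    /* Either a fresh selector or an established one being re-keyed. */
    n->state = NEG_IN_PROGRESS;
    d->started++;
    return ACQ_STARTED;
}

/* Called when the phase-2 exchange for a selector completes. */
void negotiation_done(struct daemon *d, const struct selector *s)
{
    struct negotiation *n = find_neg(d, s);
    if (n != NULL)
        n->state = NEG_ESTABLISHED;
}

/* Replays the report's scenario: an AH+ESP policy between two hosts, a ping
 * triggers one ACQUIRE per protocol, and the kernel repeats both while the
 * first pair is still being negotiated.  Returns the number of SAs that end
 * up installed, counting the inbound/outbound pair each negotiation yields. */
int simulate_duplicate_acquires(struct daemon *d)
{
    struct selector esp = { "10.0.0.1", "10.0.0.2", PROTO_ESP }; /* constructed */
    struct selector ah  = { "10.0.0.1", "10.0.0.2", PROTO_AH  };

    memset(d, 0, sizeof *d);
    handle_acquire(d, &esp);   /* first ACQUIREs: negotiations start        */
    handle_acquire(d, &ah);
    handle_acquire(d, &esp);   /* repeated while still negotiating: ignored */
    handle_acquire(d, &ah);
    negotiation_done(d, &esp);
    negotiation_done(d, &ah);

    return d->started * 2;     /* 4 SAs, not the 8 seen before the fix */
}
```

One point to keep in mind when applying this idea in a real daemon: an in-progress entry must age out if the negotiation fails or the peer never answers, otherwise the check suppresses every later ACQUIRE for that selector and the tunnel can never come up; the model above leaves that timeout out for brevity.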
Have a patch and will submit to ipsec-tools community.
Joy has already submitted a patch to ipsec-tools. Will attach patch to this bug.
Created attachment 151475
Patch to allow racoon to ignore extra ACQUIRES from kernel.
This patch was sent to the ipsec-tools list but I have not yet had any response
from the list.
Also, the above patch was built against the ipsec-tools cvs tree.
sgrubb: Got OK to build.
Joy, this needs to be backported to RHEL5.
ipsec-tools-0.6.5-6.3 was built to address this issue.
Joy, can you verify that this is fixed in a build? Thanks.
I just tested this and it appears to be working well. Did not see any duplicate
Closing issue per last update.
Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.1'
This event sent from IssueTracker by jkachuck