Bug 234491 - LSPP: kernel sends additional ACQUIRES that racoon is not catching.
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipsec-tools (Show other bugs)
All Linux
Priority: medium
Severity: medium
Assigned To: Steve Conklin
David Lawrence
Blocks: RHEL5LSPPCertTracker
Reported: 2007-03-29 12:45 EDT by Joy Latten
Modified: 2007-11-30 17:07 EST (History)

Fixed In Version: RHSA-2007-0342
Doc Type: Bug Fix
Last Closed: 2007-06-27 10:17:33 EDT

Attachments
Patch to allow racoon to ignore extra ACQUIRES from kernel. (3.73 KB, patch), 2007-04-02 16:56 EDT, Joy Latten
Description Joy Latten 2007-03-29 12:45:41 EDT
Description of problem:
With the change made to the kernel to not drop the first IPsec packet,
sometimes the kernel sends ACQUIREs while the very IPsec SAs it needs
are being established. The IKE daemon needs to be smarter and
catch this. It needs smarter checks to make sure a negotiation
is not already going on for the ACQUIRE it received.

Version-Release number of selected component (if applicable):

How reproducible:
Happens frequently.

Steps to Reproduce:
1. configure an ipsec policy between 2 machines using both AH and ESP
2. start racoon on both
3. do a ping
4. see whether 2 identical SAs are created for each SA (you should see 8 instead of 4)
5. if you only see 4 SAs, stop racoon and repeat steps 2 and 3

Actual results:
Frequently creates 2 of the same SA because another ACQUIRE is
sent while the first one is being negotiated.

Expected results:
Racoon should ignore additional ACQUIREs for an ongoing SA negotiation.

Additional info:
Have a patch and will submit to ipsec-tools community.
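The check the description asks for, written out as an added example in C; this is not code from ipsec-tools, racoon or the attached patch, and it shows the idea rather than racoon's internals. It keeps a table of in-flight negotiations keyed by what a kernel SADB_ACQUIRE identifies (source, destination, AH or ESP, policy reqid) and answers "negotiate" only when no live entry matches, so the second ACQUIRE the kernel emits for the same SA is ignored and only one SA pair results. The key fields, the table size, the 30-second expiry and the names `acquire_should_negotiate` / `acquire_done` are all assumptions made for this illustration; the sample addresses and reqid are constructed input mirroring the AH+ESP policy in the reproduction steps.

```c
/* Added example, not code from ipsec-tools or the attached patch: a small
 * table of in-flight IKE negotiations keyed by the selector reported in a
 * kernel SADB_ACQUIRE, so a second ACQUIRE for the same SA is ignored
 * while the first negotiation is still running. Field choices, the table
 * size and the timeout are assumptions made for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define PENDING_MAX     16   /* assumed: plenty for a two-host test setup */
#define PENDING_TIMEOUT 30   /* seconds before a stuck negotiation is forgotten; assumed */

#define IPPROTO_SA_ESP 50
#define IPPROTO_SA_AH  51

/* What distinguishes one ACQUIRE from another: the endpoints, the IPsec
 * protocol (AH or ESP) and the policy reqid. Two ACQUIREs with equal keys
 * are asking for the same SA. */
struct acquire_key {
    char     src[46];   /* textual address, IPv4 or IPv6 */
    char     dst[46];
    int      proto;     /* IPPROTO_SA_AH or IPPROTO_SA_ESP */
    uint32_t reqid;
};

struct pending {
    struct acquire_key key;
    time_t             started;
    bool               in_use;
};

static struct pending table[PENDING_MAX];

static bool key_eq(const struct acquire_key *a, const struct acquire_key *b)
{
    return a->proto == b->proto && a->reqid == b->reqid &&
           strcmp(a->src, b->src) == 0 && strcmp(a->dst, b->dst) == 0;
}

/* Find a live negotiation for this key. Entries older than PENDING_TIMEOUT
 * are dropped on the way, so a negotiation that never completed cannot
 * block new ACQUIREs for the same SA forever. */
static struct pending *find_pending(const struct acquire_key *k, time_t now)
{
    for (int i = 0; i < PENDING_MAX; i++) {
        if (!table[i].in_use)
            continue;
        if (now - table[i].started > PENDING_TIMEOUT) {
            table[i].in_use = false;
            continue;
        }
        if (key_eq(&table[i].key, k))
            return &table[i];
    }
    return NULL;
}

/* Decide what to do with an ACQUIRE. Returns true when the daemon should
 * start a negotiation (and records it as pending), false when the ACQUIRE
 * duplicates one already in progress and should be ignored. */
bool acquire_should_negotiate(const struct acquire_key *k, time_t now)
{
    if (find_pending(k, now) != NULL)
        return false;
    for (int i = 0; i < PENDING_MAX; i++) {
        if (!table[i].in_use) {
            table[i].key = *k;
            table[i].started = now;
            table[i].in_use = true;
            return true;
        }
    }
    /* Table full: negotiate anyway rather than drop traffic (assumption). */
    return true;
}

/* Call when the SA for this key has been installed or the negotiation
 * failed, so that a later ACQUIRE starts a fresh negotiation. */
void acquire_done(const struct acquire_key *k)
{
    for (int i = 0; i < PENDING_MAX; i++)
        if (table[i].in_use && key_eq(&table[i].key, k))
            table[i].in_use = false;
}

/* Number of negotiations currently recorded as in flight. */
int pending_count(void)
{
    int n = 0;
    for (int i = 0; i < PENDING_MAX; i++)
        n += table[i].in_use ? 1 : 0;
    return n;
}

int main(void)
{
    /* Constructed input: the AH+ESP policy from the reproduction steps,
     * with the kernel sending the ESP ACQUIRE twice in quick succession. */
    struct acquire_key esp = { "10.0.0.1", "10.0.0.2", IPPROTO_SA_ESP, 1 };
    struct acquire_key ah  = { "10.0.0.1", "10.0.0.2", IPPROTO_SA_AH,  1 };
    printf("esp #1: %s\n", acquire_should_negotiate(&esp, 1000) ? "negotiate" : "ignore");
    printf("esp #2: %s\n", acquire_should_negotiate(&esp, 1001) ? "negotiate" : "ignore");
    printf("ah  #1: %s\n", acquire_should_negotiate(&ah,  1001) ? "negotiate" : "ignore");
    acquire_done(&esp);
    printf("pending after ESP SA installed: %d\n", pending_count());
    return 0;
}
```

The AH ACQUIRE is a different key from the ESP one, so both protocols still get negotiated; only the repeat of an identical key is dropped, which is what keeps the SA count at 4 rather than 8 in the reproduction steps. The timeout is the caveat a daemon needs: without it, a negotiation that died without ever calling `acquire_done` would silently suppress every later ACQUIRE for that selector.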
Comment 1 George C. Wilson 2007-04-02 16:26:32 EDT
Joy has already submitted a patch to ipsec-tools. Will attach patch to this bug.
Comment 2 Joy Latten 2007-04-02 16:56:34 EDT
Created attachment 151475 [details]
Patch to allow racoon to ignore extra ACQUIRES from kernel.

This patch was sent to the ipsec-tools list but I have not yet had any response
from the list.
Comment 3 Joy Latten 2007-04-02 16:57:32 EDT
Also, above patch was built against ipsec-tools cvs tree.
Comment 5 George C. Wilson 2007-04-09 16:16:29 EDT
sgrubb: Got OK to build.
Comment 6 George C. Wilson 2007-04-10 11:35:17 EDT
Joy, this needs to be backported to RHEL5.
Comment 7 Steve Grubb 2007-04-10 16:39:35 EDT
ipsec-tools-0.6.5-6.3 was built to address this issue.
Comment 8 George C. Wilson 2007-04-11 19:47:38 EDT
Joy, can you verify that this is fixed in a build? Thanks.
Comment 9 Joy Latten 2007-04-12 17:26:34 EDT
I just tested this and it appears to be working well. Did not see any duplicate
Comment 10 Issue Tracker 2007-06-27 13:31:00 EDT
Closing issue per last update.
Thank You
Joe Kachuck

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.1'

This event sent from IssueTracker by jkachuck 
 issue 117513
