Bug 234491 - LSPP: kernel sends additional ACQUIRES that racoon is not catching.
Summary: LSPP: kernel sends additional ACQUIRES that racoon is not catching.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipsec-tools
Version: 5.0
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Steve Conklin
QA Contact: David Lawrence
Blocks: RHEL5LSPPCertTracker
Reported: 2007-03-29 16:45 UTC by Joy Latten
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2007-0342
Doc Type: Bug Fix
Doc Text:
Last Closed: 2007-06-27 14:17:33 UTC


Attachments
Patch to allow racoon to ignore extra ACQUIRES from kernel. (3.73 KB, patch)
2007-04-02 20:56 UTC, Joy Latten

Description Joy Latten 2007-03-29 16:45:41 UTC
Description of problem:
With the change made to kernel to not drop first ipsec packet,
sometimes kernel sends ACQUIRES while the very IPSec SAs it needs
are being established. The IKE daemon needs to be smarter and
catch this. It needs smarter checks to make sure a negotiation
is not going on for the ACQUIRE it received.

Version-Release number of selected component (if applicable):
ipsec-tools-0.6.5-2

How reproducible:
Happens frequently.

Steps to Reproduce:
1. configure ipsec policy between 2 machines using both AH and ESP
2. start racoon on both
3. do a ping.
4. see if 2 identical SAs are created for each SA. (should see 8 instead of 4)
5. if you only see 4 SAs, stop racoon and repeat steps 2 and 3.

Actual results:
Frequently creates 2 of the same SA because another ACQUIRE is
sent while negotiating the first one. 


Expected results:
Racoon should ignore additional ACQUIRES for ongoing SA
negotiations.

Additional info:
Have a patch and will submit to ipsec-tools community.
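The check the report asks for, as an added illustration that is not part of this bug report, of racoon, or of the attached patch: a small table of IKE negotiations in flight, keyed on the selector the kernel reports in an ACQUIRE (source and destination address, IPsec protocol and security policy id, all assumed field names), which a daemon consults before starting phase 2. A repeated ACQUIRE for a selector already being negotiated is ignored instead of producing the duplicate SA described above; entries are released when the negotiation finishes, or after an assumed 30-second timeout so a stale entry cannot block a legitimate retry. The scenario in `main` is constructed from the steps to reproduce (AH and ESP between two hosts).

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not racoon's code or the attached patch: a table of
 * negotiations in flight, consulted on every ACQUIRE so a repeat ACQUIRE for
 * a selector already being negotiated is ignored rather than starting a
 * second phase 2 and creating a duplicate SA. Field names and the timeout
 * are assumptions for the example. */

#define MAX_PENDING 16
#define NEGOTIATION_TIMEOUT 30   /* seconds; assumed, a daemon would use its phase 2 timers */
#define PROTO_ESP 50             /* IPsec protocol numbers as the kernel reports them */
#define PROTO_AH  51

/* Selector carried by an ACQUIRE; addresses kept as text to stay self-contained. */
struct acquire {
    char src[40];
    char dst[40];
    int proto;          /* PROTO_ESP or PROTO_AH */
    unsigned int spid;  /* security policy id */
};

struct pending {
    int in_use;
    struct acquire key;
    long started;       /* time in seconds when negotiation began */
};

static struct pending table[MAX_PENDING];

static void fill_acquire(struct acquire *a, const char *src, const char *dst,
                         int proto, unsigned int spid)
{
    memset(a, 0, sizeof *a);
    snprintf(a->src, sizeof a->src, "%s", src);
    snprintf(a->dst, sizeof a->dst, "%s", dst);
    a->proto = proto;
    a->spid = spid;
}

static int same_acquire(const struct acquire *a, const struct acquire *b)
{
    return a->proto == b->proto && a->spid == b->spid &&
           strcmp(a->src, b->src) == 0 && strcmp(a->dst, b->dst) == 0;
}

/* Forget negotiations that have run past the timeout so a stale entry
 * never blocks a legitimate retry. */
static void expire_pending(long now)
{
    int i;
    for (i = 0; i < MAX_PENDING; i++)
        if (table[i].in_use && now - table[i].started > NEGOTIATION_TIMEOUT)
            table[i].in_use = 0;
}

/* Handle one ACQUIRE. Returns 1 when a new negotiation should start, 0 when
 * one is already in flight for this selector (the duplicate the report
 * describes, to be ignored) and -1 when the table is full. */
int handle_acquire(const char *src, const char *dst, int proto,
                   unsigned int spid, long now)
{
    struct acquire acq;
    int i, free_slot = -1;

    fill_acquire(&acq, src, dst, proto, spid);
    expire_pending(now);
    for (i = 0; i < MAX_PENDING; i++) {
        if (table[i].in_use) {
            if (same_acquire(&table[i].key, &acq))
                return 0;           /* already negotiating this selector */
        } else if (free_slot < 0) {
            free_slot = i;
        }
    }
    if (free_slot < 0)
        return -1;
    table[free_slot].in_use = 1;
    table[free_slot].key = acq;
    table[free_slot].started = now;
    return 1;
}

/* Called when phase 2 completes or fails, so a later ACQUIRE for the same
 * selector starts a fresh negotiation. */
void negotiation_done(const char *src, const char *dst, int proto,
                      unsigned int spid)
{
    struct acquire acq;
    int i;
    fill_acquire(&acq, src, dst, proto, spid);
    for (i = 0; i < MAX_PENDING; i++)
        if (table[i].in_use && same_acquire(&table[i].key, &acq))
            table[i].in_use = 0;
}

int pending_count(void)
{
    int i, n = 0;
    for (i = 0; i < MAX_PENDING; i++)
        n += table[i].in_use;
    return n;
}

int main(void)
{
    /* Constructed scenario: AH and ESP policy between two hosts, with the
     * kernel repeating the ESP ACQUIRE while the first one is negotiated. */
    const char *a = "192.0.2.1", *b = "192.0.2.2";
    printf("ESP ACQUIRE:          %d\n", handle_acquire(a, b, PROTO_ESP, 16, 100));
    printf("AH ACQUIRE:           %d\n", handle_acquire(a, b, PROTO_AH, 16, 100));
    printf("repeated ESP ACQUIRE: %d\n", handle_acquire(a, b, PROTO_ESP, 16, 101));
    negotiation_done(a, b, PROTO_ESP, 16);
    printf("ESP after completion: %d\n", handle_acquire(a, b, PROTO_ESP, 16, 102));
    printf("negotiations in flight: %d\n", pending_count());
    return 0;
}
```

The key point is that the lookup happens before phase 2 is started, not after an SA is installed: by the time the second SA exists the kernel has already accepted it, which is the 8-instead-of-4 result the report shows.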

Comment 1 George C. Wilson 2007-04-02 20:26:32 UTC
Joy has already submitted a patch to ipsec-tools. Will attach patch to this bug.

Comment 2 Joy Latten 2007-04-02 20:56:34 UTC
Created attachment 151475 [details]
Patch to allow racoon to ignore extra ACQUIRES from kernel.

This patch was sent to the ipsec-tools list but I have not yet had any response
from the list.

Comment 3 Joy Latten 2007-04-02 20:57:32 UTC
Also, above patch was built against ipsec-tools cvs tree.

Comment 5 George C. Wilson 2007-04-09 20:16:29 UTC
sgrubb: Got OK to build.

Comment 6 George C. Wilson 2007-04-10 15:35:17 UTC
Joy, this needs to be backported to RHEL5.

Comment 7 Steve Grubb 2007-04-10 20:39:35 UTC
ipsec-tools-0.6.5-6.3 was built to address this issue.

Comment 8 George C. Wilson 2007-04-11 23:47:38 UTC
Joy, can you verify that this is fixed in a build? Thanks.

Comment 9 Joy Latten 2007-04-12 21:26:34 UTC
I just tested this and it appears to be working well. Did not see any duplicate
SAs. 

Comment 10 Issue Tracker 2007-06-27 17:31:00 UTC
Hello,
Closing issue per last update.
Thank You
Joe Kachuck

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.1'

This event sent from IssueTracker by jkachuck, issue 117513

