Description of problem: Several bugs in latest ipsec-tools-0.7 prevent successful use as a remote-access (road-warrior) client to a Cisco ASA 5500 vpn concentrator. Attached are three patches which were also submitted to the upstream mailing list which fix this problem. Also attached are some packaging improvements: a phase1 mode config script, an init script for the racoon daemon, and patches for the spec file to incorporate the above mentioned patches and scripts. Version-Release number of selected component (if applicable): 0.7 How reproducible: Attempt to connect to a Cisco ASA in remote-access client mode with racoon. Steps to Reproduce: 1. Configure racoon to connect to a Cisco ASA as suggested in the enclosed racoon.conf example. 2. Start racoon daemon 3. run 'racoonctl vc <IP-of-Cisco-ASA> Actual results: vpn session fails to be established Expected results: successfully establish a vpn session Additional info: uploading tarball with the following content: ipsec-tools.spec.diff changes to spec file racoon.conf.diff changes to included config.file ipsec-tools-0.7-cvs-dupmode.patch patch to handle dupe mode config packets ipsec-tools-0.7-cvs-dupsplit.patch patch to handle dupe split networks ipsec-tools-0.7-cvs-iface.patch patch to set SO_REUSEADDR on sockets p1_up_down phase1 mode config script racoon.init init script for racoon daemon
Created attachment 184001 [details] contents of file described in 'additional info' section of original report
Everything except the dupmode patch has been put into rawhide. The dupmode patch wasn't accepted by upstream, but the others were.
This bz is now just for the dupmode patch, the others have been added. I'm going to set this as needinfo from the reporter, and when upstream has resolved the patch, please set it back to me. Thanks.
Turns out the dupmode patch is unnecessary. We can work around that problem by simply having the phase1_up script check for a previous execution (i.e., whether the private VPN address has already been configured on the default network interface). I'm uploading a new version of the p1_up_down script which contains this check. The ipsec-tools maintainers also took issue with the ipcalc-based conversion of dotted-quad netmask into CIDR notation, and a patch (also uploaded) was applied to CVS which supplies the phase1 script with a list of split networks directly in CIDR notation.
Created attachment 232941 [details] fixed roadwarrior phase1 script new script now checks for an already completed previous phase1_up execution also eliminated conversion from dotted quad netmask to cidr notation as that functionality is being directly offered by racoon
Created attachment 232951 [details] offer list of split networks in CIDR notation to phase1 scripts this is already in CVS, and is also required by fixed phase1 p1_up_down script
I'm sorry, I meant to get this change in with otehr recent patches. It's in rawhide now, as after that's tested a bit I'll put it in F-8 also.
ipsec-tools-0.7-8.fc8 has been submitted as an update for Fedora 8
ipsec-tools-0.7-8.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ipsec-tools'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-2661
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
ipsec-tools-0.7.1-5.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/ipsec-tools-0.7.1-5.fc8
ipsec-tools-0.7.1-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.