Red Hat Bugzilla – Bug 273261
using ipsec-tools for remote-access client connection to Cisco ASA
Last modified: 2008-11-06 21:58:19 EST
Description of problem:
Several bugs in latest ipsec-tools-0.7 prevent successful use as
a remote-access (road-warrior) client to a Cisco ASA 5500 vpn concentrator.
Attached are three patches which were also submitted to the upstream mailing
list which fix this problem.
Also attached are some packaging improvements: a phase1 mode config script,
an init script for the racoon daemon, and patches for the spec file to
incorporate the above mentioned patches and scripts.
Version-Release number of selected component (if applicable):
Attempt to connect to a Cisco ASA in remote-access client mode with racoon.
Steps to Reproduce:
1. Configure racoon to connect to a Cisco ASA as suggested in the enclosed
2. Start racoon daemon
3. run 'racoonctl vc <IP-of-Cisco-ASA>
vpn session fails to be established
successfully establish a vpn session
uploading tarball with the following content:
ipsec-tools.spec.diff changes to spec file
racoon.conf.diff changes to included config.file
ipsec-tools-0.7-cvs-dupmode.patch patch to handle dupe mode config packets
ipsec-tools-0.7-cvs-dupsplit.patch patch to handle dupe split networks
ipsec-tools-0.7-cvs-iface.patch patch to set SO_REUSEADDR on sockets
p1_up_down phase1 mode config script
racoon.init init script for racoon daemon
Created attachment 184001 [details]
contents of file described in 'additional info' section of original report
Everything except the dupmode patch has been put into rawhide. The dupmode patch
wasn't accepted by upstream, but the others were.
This bz is now just for the dupmode patch, the others have been added. I'm going
to set this as needinfo from the reporter, and when upstream has resolved the
patch, please set it back to me.
Turns out the dupmode patch is unnecessary. We can work around that problem
by simply having the phase1_up script check for a previous execution (i.e.,
whether the private VPN address has already been configured on the default
I'm uploading a new version of the p1_up_down script which contains this check.
The ipsec-tools maintainers also took issue with the ipcalc-based conversion of
dotted-quad netmask into CIDR notation, and a patch (also uploaded) was applied
to CVS which supplies the phase1 script with a list of split networks directly
in CIDR notation.
Created attachment 232941 [details]
fixed roadwarrior phase1 script
new script now checks for an already completed previous phase1_up execution
also eliminated conversion from dotted quad netmask to cidr notation as
that functionality is being directly offered by racoon
Created attachment 232951 [details]
offer list of split networks in CIDR notation to phase1 scripts
this is already in CVS, and is also required by fixed phase1 p1_up_down script
I'm sorry, I meant to get this change in with otehr recent patches. It's in
rawhide now, as after that's tested a bit I'll put it in F-8 also.
ipsec-tools-0.7-8.fc8 has been submitted as an update for Fedora 8
ipsec-tools-0.7-8.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update ipsec-tools'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-2661
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
ipsec-tools-0.7.1-5.fc8 has been submitted as an update for Fedora 8.
ipsec-tools-0.7.1-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.