Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 350281

Summary: IPSec Packet has no Non-ESP marker
Product: Red Hat Enterprise Linux 5 Reporter: Alain RICHARD <alain.richard>
Component: kernelAssignee: Neil Horman <nhorman>
Status: CLOSED ERRATA QA Contact: Martin Jenner <mjenner>
Severity: high Docs Contact:
Priority: low    
Version: 5.0CC: dzickus, herbert.xu, rlerch
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-20 20:25:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alain RICHARD 2007-10-24 11:17:09 UTC 
Description of problem:

We get on one of our vpn server the following error :

Oct 24 08:09:00 cestiavpn pluto[1099]: packet from 86.212.214.22:4500: recvfrom
86.212.214.22:4500 has no Non-ESP marker
Oct 24 08:09:03 cestiavpn pluto[1099]: packet from 86.212.214.22:4500: recvfrom
86.212.214.22:4500 has no Non-ESP marker
Oct 24 08:09:09 cestiavpn pluto[1099]: packet from 86.212.214.22:4500: recvfrom
86.212.214.22:4500 has no Non-ESP marker
Oct 24 08:09:31 cestiavpn pluto[1099]: packet from 86.212.214.22:4500: recvfrom
86.212.214.22:4500 has no Non-ESP marker
Oct 24 08:09:34 cestiavpn pluto[1099]: packet from 86.212.214.22:4500: recvfrom
86.212.214.22:4500 has no Non-ESP marker
Oct 24 08:09:40 cestiavpn pluto[1099]: packet from 86.212.214.22:4500: recvfrom
86.212.214.22:4500 has no Non-ESP marker
Oct 24 08:09:59 cestiavpn pluto[1099]: packet from 86.212.214.22:4500: recvfrom
86.212.214.22:4500 has no Non-ESP marker
Oct 24 08:10:02 cestiavpn pluto[1099]: packet from 86.212.214.22:4500: recvfrom
86.212.214.22:4500 has no Non-ESP marker

and at the same time the vpn tunnel concerned do not work altough it is up and
running (both phases 1 and 2 are ok).

The problem is a well known problem in kernel ipsec that is triggered when using
e1000 driver and ipsec. It has been corrected in 2.6.19 :

,---[http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.19]-
commit 753eab76a3337863a0d86ce045fa4eb6c3cbeef9
Author: Olaf Kirch <okir>
Date:   Wed Nov 22 20:11:42 2006 -0800

    [UDP]: Make udp_encap_rcv use pskb_may_pull
    
    Make udp_encap_rcv use pskb_may_pull
    
    IPsec with NAT-T breaks on some notebooks using the latest e1000 chipset,
    when header split is enabled. When receiving sufficiently large packets, the
    driver puts everything up to and including the UDP header into the header
    portion of the skb, and the rest goes into the paged part. udp_encap_rcv
    forgets to use pskb_may_pull, and fails to decapsulate it. Instead, it
    passes it up it to the IKE daemon.
    
    Signed-off-by: Olaf Kirch <okir>
    Signed-off-by: Jean Delvare <jdelvare>
    Signed-off-by: David S. Miller <davem>


`---

(note that in our case, this is not a notebook, but a Dell 860 with an
additionnal intel ethernet card)

 
Version-Release number of selected component (if applicable):

kernel-2.6.18-8.1.14.el5

How reproducible:

100% reproductible in our environement (RHEL 5 + kernel 2.6.18-8.1.14.el5 +
openswan + a natted tunnel + intel e1000 driver).


Upgrading to the (non RHEL 5 official) Kernel 2.6.20-1.2320.fc5 correct the
problem as a patch to issue that bug was incorporated in 
kernel 2.6.19.

In order to fix ipsec in natted environement (roadwarriors), you need to
backport this fix in the RHEL5 official kernel.
Comment 2 Neil Horman 2007-11-12 16:10:33 UTC 
I've placed a test kernel with the backport of this patch here:
http://people.redhat.com/nhorman
could you please test it out and confirm that it solves the problem in your
environment?  Thanks!
Comment 3 RHEL Program Management 2007-11-13 22:25:07 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 RHEL Program Management 2008-03-11 19:38:28 UTC 
This request was previously evaluated by Red Hat Product Management
for inclusion in the current Red Hat Enterprise Linux release, but
Red Hat was unable to resolve it in time.  This request will be
reviewed for a future Red Hat Enterprise Linux release.
Comment 5 Neil Horman 2008-04-23 19:09:59 UTC 
ping, any update here?
Comment 6 RHEL Program Management 2008-04-23 19:10:55 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 7 Neil Horman 2008-06-18 16:43:05 UTC 
2nd, ping.  If I don't hear from you in the next few weeks on this, I'll assume
that this patch does fix the problem and move forward with integration
Comment 9 Don Zickus 2008-07-23 18:54:27 UTC 
in kernel-2.6.18-99.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 14 errata-xmlrpc 2009-01-20 20:25:15 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html