Bug 444575 - openswan doesn't delete expired SA's
openswan doesn't delete expired SA's
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan (Show other bugs)
5.2
other All
urgent Severity medium
: rc
: ---
Assigned To: Avesh Agarwal
: OtherQA, ZStream
Depends On:
Blocks: 253764 450334
  Show dependency treegraph
 
Reported: 2008-04-29 06:32 EDT by IBM Bug Proxy
Modified: 2009-09-03 10:06 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-02 07:18:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix rekeying on initiator (995 bytes, patch)
2008-06-01 02:49 EDT, Herbert Xu
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
IBM Linux Technology Center 44412 None None None Never

  None (edit)
Description IBM Bug Proxy 2008-04-29 06:32:19 EDT
=Comment: #0=================================================
TYLER C. HICKS <tchicks@us.ibm.com> - 2008-04-28 14:41 EDT
---Problem Description---
Expired SA's are not deleted from the SAD.
 
Contact Information = Tyler Hicks <tyhicks@linux.vnet.ibm.com>
 
---uname output---
Linux eal5.ltc.austin.ibm.com 2.6.18-90.el5 #1 SMP Tue Apr 15 18:05:09 EDT 2008
i686 i686 i386 GNU/Linux
Linux tim-hv4.ltc.austin.ibm.com 2.6.18-90.el5 #1 SMP Tue Apr 15 18:06:56 EDT
2008 ppc64 ppc64 ppc64 GNU/Linux
 
Machine Type = eal5: xSeries 335
tim-hv4: eServer OpenPower 720
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---
ipsec.conf:
------------------------------------------
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="all"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes

conn openswan_i386-openswan_ppc
        left=fc00:0:0:105::22
        right=fc00:0:0:105::23
        ikev2=insist
        authby=secret
        salifetime=30m
        auto=add
------------------------------------------

$> ipsec auto --up openswan_i386-openswan_ppc

I brought up the connection and ran a 4 hour long stress test with the same
ipsec.conf on both machines and had 12 SA's at the end of the test.
 
---Security Component Data---
Userspace tool common name: openswan

The userspace tool has the following bit modes: 32

Userspace rpm: openswan-2.6.12
Comment 1 IBM Bug Proxy 2008-04-30 17:17:19 EDT
------- Comment From tchicks@us.ibm.com 2008-04-30 17:13 EDT-------
Red Hat - Can we get confirmation that a fix for this bug is targeted for the
zstream release?  Thanks!
Comment 2 Herbert Xu 2008-06-01 02:49:15 EDT
Created attachment 307301 [details]
Fix rekeying on initiator

I wasn't able to reproduce this problem.  However, I found that the initiator
wouldn't rekey at all due to a typo.  This is fixed by this patch.

If you're still seeing this behaviour please attach the output of ipsec auto
--status and ip -s x s.  Thanks!
Comment 3 Paul Wouters 2008-06-01 11:20:27 EDT
I'll have a look at it.

Also, please use openswan 2.6.14rc6 for testing anything with netkey policies,
as some changes were made there to address certain policy related matters.
Comment 4 Linda Wang 2008-06-06 13:36:06 EDT
Patch is commited:

commit 2b720e1d781aed18733db29bad978756ec46e0f3
Author: Paul Wouters <paul@xelerance.com>
Date:   Mon Jun 2 14:57:47 2008 -0400
Fix for ikev2 rekey [herbert] - moves .timeout_event = EVENT_SA_REPLACE to
different state.
Comment 6 IBM Bug Proxy 2008-06-19 11:32:58 EDT
------- Comment From tchicks@us.ibm.com 2008-06-19 11:32 EDT-------
I tested rekeying in openswan-2.6.14-1.el5_2.1, between ppc and i386.  Expired
SA's were properly removed from the SAD, so it is working like it should!

Moving to CLOSED on IBM's side.
Comment 9 Chris Ward 2009-06-14 19:15:14 EDT
~~ Attention Partners RHEL 5.4 Partner Alpha Released! ~~

RHEL 5.4 Partner Alpha has been released on partners.redhat.com. There should
be a fix present that addresses this particular request. Please test and report back your results here, at your earliest convenience. Our Public Beta release is just around the corner!

If you encounter any issues, please set the bug back to the ASSIGNED state and
describe the issues you encountered. If you have verified the request functions as expected, please set your Partner ID in the Partner field above to indicate successful test results. Do not flip the bug status to VERIFIED. Further questions can be directed to your Red Hat Partner Manager. Thanks!
Comment 10 Chris Ward 2009-06-14 19:18:12 EDT
Partners, 

This particular request is of a notably high priority. In order to prepare make the most of this Alpha release, please report back initial test results before the scheduled Beta drop. That way if you encounter any issues, we can work to get additional corrections in before we launch our Public Beta release. Speak with your Partner Manager for additional dates and information. Thank you for your cooperation in this effort.
Comment 11 Chris Ward 2009-07-03 11:36:25 EDT
IBM, could I have you please re-test with the Beta bits? In Beta, there have been additional updates to openswan which enable NSS support. Our QE teams would really appreciate that you confirm that no additional regressions have been introduced by this change. Thanks.
Comment 12 Chris Ward 2009-07-03 14:02:34 EDT
~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.
Comment 13 IBM Bug Proxy 2009-07-09 18:01:19 EDT
------- Comment From tyhicks@linux.vnet.ibm.com 2009-07-09 17:52 EDT-------
Sorry for the lag - this bug is closed on the IBM side and I wasn't giving any attention.   Unfortunately, it isn't very likely that I'll have the bandwidth to recreate the environment and verify this for 5.4.
Comment 14 Chris Ward 2009-07-10 15:04:42 EDT
~~ Attention Partners - RHEL 5.4 Snapshot 1 Released! ~~

RHEL 5.4 Snapshot 1 has been released on partners.redhat.com. If you have already reported your test results, you can safely ignore this request. Otherwise, please notice that there should be a fix available now that addresses this particular request. Please test and report back your results here, at your earliest convenience. The RHEL 5.4 exception freeze is quickly approaching.

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Do not flip the bug status to VERIFIED. Instead, please set your Partner ID in the Verified field above if you have successfully verified the resolution of this issue. 

Further questions can be directed to your Red Hat Partner Manager or other appropriate customer representative.
Comment 17 errata-xmlrpc 2009-09-02 07:18:48 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1350.html

Note You need to log in before you can comment on or make changes to this bug.