Bug 444743 - ipsec auto --replace brings down the tunnel
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan
Hardware / OS: All / Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Steve Grubb
Reported: 2008-04-30 09:42 EDT by Jakub Hrozek
Modified: 2008-09-19 10:29 EDT
Doc Type: Bug Fix
Last Closed: 2008-09-19 10:29:21 EDT
Description Jakub Hrozek 2008-04-30 09:42:28 EDT
Description of problem:
If I configure an IPSec tunnel and later use "ipsec auto --replace", the 
tunnel remains down, i.e. I cannot ping the gateways anymore. ipsec 
auto --status still lists the connection and I have to restart the ipsec 
service to bring it back up (ipsec auto --add $conn; ipsec auto --up $conn 
does not work).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. configure an ipsec tunnel
2. ipsec auto --replace
3. ping the second gateway - not reachable
Additional info:
I can see a warning that replacing a policy is not supported with netkey:
000 "west-east" #3: request to replace with shunt a prospective erouted policy 
with netkey kernel --- not yet implemented
000 "west-east": request to delete a unrouted policy with netkey kernel --- 
not yet implemented
But if replacing/deleting isn't implemented, the tunnel should remain up.
Comment 1 RHEL Product and Program Management 2008-06-04 12:33:55 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 2 Tuomo Soini 2008-06-05 03:37:00 EDT
Warning is wrong, ignore it.

ipsec auto --replace will always take the tunnel down. --replace is a synonym for

ipsec auto --delete conn
ipsec auto --add conn

If you want tunnel back up you should use:

ipsec auto --replace conn && ipsec auto --up conn
Comment 3 Paul Wouters 2008-06-05 13:11:43 EDT
replacing/deleting has two parts. The kernel policies (phase 2 / ipsec SA) and
the userland policies (phase 1 / ISAKMP). The scripts do both, but the warnings
you see are about the kernel component.

Furthermore, openswan-2.6.14 (and its "rc" pre-releases) do have those
operations implemented for netkey, and they now give 'warnings' about being
experimental. (this is all code in programs/pluto/kernel_netlink.c, related to
the kernel_ops functions)

Also, in openswan-2.5.x and up, the "--add" operation is equivalent to
"--replace", as it always does a "--delete" plus "--add".
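As an added example (editor's code, not part of the bug thread and not openswan's own), the sequence Tuomo gives in Comment 2 and Paul's note that --add behaves the same as --replace, wrapped in a small POSIX shell helper that reloads a connection, brings it back up, and then confirms from `ipsec auto --status` that a phase 2 SA exists, so the state the reporter hit (connection still listed, tunnel down) is caught without a manual ping. It assumes the openswan 2.x pluto status format, where a per-state line reads `000 #2: "west-east":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); ...`; the sample status text below is constructed for illustration, not captured from the reporter's host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from openswan.
# Helpers around "ipsec auto" (openswan 2.x). Status parsing assumes the
# pluto status format, e.g.
#   000 #2: "west-east":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); ...
#   000 #1: "west-east":500 STATE_MAIN_I4 (ISAKMP SA established); ...
# Function names are this example's own.

# Report the state of connection $1 from `ipsec auto --status` text on stdin:
#   ipsec  - a phase 2 (IPsec) SA is established, traffic can flow
#   isakmp - only the phase 1 (ISAKMP) SA is up, tunnel still down
#   down   - no established SA for that connection at all
# $1 is used inside a basic regex; names containing regex metacharacters
# (e.g. '.') would need escaping first.
conn_state() {
    conn=$1
    status=$(cat)
    if printf '%s\n' "$status" | grep -q "#[0-9]*: \"$conn\":[0-9]*.*IPsec SA established"; then
        echo ipsec
    elif printf '%s\n' "$status" | grep -q "#[0-9]*: \"$conn\":[0-9]*.*ISAKMP SA established"; then
        echo isakmp
    else
        echo down
    fi
}

# Reload the definition of $1 from ipsec.conf and re-establish the tunnel.
# --replace alone is --delete followed by --add, which leaves the tunnel
# down (the behaviour reported in this bug), so --up must follow it.
# Returns non-zero if no IPsec SA is established afterwards.
ipsec_replace_and_up() {
    conn=$1
    ipsec auto --replace "$conn" && ipsec auto --up "$conn" || return 1
    [ "$(ipsec auto --status | conn_state "$conn")" = ipsec ]
}

# Constructed sample status output (not captured from the reporter's host).
# After --replace alone the connection is listed but has no SAs ...
STATUS_AFTER_REPLACE='000 "west-east": 192.0.2.1<192.0.2.1>...192.0.2.2<192.0.2.2>; unrouted; eroute owner: #0
000 "west-east":   newest ISAKMP SA: #0; newest IPsec SA: #0;'

# ... with only phase 1 negotiated the tunnel is still down ...
STATUS_PHASE1_ONLY='000 "west-east": 192.0.2.1<192.0.2.1>...192.0.2.2<192.0.2.2>; unrouted; eroute owner: #0
000 "west-east":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 #1: "west-east":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2712s; newest ISAKMP; idle'

# ... and after --up both SAs are established.
STATUS_AFTER_UP='000 "west-east": 192.0.2.1<192.0.2.1>...192.0.2.2<192.0.2.2>; erouted; eroute owner: #2
000 "west-east":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 #2: "west-east":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27942s; newest IPSEC; eroute owner; isakmp#1; idle
000 #1: "west-east":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2712s; newest ISAKMP; idle'
```

Source the file on the gateway and call `ipsec_replace_and_up west-east` after editing ipsec.conf; `conn_state` can also be run offline against saved `ipsec auto --status` output (`conn_state west-east < status.txt`, a hypothetical file name) to check whether a tunnel is actually carrying traffic rather than merely defined.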
Comment 5 Steve Grubb 2008-09-19 10:06:16 EDT
Does this problem still exist in 2.6.14 and current kernel?
Comment 6 Tuomo Soini 2008-09-19 10:14:30 EDT
See previous comments. This is expected behaviour.
Comment 7 Steve Grubb 2008-09-19 10:29:21 EDT
ok, closing as not a bug. Thanks for the info.