Description of problem: calls to netkey / xfrm lead to unexpected behaviour. more specific: when strongswan calls XFRM_GET_POLICY to gather information about a current SPD, no valid data is returned and the SPD is instead getting deleted. This leads to loosing an ipsec tunnel when performing "ipsec status" but also to DPD packets destroying a tunnel (as the xfrm_get_policy get's called when a DPD packet arrives). Version-Release number of selected component (if applicable): strongswan 4.1.11, 4.2.6, 4.2.7 How reproducible: very. Steps to Reproduce: compile strongswan, configure tunnel, run ipsec up tunnel. ip xfrm policy shows multiple spds. now run ipsec status or configure DPD and wait for the first DPD event and run ip xfrm policy again, the SPDs are lost. Additional info: a better description is avaible in the strongswan mailing list at https://lists.strongswan.org/pipermail/users/2008-February/002262.html apparently this might be an issue with xfrm.h from 2.6.18 but nailing this down goes over my head :/
we don't support strongswan, can you give openswan a try?
strongswan is just considered to be the more secure and elaborate solution. stuff like ikev2 and mobike is in strongswan but not in openswan, as well as sophisticated pki infrastructure support (like scep, ocsp, crl cache etc..) which is what we like about it (we are using the redhat / dogtag pki which works very well together with strongswan!). also, as far as i can nail it doen, this actually has been working pre 5.2! regards, johannes
Johannes, we need to determine whether this is a bug in Stronswan or the kernel. Could you please strace strongswan when you perform the action that leads to the policies being deleted? Please run strace with -s 4096 so we get the complete netlink messages. This should tell us what netlink commands it issued and hence whether the bug is in the kernel or Strongswan. Thanks!
Created attachment 349106 [details] output from strace -f -s 8096 during ipsec status This is the output of strace -f -o pluto.out -s 8096 ipsec start then after the connection is being brought up with ipsec up testconnection i created the attachment with fail -f pluto.out >> pluto_status.out and issued ipsec status, which then leads to the described behaviour. this is the latest strongswan (4.3.1) as well as the latest kernel (2.6.18-128.1.14.el5). I've set up a test environment for this kind of testing within qemu now, so if you need anything else, please just let me know, i will be able to supply you with that much faster than before. Thanks, Johannes
I'm sorry, that's of course supposed to say "tail -f pluto.out".
OK the strace doesn't show any problems. pluto does getpolicy three times and get valid results each time. Can you run ip xfrm monitor in addition to strace to see if something else is deleting the policies? Thanks!
ip xfrm monitor doesn't show anything when ipsec status is issued. before that, i get a lot of those: Unknown message: 00000096 0x0000001e 0x00000000 Unknown message: 00000096 0x0000001e 0x00000000 Unknown message: 00000096 0x0000001e 0x00000000 but i don't think that's a problem since the ipsec is up and running while i'm getting those. anything else i can do? Johannes
What does ip -s x p say when the policies are present? What does it say immediately after you run ipsec status? Can you try to replicate what pluto is sending by using ip xfrm? For example, does ip xfrm policy get dir in SELECTOR (you'll have to spell this out with your selector) cause the policy to be deleted? If not please strace ip xfrm policy get so I can see what's different between its message and that sent from pluto. Thanks.
Hello Herbert, sorry i wasn't in the lab untill now. However, this confirmed that the error indeed appears not to be in pluto: [root@fw01 ~]# ip xfrm policy get dir out src 192.168.100.0/24 dst 192.168.2.0/24 src 192.168.100.0/24 dst 192.168.2.0/24 dir out priority 2344 tmpl src 192.168.121.187 dst 192.168.121.233 proto esp reqid 16385 mode tunnel [root@fw01 ~]# ip xfrm policy get dir out src 192.168.100.0/24 dst 192.168.2.0/24 RTNETLINK answers: No such file or directory there was absolutely nothing done inbetween, both commands were applied right after each other. Thanks for your help so far. For more info ask as usual :) Regards, Johannes
Hmm, indeed I can reproduce this too on a RHEL5 kernel. Let me investigate.
Created attachment 350249 [details] ipsec: Add missing braces to fix policy querying Braces were missing in the policy querying functions causing the queried policies to be deleted.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
in kernel-2.6.18-158.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5 Please do NOT transition this bugzilla state to VERIFIED until our QE team has sent specific instructions indicating when to do so. However feel free to provide a comment indicating that this fix has been verified.
was able to verify the fix in the test kernel :)
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-1243.html