Bug 470575 - ipsec-tools 0.7.1 not establish sa
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: ipsec-tools
Version: 9
Hardware: i386 Linux
Priority: medium, Severity: urgent
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Duplicates: 470738
Reported: 2008-11-07 13:59 EST by Alexandre Thieme Reis
Modified: 2009-12-14 09:56 EST

Doc Type: Bug Fix
Last Closed: 2008-11-11 21:52:43 EST
Attachments
My configuration files. prefixed with gw: gateway configuration, prefixed with client:client configuration (989 bytes, application/x-download)
2008-11-07 13:59 EST, Alexandre Thieme Reis
client-racoon.log (tail -f /var/log/syslog), client-racoon-debug.log (racoon -d -F), gw-racoon.log (tail -f /var/log/messages), gw-racoon-debug.log (racoon -d -F) (39.68 KB, application/octet-stream)
2008-11-07 16:36 EST, Alexandre Thieme Reis
client-racoon.log (tail -f /var/log/syslog), client-racoon-debug.log (racoon -d -F), gw-racoon.log (tail -f /var/log/messages), gw-racoon-debug.log (racoon -d -F) (39.68 KB, application/x-download)
2008-11-07 16:54 EST, Alexandre Thieme Reis

Description Alexandre Thieme Reis 2008-11-07 13:59:54 EST
Created attachment 322883
My configuration files. prefixed with gw: gateway configuration, prefixed with client: client configuration

Description: ipsec-tools 0.7.1 no longer establishes an SA. I have a gateway with an interface connected to a wireless router. My wireless laptop (with Kubuntu 8.10 and ipsec-tools 0.7) is connected to the gateway through an IPsec tunnel. After upgrading to ipsec 0.7.1, no connection is made. I downgraded to ipsec-tools 0.7 and it works fine.


Version-Release number of selected component (if applicable): 0.7.1


How reproducible: always


Steps to Reproduce:
1. upgrade to ipsec-tools 0.7.1
2. start setkey
3. start racoon
  
Actual results: no tunnel established


Expected results: tunnel established

Additional info: Output (/var/log/messages) on the gateway:

Nov  7 16:20:00 tango racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)                                 
Nov  7 16:20:00 tango racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)             
Nov  7 16:20:00 tango racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"                                     
Nov  7 16:20:00 tango racoon: INFO: Resize address pool from 0 to 255                                                        
Nov  7 16:20:00 tango racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)                                               
Nov  7 16:20:00 tango racoon: INFO: 127.0.0.1[500] used for NAT-T                                                            
Nov  7 16:20:00 tango racoon: INFO: 192.168.1.254[500] used as isakmp port (fd=17)                                           
Nov  7 16:20:00 tango racoon: INFO: 192.168.1.254[500] used for NAT-T                                                        
Nov  7 16:20:00 tango racoon: INFO: 192.168.2.254[500] used as isakmp port (fd=18)                                           
Nov  7 16:20:00 tango racoon: INFO: 192.168.2.254[500] used for NAT-T                                                        
Nov  7 16:20:00 tango racoon: INFO: 10.1.1.254[500] used as isakmp port (fd=19)                                              
Nov  7 16:20:00 tango racoon: INFO: 10.1.1.254[500] used for NAT-T                                                           
Nov  7 16:20:00 tango racoon: INFO: ::1[500] used as isakmp port (fd=20)
Nov  7 16:20:00 tango racoon: INFO: fe80::2e0:7dff:fe89:544a%eth3[500] used as isakmp port (fd=21)
Nov  7 16:20:00 tango racoon: INFO: fe80::208:54ff:feb0:a674%eth0[500] used as isakmp port (fd=22)
Nov  7 16:25:00 tango racoon: ERROR: libipsec failed pfkey check (Invalid SA type)
Nov  7 16:25:00 tango racoon: ERROR: libipsec failed pfkey check (Invalid SA type)
Nov  7 16:25:00 tango racoon: INFO: unsupported PF_KEY message REGISTER


On the client side everything is OK (/var/log/syslog):

Nov  7 16:25:58 valsa racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Nov  7 16:25:58 valsa racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
Nov  7 16:25:58 valsa racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov  7 16:25:58 valsa racoon: INFO: Resize address pool from 0 to 255
Nov  7 16:25:58 valsa racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Nov  7 16:25:58 valsa racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov  7 16:25:58 valsa racoon: INFO: 192.168.2.100[500] used as isakmp port (fd=13)
Nov  7 16:25:58 valsa racoon: INFO: 192.168.2.100[500] used for NAT-T
Nov  7 16:25:58 valsa racoon: INFO: ::1[500] used as isakmp port (fd=23)
Nov  7 16:25:58 valsa racoon: INFO: fe80::20d:f0ff:fe17:1ced%wlan0[500] used as isakmp port (fd=24)
Nov  7 16:26:03 valsa racoon: INFO: IPsec-SA request for 192.168.2.254 queued due to no phase1 found.
Nov  7 16:26:03 valsa racoon: INFO: initiate new phase 1 negotiation: 192.168.2.100[500]<=>192.168.2.254[500]
Nov  7 16:26:03 valsa racoon: INFO: begin Identity Protection mode.
Nov  7 16:26:03 valsa racoon: INFO: received Vendor ID: DPD
Nov  7 16:26:03 valsa racoon: INFO: ISAKMP-SA established 192.168.2.100[500]-192.168.2.254[500] spi:176a0c583d87bbc5:9a4ee8736fd28ee7
Nov  7 16:26:04 valsa racoon: INFO: initiate new phase 2 negotiation: 192.168.2.100[500]<=>192.168.2.254[500]
Nov  7 16:26:04 valsa racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.2.254[0]->192.168.2.100[0] spi=260814603(0xf8bb70b)
Nov  7 16:26:04 valsa racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.2.100[500]->192.168.2.254[500] spi=25536301(0x185a72d)

PS: Excuse my poor English!!!
Comment 1 Tomas Mraz 2008-11-07 15:06:45 EST
Is the client side, as of the second log, running version 0.7.1 or 0.7?

Can you please try to run the gateway with log level debug2 and attach or paste the output?
Comment 2 Alexandre Thieme Reis 2008-11-07 15:22:48 EST
The client side runs ipsec-tools version 0.7.
Comment 3 Alexandre Thieme Reis 2008-11-07 16:36:56 EST
Created attachment 322901
client-racoon.log (tail -f /var/log/syslog), client-racoon-debug.log (racoon -d -F), gw-racoon.log (tail -f /var/log/messages), gw-racoon-debug.log (racoon -d -F)
Comment 4 Alexandre Thieme Reis 2008-11-07 16:54:35 EST
Created attachment 322904
 client-racoon.log (tail -f /var/log/syslog), client-racoon-debug.log (racoon -d -F), gw-racoon.log (tail -f /var/log/messages), gw-racoon-debug.log (racoon -d -F)
Comment 5 Alexandre Thieme Reis 2008-11-07 16:55:26 EST
The racoon.log is racoon.tgz, excuse me!
Comment 6 Alexandre Thieme Reis 2008-11-07 19:32:53 EST
If the client is ipsec-tools version 0.7.1, it also does not work!
Comment 7 Alexandre Thieme Reis 2008-11-07 20:05:48 EST
I downloaded ipsec-tools version 0.7.1 from SourceForge, recompiled without patch, and racoon works fine!!!
Comment 8 Bojan Smojver 2008-11-08 00:16:07 EST
Ditto here folks. An IPSec tunnel that worked with old ipsec-tools doesn't come up any more:
------------------------------------
Nov  8 15:29:57 beauty racoon: INFO: initiate new phase 2 negotiation: <to_IP>[500]<=><from_IP>[500]
Nov  8 15:29:57 beauty racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Nov  8 15:29:57 beauty racoon: WARNING: attribute has been modified.
Nov  8 15:29:57 beauty racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Nov  8 15:29:57 beauty racoon: ERROR: pfkey add failed.
Nov  8 15:29:57 beauty racoon: ERROR: failed to process packet.
Nov  8 15:29:57 beauty racoon: ERROR: phase2 negotiation failed.
Nov  8 15:30:26 beauty racoon: INFO: initiate new phase 2 negotiation: <to_IP>[500]<=><from_IP>[500]
Nov  8 15:30:26 beauty racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Nov  8 15:30:26 beauty racoon: WARNING: attribute has been modified.
Nov  8 15:30:26 beauty racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Nov  8 15:30:26 beauty racoon: ERROR: pfkey add failed.
Nov  8 15:30:26 beauty racoon: ERROR: failed to process packet.
Nov  8 15:30:26 beauty racoon: ERROR: phase2 negotiation failed.
------------------------------------

Reverting back to the old version of ipsec-tools RPM immediately fixes the problem.
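
A triage pass over racoon syslog output like the excerpts in this report, as an added example that is not part of the original bug thread: it tags each line and separates hosts where the SA failed at the PF_KEY interface from hosts whose tunnel came up. The rule names and verdict strings are assumptions of this example; the sample lines are copied from the logs quoted above.

```python
import re
from collections import defaultdict

# Sample input assembled for this example from log lines quoted in the report.
SAMPLE = """\
Nov  7 16:25:00 tango racoon: ERROR: libipsec failed pfkey check (Invalid SA type)
Nov  7 16:25:00 tango racoon: INFO: unsupported PF_KEY message REGISTER
Nov  7 16:26:03 valsa racoon: INFO: ISAKMP-SA established 192.168.2.100[500]-192.168.2.254[500] spi:176a0c583d87bbc5:9a4ee8736fd28ee7
Nov  7 16:26:04 valsa racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.2.254[0]->192.168.2.100[0] spi=260814603(0xf8bb70b)
Nov  8 15:29:57 beauty racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Nov  8 15:29:57 beauty racoon: ERROR: pfkey add failed.
Nov  8 15:29:57 beauty racoon: ERROR: phase2 negotiation failed.
"""

# syslog prefix: timestamp, host, "racoon:", level, message
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(\S+)\sracoon:\s(\w+):\s(.*)$")

# Hypothetical tag names; the patterns are the message texts seen in this report.
RULES = [
    ("phase1_ok", re.compile(r"^ISAKMP-SA established")),
    ("phase2_ok", re.compile(r"^IPsec-SA established")),
    ("pfkey_error", re.compile(r"pfkey (check|add failed)|unsupported PF_KEY message")),
    ("phase2_failed", re.compile(r"^phase2 negotiation failed")),
    ("algo_mismatch", re.compile(r"^authtype mismatched")),
]

def triage(text):
    """Return {host: {tag: count}} for every racoon line that matches a rule."""
    hosts = defaultdict(lambda: defaultdict(int))
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())  # the pasted logs carry trailing spaces
        if not m:
            continue
        host, _level, msg = m.groups()
        for tag, rx in RULES:
            if rx.search(msg):
                hosts[host][tag] += 1
    return {h: dict(c) for h, c in hosts.items()}

def verdict(counts):
    """PF_KEY errors with no IPsec-SA established are reported first: in this
    report that pattern went away when the package was reverted."""
    if counts.get("pfkey_error") and not counts.get("phase2_ok"):
        return "pfkey"
    if counts.get("phase2_failed"):
        return "negotiation"
    return "up" if counts.get("phase2_ok") else "inconclusive"

if __name__ == "__main__":
    for host, counts in triage(SAMPLE).items():
        print(host, verdict(counts), counts)
```
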
Comment 9 Bojan Smojver 2008-11-08 01:39:56 EST
Regarding comment #8, I'm connecting to a PIX there.
Comment 10 Tomas Mraz 2008-11-10 05:39:23 EST
*** Bug 470738 has been marked as a duplicate of this bug. ***
Comment 11 Fedora Update System 2008-11-10 07:52:27 EST
ipsec-tools-0.7.1-6.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ipsec-tools-0.7.1-6.fc9
Comment 12 Need Real Name 2008-11-10 10:43:24 EST
The ipsec-tools-0.7.1-6.fc9.x86_64.rpm works for me.
Comment 13 Bojan Smojver 2008-11-10 15:16:11 EST
ipsec-tools-0.7.1-6.fc9.i386 works here. Thank you.
Comment 14 Bojan Smojver 2008-11-10 16:09:08 EST
Just gave it +1 karma in bodhi.
Comment 15 Fedora Update System 2008-11-11 21:52:39 EST
ipsec-tools-0.7.1-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Alexandre Thieme Reis 2008-11-12 07:35:42 EST
Thank you, ipsec-tools now works fine!!!