Bug 234491 - LSPP: kernel sends additional ACQUIRES that racoon is not catching.
Summary: LSPP: kernel sends additional ACQUIRES that racoon is not catching.
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipsec-tools
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Steve Conklin
QA Contact: David Lawrence
Depends On:
Blocks: RHEL5LSPPCertTracker
Reported: 2007-03-29 16:45 UTC by Joy Latten
Modified: 2007-11-30 22:07 UTC (History)
5 users (show)

Fixed In Version: RHSA-2007-0342
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-06-27 14:17:33 UTC
Target Upstream Version:

Attachments
Patch to allow racoon to ignore extra ACQUIRES from kernel. (deleted)
2007-04-02 20:56 UTC, Joy Latten

Description Joy Latten 2007-03-29 16:45:41 UTC
Description of problem:
With the change made to the kernel to not drop the first IPsec packet,
sometimes the kernel sends ACQUIREs while the very IPsec SAs it needs
are being established. The IKE daemon needs to be smarter and
catch this. It needs smarter checks to make sure a negotiation
is not going on for the ACQUIRE it received.

Version-Release number of selected component (if applicable):

How reproducible:
Happens frequently.

Steps to Reproduce:
1. Configure an IPsec policy between 2 machines using both AH and ESP.
2. Start racoon on both.
3. Do a ping.
4. See if 2 identical SAs are created for each SA (you should see 8 instead of 4).
5. If you only see 4 SAs, stop racoon and repeat steps 2 and 3.

Actual results:
Frequently creates 2 of the same SA because another ACQUIRE is
sent while negotiating the first one. 

Expected results:
Racoon should ignore additional ACQUIREs for an ongoing SA.

Additional info:
Have a patch and will submit to ipsec-tools community.
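
The race described above, as an added model (not racoon's code and not the attached patch): an ACQUIRE handler that starts a phase 2 negotiation for every ACQUIRE beside one that first checks for a pending negotiation on the same policy. The struct names, the policy-id key and the "an AH+ESP bundle installs 4 SAs" rule are assumptions made for the model; the event sequence is constructed to mirror the reproduction steps (one ACQUIRE from the ping, a second one re-sent by the kernel before phase 2 completes).

```c
/*
 * Model of an IKE daemon's PF_KEY ACQUIRE handling for the race in this bug.
 * Added illustration only: not racoon's code. Structures, names and the
 * "4 SAs per AH+ESP bundle" rule are assumptions for the model.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum ph2_status { PH2_PENDING, PH2_ESTABLISHED, PH2_FAILED };

/* What an ACQUIRE carries for our purposes: selector plus the policy id. */
struct acquire {
    const char *src, *dst;
    unsigned policy_id;
};

/* One phase 2 negotiation, keyed by the policy it serves. */
struct ph2 {
    unsigned policy_id;
    enum ph2_status status;
};

#define MAX_PH2 16
static struct ph2 ph2tab[MAX_PH2];
static size_t nph2;          /* negotiations started so far */
static int sad_entries;      /* SAs installed in the simulated SAD */

static void reset(void)
{
    memset(ph2tab, 0, sizeof ph2tab);
    nph2 = 0;
    sad_entries = 0;
}

/* The in-flight negotiation for a policy, or NULL when none is pending. */
static struct ph2 *find_pending_ph2(unsigned policy_id)
{
    for (size_t i = 0; i < nph2; i++)
        if (ph2tab[i].policy_id == policy_id && ph2tab[i].status == PH2_PENDING)
            return &ph2tab[i];
    return NULL;
}

static struct ph2 *start_ph2(unsigned policy_id)
{
    if (nph2 == MAX_PH2)
        return NULL;
    ph2tab[nph2].policy_id = policy_id;
    ph2tab[nph2].status = PH2_PENDING;
    return &ph2tab[nph2++];
}

/* Peer answered: install the bundle. An AH+ESP policy yields four SAs,
 * AH and ESP in each direction (model assumption). */
static void complete_ph2(struct ph2 *p)
{
    if (p->status != PH2_PENDING)
        return;
    p->status = PH2_ESTABLISHED;
    sad_entries += 4;
}

/* Behaviour before the fix: every ACQUIRE starts a fresh negotiation. */
static int recv_acquire_naive(const struct acquire *a)
{
    return start_ph2(a->policy_id) ? 0 : -1;
}

/* Behaviour after the fix: drop an ACQUIRE whose policy already has a PENDING
 * negotiation. Only PENDING counts: an ESTABLISHED bundle may be up for rekey
 * and a FAILED one should be retried, so those still start a new ph2. */
static int recv_acquire_checked(const struct acquire *a)
{
    if (find_pending_ph2(a->policy_id)) {
        printf("ignore ACQUIRE %s->%s: ph2 for policy %u in progress\n",
               a->src, a->dst, a->policy_id);
        return 1;
    }
    return start_ph2(a->policy_id) ? 0 : -1;
}

typedef int (*acquire_fn)(const struct acquire *);

/* Constructed sequence from the report: ping -> ACQUIRE; kernel re-sends it
 * before phase 2 completes; then every negotiation completes.
 * Returns the SA count in the SAD: 8 with the naive handler, 4 with the fix. */
static int simulate_duplicate_acquire(acquire_fn handler)
{
    const struct acquire a = { "10.0.0.1", "10.0.0.2", 1 };   /* constructed */
    reset();
    handler(&a);
    handler(&a);
    for (size_t i = 0; i < nph2; i++)
        complete_ph2(&ph2tab[i]);
    return sad_entries;
}

/* The check must not suppress legitimate later ACQUIREs: number of
 * negotiations started when a second ACQUIRE arrives after the first reached
 * the given terminal state (ESTABLISHED = rekey, FAILED = retry). */
static size_t simulate_later_acquire(acquire_fn handler, enum ph2_status terminal)
{
    const struct acquire a = { "10.0.0.1", "10.0.0.2", 1 };   /* constructed */
    reset();
    handler(&a);
    if (terminal == PH2_ESTABLISHED)
        complete_ph2(&ph2tab[0]);
    else
        ph2tab[0].status = terminal;
    handler(&a);
    return nph2;
}

int main(void)
{
    printf("naive:   %d SAs\n", simulate_duplicate_acquire(recv_acquire_naive));
    printf("checked: %d SAs\n", simulate_duplicate_acquire(recv_acquire_checked));
    printf("checked, ACQUIRE after established: %zu ph2\n",
           simulate_later_acquire(recv_acquire_checked, PH2_ESTABLISHED));
    return 0;
}
```

The point a reviewer of such a check wants confirmed is the scope of the suppression: it must key on a negotiation that is still in flight, not on "an SA for this policy once existed", otherwise the daemon would also swallow the ACQUIREs the kernel sends for rekeying or after a failed exchange.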

Comment 1 George C. Wilson 2007-04-02 20:26:32 UTC
Joy has already submitted a patch to ipsec-tools. Will attach the patch to this bug.

Comment 2 Joy Latten 2007-04-02 20:56:34 UTC
Created attachment 151475 [details]
Patch to allow racoon to ignore extra ACQUIRES from kernel.

This patch was sent to the ipsec-tools list but I have not yet had any response
from the list.

Comment 3 Joy Latten 2007-04-02 20:57:32 UTC
Also, above patch was built against ipsec-tools cvs tree.

Comment 5 George C. Wilson 2007-04-09 20:16:29 UTC
sgrubb: Got OK to build.

Comment 6 George C. Wilson 2007-04-10 15:35:17 UTC
Joy, this needs to be backported to RHEL5.

Comment 7 Steve Grubb 2007-04-10 20:39:35 UTC
ipsec-tools-0.6.5-6.3 was built to address this issue.

Comment 8 George C. Wilson 2007-04-11 23:47:38 UTC
Joy, can you verify that this is fixed in a build? Thanks.

Comment 9 Joy Latten 2007-04-12 21:26:34 UTC
I just tested this and it appears to be working well. Did not see any duplicate

Comment 10 Issue Tracker 2007-06-27 17:31:00 UTC
Closing issue per last update.
Thank You
Joe Kachuck

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.1'

This event sent from IssueTracker by jkachuck, issue 117513
