[Bug 867055] New: ipsec-tools not working in specific setup

older
[Bug 856625] New: systemd fails to...

bugzilla_noreply＠novell.com

6 Mar 2014 6 Mar '14

06:43

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c0 Summary: ipsec-tools not working in specific setup Classification: openSUSE Product: openSUSE 13.1 Version: Final Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: Network AssignedTo: jbohac@suse.com ReportedBy: meissner@suse.com QAContact: qa-bugs@suse.de CC: mt@suse.com Found By: --- Blocker: --- customer report via security@suse.de Date: Thu, 06 Mar 2014 15:07:41 +1100 Subject: [security@suse.de] [DOS][openSuSE13.1] ipsec-tools-0.7.3-29.2.2 Hi, I have found an issue that causes IPSEC to fail in unexpected ways. This was discovered in the process of upgrading some router/firewalls from openSuSE 12.1 to openSuSE 13.1. It was found that simple IPSEC setups do indeed work, but the more complicated setup in use here fails. Impact: The following scenario *DOES* work with the RPM as supplied network -- router/fw == ipsec tunnel == router/fw -- network The following scenario *FAILS* to work with the RPM as supplied network -- router -- network -- router/fw == ipsec tunnel == router/fw -- network -- router -- network Reason: In the SPD no forward rules are installed. Workaround: 1. install ipsec-tools-0.7.3-19.1.3 (from openSuSE 12.1) - all others between openSuSE 12.1 and openSuSE 13.1 are similarly broken. alternatively 2. recompile ipsec-tools-0.7.3-29.2.2.src.rpm on a machine with openSuSE 12.1 build environment. If you have any further queries, please do not hesitate to contact me. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

6 Mar 6 Mar

21:39

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c1 Jiri Bohac changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED --- Comment #1 from Jiri Bohac 2014-03-06 22:39:21 CET --- It's most likely caused by an error during build, where ./configure does not detect it's running on linux and does not configure HAVE_POLICY_FWD. setkey then does not support the -r and -k options and does not turn on the RFC compatibility mode by default, thus not duplicating "in" policies as "fwd" policies. Tom Burkart, the original reporter: Can you please try with a fixed package from https://build.opensuse.org/package/binaries/home:jbohac:branches:openSUSE:13... ? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

21:44

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c2 Jiri Bohac changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |andreas.mueller@hsr.ch --- Comment #2 from Jiri Bohac 2014-03-06 22:44:09 CET --- *** Bug 840818 has been marked as a duplicate of this bug. *** http://bugzilla.novell.com/show_bug.cgi?id=840818 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10 Mar 10 Mar

03:55

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c3 Tom Burkart changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |suse@aussec.com --- Comment #3 from Tom Burkart 2014-03-10 03:55:50 UTC --- (In reply to comment #1) Short answer: now no policies are loaded at all (only defaults) Will do more testing -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Mar 11 Mar

09:13

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c4 --- Comment #4 from Tom Burkart 2014-03-11 09:13:22 UTC --- SPD policies will load if setkey is run manually with "setkey -f /etc/racoon/setkey.conf". After a reboot the policies are only the default ones (racoon is running). I have recompiled your SRPM (on a 13.1 build system) here and have the same issue. It does not seem to matter that ipsec.h is not found as I have recompiled either way and found the same issue. After a lot of experimenting, my setup with my recompiled ipsec-tools-0.7.3-29.2.2 (12.1 build system) is now also broken. Don't know why but it shows no policies. I have gone back to ipsec-tools-0.7.3-19.1.3 (so I have a working system). I also noticed that 19.1.3 has a {/var}/run/racoon directory, whereas this is gone in 29.4.1 which also broke my config. When using ipsec-tools-0.7.3-29.4.1.i586.rpm: If I disable the service and then manually start setkey (systemctl start racoon-setkey.service) and finally racoon.service - then it works as it should. I am starting to think that there is a systemd interaction that is now causing problems. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14:56

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c5 Jiri Bohac changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |suse@aussec.com --- Comment #5 from Jiri Bohac 2014-03-11 15:56:56 CET --- Perhaps the old version of ipsec-tools left over its init file in /etc/init.d/racoon that now interferes with the service files provided by systemd? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12 Mar 12 Mar

07:25

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c6 Tom Burkart changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|suse@aussec.com | --- Comment #6 from Tom Burkart 2014-03-12 07:25:33 UTC --- There are no stray system V init files and all the systemd init files look fine to me. For some reason when systemd runs the "setkey -f /etc/racoon/setkey.conf" it does not seem to work, yet when it is run on the command line, it does work. The end result is that the r29.4.1 RPM does its job once setkey is started properly. BTW, when I was mentioning the /var/run/racoon directory in 29.4.1, I was not aware of the /usr/lib/tmpfiles.d setup, which for some reason did not work at the time but now does. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14:00

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c7 --- Comment #7 from Bernhard Wiedemann 2014-03-12 15:00:23 CET --- This is an autogenerated message for OBS integration: This bug (867055) was mentioned in https://build.opensuse.org/request/show/225695 Factory / ipsec-tools -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13 Mar 13 Mar

07:08

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c9 --- Comment #9 from Tom Burkart 2014-03-13 07:08:48 UTC --- I have written a bash shim that was logging what happens with setkey. The secret is that as soon as setkey properly finishes (ie fully loads all policies), systemd is calling the ExecStop function which is also evident from the systemd status output below. The machine had been freshly rebooted so PIDs should still be monotonic increasing. fw1:~ # systemctl status racoon-setkey.service racoon-setkey.service - Racoon IPSEC policies Loaded: loaded (/usr/lib/systemd/system/racoon-setkey.service; enabled) Active: inactive (dead) since Thu 2014-03-13 17:30:42 EST; 5min ago Process: 2412 ExecStop=/usr/sbin/setkey $SETKEY_FLUSH_OPTIONS (code=exited, status=0/SUCCESS) Process: 1892 ExecStart=/usr/sbin/setkey $SETKEY_OPTIONS -f /etc/racoon/setkey.conf (code=exited, status=0/SUCCESS) Main PID: 1892 (code=exited, status=0/SUCCESS) CGroup: /system.slice/racoon-setkey.service Mar 13 17:30:42 fw1 systemd[1]: Started Racoon IPSEC policies. Systemd configuration fix: --- /usr/lib/systemd/system/racoon-setkey.service 2014-03-12 18:00:41.000000000 +1100 +++ /etc/systemd/system/racoon-setkey.service 2014-03-13 18:01:54.480678146 +1100 @@ -6,6 +6,7 @@ [Service] Type=oneshot +RemainAfterExit=yes EnvironmentFile=-/etc/sysconfig/racoon ExecStart=/usr/sbin/setkey $SETKEY_OPTIONS -f /etc/racoon/setkey.conf ExecStop=/usr/sbin/setkey $SETKEY_FLUSH_OPTIONS -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:00

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c10 --- Comment #10 from Bernhard Wiedemann 2014-03-13 11:00:38 CET --- This is an autogenerated message for OBS integration: This bug (867055) was mentioned in https://build.opensuse.org/request/show/225783 13.1 / ipsec-tools https://build.opensuse.org/request/show/225787 13.1 / ipsec-tools -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:01

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c11 Jiri Bohac changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |maintenance@opensuse.org --- Comment #11 from Jiri Bohac 2014-03-13 11:01:07 CET --- Great, thanks for debugging this. This second problem has also been reported as bnc#856625. Fixed packages now in http://download.opensuse.org/repositories/home:/jbohac:/branches:/openSUSE:/... Created maintenance request 225787. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:05

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c12 --- Comment #12 from Jiri Bohac 2014-03-13 11:05:41 CET --- maintenance request for openSUSE12.3: 225790 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:00

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c13 --- Comment #13 from Bernhard Wiedemann 2014-03-13 12:00:15 CET --- This is an autogenerated message for OBS integration: This bug (867055) was mentioned in https://build.opensuse.org/request/show/225789 12.3 / ipsec-tools https://build.opensuse.org/request/show/225790 12.3 / ipsec-tools -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:00

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c14 Tom Burkart changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|maintenance@opensuse.org | --- Comment #14 from Tom Burkart 2014-03-13 12:00:30 UTC --- (In reply to comment #11)

...

bnc#856625. Fixed packages now in r29.5.1 works correctly here (BTW, using i586 or rather i686 machines here as fw's)

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

20 Mar 20 Mar

09:02

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c15 --- Comment #15 from Bernhard Wiedemann 2014-03-20 10:02:28 CET --- This is an autogenerated message for OBS integration: This bug (867055) was mentioned in https://build.opensuse.org/request/show/226831 Factory / ipsec-tools -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:04

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c16 --- Comment #16 from Swamp Workflow Management 2014-03-20 10:04:34 UTC --- openSUSE-RU-2014:0407-1: An update that has one recommended fix can now be installed. Category: recommended (low) Bug References: 867055 CVE References: Sources used: openSUSE 12.3 (src): ipsec-tools-0.7.3-26.5.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:05

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c17 --- Comment #17 from Swamp Workflow Management 2014-03-20 10:05:12 UTC --- openSUSE-RU-2014:0409-1: An update that has two recommended fixes can now be installed. Category: recommended (low) Bug References: 856625,867055 CVE References: Sources used: openSUSE 13.1 (src): ipsec-tools-0.7.3-29.5.2 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:04

New subject: [Bug 867055] ipsec-tools not working in specific setup

https://bugzilla.novell.com/show_bug.cgi?id=867055 https://bugzilla.novell.com/show_bug.cgi?id=867055#c18 Jiri Bohac changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #18 from Jiri Bohac 2014-03-20 12:04:33 CET --- Ok, fixed, thanks everyone. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

3696

Age (days ago)

3710

Last active (days ago)

List overview

Download

17 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 867055] New: ipsec-tools not working in specific setup

tags

participants (1)