https://bugzilla.novell.com/show_bug.cgi?id=339674#c1 Thomas Biege changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |security-team@suse.de, jbohac@novell.com AssignedTo|security-team@suse.de |jshi@novell.com --- Comment #1 from Thomas Biege 2007-11-06 23:28:56 MST --- reassigning to maintainer -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674#c3 --- Comment #3 from Li Bin 2007-11-20 22:05:51 MST --- Created an attachment (id=184154) --> (https://bugzilla.novell.com/attachment.cgi?id=184154) script for trouble shooting Hi, David. Would mind run our troubleshooting script in your environment, then send back the tar file to us for getting more information about this bug. Thanks! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674 Li Bin changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO Info Provider| |david.mattes@boeing.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674#c6 David Mattes changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED Info Provider|david.mattes@boeing.com | --- Comment #6 from David Mattes 2007-11-26 08:56:42 MST --- After applying the patch, racoon does not crash and the VPN tunnel is established. However, my patch just avoids the problem, it does not fix it. I believe the problem must be in the nortel plugin code, because that is where that attribute is handled. Finally (as expected), when I use the above patch, I don't get any of the split tunnel routes loaded into my routing table except for my local subnet. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674#c8 David Mattes changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED Info Provider|david.mattes@boeing.com | --- Comment #8 from David Mattes 2007-11-27 10:28:25 MST --- Here you go. The racoon binary shipped in novell-ipsec-tools-0.6.3-26.14 is stripped. I can rebuild it with debugging symbols if you need me to. A3945578!mattes# gdb /usr/sbin/racoon -c core GNU gdb 6.6 Copyright (C) 2006 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "x86_64-suse-linux"... (no debugging symbols found) Using host libthread_db library "/lib64/libthread_db.so.1". Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done. Loaded symbols for /lib64/libresolv.so.2 Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done. Loaded symbols for /lib64/libdl.so.2 Reading symbols from /lib64/libcrypt.so.1... (no debugging symbols found)...done. Loaded symbols for /lib64/libcrypt.so.1 Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done. Loaded symbols for /lib64/libc.so.6 Reading symbols from /lib64/ld-linux-x86-64.so.2... (no debugging symbols found)...done. Loaded symbols for /lib64/ld-linux-x86-64.so.2 Reading symbols from /usr/lib/turnpike/plugins/libnortel.so...(no debugging symbols found)...done. Loaded symbols for /usr/lib/turnpike/plugins/libnortel.so Core was generated by `racoon -F -f /etc/racoon/racoon.conf'. Program terminated with signal 11, Segmentation fault. #0 0x0000000000000010 in ?? () (gdb) bt #0 0x0000000000000010 in ?? () #1 0x0000000000007090 in ?? () #2 0x0000000000000010 in ?? () #3 0x0000000000007190 in ?? () #4 0x0000000000000010 in ?? () #5 0x0000000000007390 in ?? () #6 0x0000000000000010 in ?? () #7 0x0000000000007590 in ?? () #8 0x0000000000000010 in ?? () #9 0x0000000000007cc0 in ?? () #10 0x0000000000000010 in ?? () #11 0x000000000000a1c0 in ?? () #12 0x0000000000000010 in ?? () #13 0x00000000002c21c0 in ?? () #14 0x0000000000000017 in ?? () #15 0x00000000003021c0 in ?? () #16 0x0000000000000018 in ?? () #17 0x00000000003121c0 in ?? () #18 0x0000000000000018 in ?? () #19 0x00000000003221c0 in ?? () #20 0x0000000000000018 in ?? () #21 0x00000000003421c0 in ?? () #22 0x0000000000000016 in ?? () #23 0x00000000003821c0 in ?? () #24 0x0000000000000015 in ?? () #25 0x00000000003d21c0 in ?? () #26 0x0000000000000018 in ?? () #27 0x00000000003e21c0 in ?? () #28 0x0000000000000018 in ?? () #29 0x00000000004021c0 in ?? () #30 0x0000000000000013 in ?? () #31 0x0000000000002ac0 in ?? () #32 0x0000000000000010 in ?? () #33 0x00000000000030c0 in ?? () #34 0x0000000000000014 in ?? () #35 0x00000000001030c0 in ?? () #36 0x0000000000000016 in ?? () ---Type <return> to continue, or q <return> to quit--- #37 0x00000000001430c0 in ?? () #38 0x0000000000000018 in ?? () #39 0x00000000001530c0 in ?? () #40 0x0000000000000018 in ?? () #41 0x00000000001830c0 in ?? () #42 0x0000000000000015 in ?? () #43 0x00000000000036c0 in ?? () #44 0x0000000000000014 in ?? () #45 0x00000000008036c0 in ?? () #46 0x0000000000000011 in ?? () #47 0x00000000001036c0 in ?? () #48 0x0000000000000015 in ?? () #49 0x00000000001836c0 in ?? () #50 0x0000000000000016 in ?? () #51 0x00000000001c36c0 in ?? () #52 0x0000000000000017 in ?? () #53 0x00000000001f36c0 in ?? () #54 0x0000000000000018 in ?? () #55 0x00000000002036c0 in ?? () #56 0x0000000000000013 in ?? () #57 0x00000000004036c0 in ?? () #58 0x0000000000000012 in ?? () #59 0x00000000000041c0 in ?? () #60 0x0000000000000010 in ?? () #61 0x0000000000004cc0 in ?? () #62 0x0000000000000010 in ?? () #63 0x00000000000b4fc0 in ?? () #64 0x0000000000000018 in ?? () #65 0x00000000001021c7 in ?? () #66 0x0000000000000015 in ?? () #67 0x0000000000ffafcd in ?? () #68 0x0000000000000018 in ?? () #69 0x00000000000002a4 in ?? () #70 0x00007fff1fb15120 in ?? () #71 0x00007fff1fb151e8 in ?? () #72 0x0000000000435011 in isakmp_handler () #73 0x000000000042f456 in session () ---Type <return> to continue, or q <return> to quit--- #74 0x000000000042ec27 in main () (gdb) (gdb) (gdb) (gdb) quit -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674 Li Bin changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO Info Provider| |david.mattes@boeing.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674#c11 David Mattes changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED Info Provider|david.mattes@boeing.com | --- Comment #11 from David Mattes 2007-11-29 09:39:33 MST --- I ran a version of racoon with debugging symbols, but I am having problems with the nortel plugin you provided. I'm running x86_64 and in order to get the debug plugin to open, I had to run racoon with linux32. When I do this, I can't get racoon to crash, even though the behavior is the same - the VPN IP address is set to the split tunnel route that the plugin normally crashes on. So there's some strangeness going on that may need some more work to figure out what's happening. Anyway, here is some debug info when I don't run racoon with linux32. Unfortunately it crashes in a different place, when it starts the ISAKMP Phase 1 negotiation. about to call so: /usr/lib/turnpike/plugins/libnortel.so plugin name is :nortel Failed opening so:/usr/lib/turnpike/plugins/libnortel.so, dlopen returned error:/usr/lib/turnpike/plugins/libnortel.so: wrong ELF class: ELFCLASS32 Program received signal SIGHUP, Hangup. 0x00002acd629c3e87 in kill () from /lib64/libc.so.6 (gdb) cont Continuing. Program received signal SIGSEGV, Segmentation fault. isakmp_plist_set_all (plist=0x7fff4857e5a8, iph1=0x692ad0) at isakmp.c:2907 2907 tlen += ptr->payload->l + sizeof (struct isakmp_gen); (gdb) bt #0 isakmp_plist_set_all (plist=0x7fff4857e5a8, iph1=0x692ad0) at isakmp.c:2907 #1 0x000000000043a38b in agg_i1send (iph1=0x692ad0, msg=<value optimized out>) at isakmp_agg.c:318 #2 0x0000000000432c8c in isakmp_ph1begin_i (rmconf=<value optimized out>, remote=0x692a90, local=<value optimized out>) at isakmp.c:1046 #3 0x000000000044b56c in admin_handler () at admin.c:494 #4 0x000000000042f5e6 in session () at session.c:202 #5 0x000000000042ec27 in main (ac=4, av=0x7fff4857fdb8) at main.c:247 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674#c13 --- Comment #13 from Li Bin 2007-12-03 03:43:26 MST --- Hi, David. In Comment #11 you said the racoon don't crash in 32-bit computer, so dis it crash just in sometimes or all the times in 32-bit computer? From this comment the racoon should be crash at cfgAckBifurcationCallback, which is the "split tunnel" function in plugin. But now I didn't know why? Maybe I'll add some more debug info and reply you later. (In reply to comment #12 from David Mattes)

I tried on a 32-bit computer. I still couldn't get anything useful out of gdb. But the following did show up in the syslog just before racoon crashed.

A3945578!mattes bugzilla> cat bug.txt Nov 29 09:28:07 e061240 racoon: DEBUG: ==> Enter cfgAckIPv4Callback... Nov 29 09:28:07 e061240 racoon: DEBUG: ASSIGNED IP ADDRESS IS 6047090 Nov 29 09:28:07 e061240 racoon: DEBUG: Acking INTERNAL IP Nov 29 09:28:07 e061240 racoon: DEBUG: Unexpected SET attribute 6 Nov 29 09:28:07 e061240 racoon: DEBUG: Unexpected SET attribute 16392 Nov 29 09:28:07 e061240 racoon: DEBUG: ==> Enter cfgAckKACallback... Nov 29 09:28:07 e061240 racoon: DEBUG: KA IN SECS IS 384 Nov 29 09:28:07 e061240 racoon: DEBUG: Acking KA Nov 29 09:28:07 e061240 racoon: DEBUG: Unexpected SET attribute 16394 Nov 29 09:28:07 e061240 racoon: DEBUG: ==> Enter cfgAckIPv4MaskCallback... Nov 29 09:28:07 e061240 racoon: DEBUG: Acking INTERNAL IP MASK Nov 29 09:28:07 e061240 racoon: DEBUG: ==> Enter cfgAckIPv4DnsCallback... Nov 29 09:28:07 e061240 racoon: DEBUG: Acking INTERNAL IP DNS Nov 29 09:28:07 e061240 racoon: DEBUG: ==> Enter cfgAckIPv4DnsCallback... Nov 29 09:28:07 e061240 racoon: DEBUG: Acking INTERNAL IP DNS Nov 29 09:28:07 e061240 racoon: DEBUG: Unexpected SET attribute 4 Nov 29 09:28:07 e061240 racoon: DEBUG: Unexpected SET attribute 4 Nov 29 09:28:07 e061240 racoon: DEBUG: ==> Enter cfgAckBifurcationCallback...

What next?

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674 User bili@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=339674#c15 Li Bin changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO Info Provider| |david.mattes@boeing.com --- Comment #15 from Li Bin 2007-12-03 22:56:10 MST --- Hi, David. I've reviewed the code, and found the tunnel list max number is 20, so it's the reason for crash. Now I change the plugin's code and package in the x86_64 and i386 platform. So now you can get it from the attachments and try them all, if it's not crash on, I'll close this bug. If not, just give me the log. Thanks for your help! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674 User bili@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=339674#c17 --- Comment #17 from Li Bin 2007-12-04 00:40:02 MST --- Created an attachment (id=185731) --> (https://bugzilla.novell.com/attachment.cgi?id=185731) the rpm for x86_64 platform If you visit the novell's innerweb, you could download from here: http://w3.suse.de/~bili/novell-nortelplugins-0.1.2-6.18.x86_64.rpm -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674 User bili@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=339674#c19 Li Bin changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO Info Provider| |ast@novell.com --- Comment #19 from Li Bin 2007-12-04 19:07:01 MST --- Hi, David. It's a good idea for opening another bug. If you don't mind we'll discuss this problem after you open another bug. Thanks! And I'll submit this bug to QA(ast@novell.com) for updating the new version, then close it. (In reply to comment #18 from David Mattes)

That did the trick for the split tunnel! Thanks!

BTW, I have another VPN issue - you may want me to open another bug. It appeared with novell-ipsec-tools-0.6.3-26.14 (SLED10SP1) as a regression from novell-ipsec-tools-0.6.3-26.4 (SLED10). When I connect with 26.4 the relevant entries in syslog are: racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.1[0]->192.168.1.150[0] racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.150[0]->10.0.0.1[0]

And the tunnel works fine. But when I connect with 26.14 these change to: racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.1[500]->192.168.1.150[500] racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.150[500]->10.0.0.1[500]

And then I get a constant (~1/sec) stream of the following: racoon: DEBUG: KA: 192.168.1.150[500]->10.0.0.1[500] racoon: DEBUG: sockname 192.168.1.150[500] racoon: DEBUG: send packet from 192.168.1.150[500] racoon: DEBUG: send packet to 10.0.0.1[500] racoon: DEBUG: src4 192.168.1.150[500] racoon: DEBUG: dst4 10.0.0.1[500] racoon: DEBUG: 1 times of 1 bytes message will be sent to 10.0.0.1[500] racoon: DEBUG: ff

The only difference I can see is the change from ip[0] to ip[500], going from version 26.4 to version 26.14. What is the [500], and why did that change between the two versions? Is this a config option?

Thanks!

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674 User hmuelle@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=339674#c24 Harald Mueller-Ney changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |hmuelle@novell.com Status|NEEDINFO |ASSIGNED Info Provider|hmuelle@novell.com | --- Comment #24 from Harald Mueller-Ney 2007-12-10 04:10:07 MST --- (In reply to comment #19 from Bin Li)

Hi, David. It's a good idea for opening another bug. If you don't mind we'll discuss this problem after you open another bug. Thanks! And I'll submit this bug to QA(ast@novell.com) for updating the new version, then close it.

What do you mean bei "updating the new version? Is your intention to ask for an maintenance update, we should release to all SLE10 customers? Looking at the bug, it sound reasonable, but we should fix the other issue first and release both packages fied in one update. Do we already have a bug for the other issue? We need to connect both bugs, this one blocks the other. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674 User hmuelle@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=339674#c26 Harald Mueller-Ney changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |346211 Status|NEEDINFO |ASSIGNED Info Provider|hmuelle@novell.com | --- Comment #26 from Harald Mueller-Ney 2007-12-11 03:22:40 MST --- Exactly. Setting this one blocking 346211 (we need to release both together). It is fine to ask "maintenance" for an maintenance update in the other bug by setting needinfo to ast@novell.com but you should explicitely mention this bug so that whoever will answer for maintenance is aware that both fixes should be released together. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674 User hmuelle@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=339674#c29 Harald Mueller-Ney changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |NTS_Public --- Comment #29 from Harald Mueller-Ney 2008-02-13 04:03:14 MST --- Use SWAMPID: 16307 for releasing a patch update for both bugs: 339674, 346211 All packages could go into one patchinfo. A patch update is solving one or more related issues. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674 User bili@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=339674#c31 --- Comment #31 from Li Bin 2008-02-14 01:35:45 MST --- (In reply to comment #30 from Uwe Drechsel)

openSUSE is not covered by L3 support, which is needed here. A fix is going to be released as Maintenance Update for SUSE Linux Enterprise Desktop.

I assume you need the fix for SLED, right?

Yes, and also I've submit the new package to STABLE for next release for OpenSUSE 11 and SLED10 SP2. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=339674 User ast@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=339674#c34 --- Comment #34 from Anja Stock 2008-08-01 09:22:47 MDT --- released -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.