[Bug 346211] New: racoon (novell-ipsec-tools pkg) can build tunnels but no traffic gets through
https://bugzilla.novell.com/show_bug.cgi?id=346211

Summary: racoon (novell-ipsec-tools pkg) can build tunnels but no traffic gets through
Product: SUSE Linux 10.1
Version: Final
Platform: x86-64
OS/Version: SLED 10
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: david.mattes@boeing.com
QAContact: qa@suse.de
CC: stingleff@novell.com, bili@novell.com
Found By: Customer

I am using novell-ipsec-tools, along with turnpike, to build VPN tunnels. VPN tunnels have been and are still successfully established but VPN traffic stopped flowing with novell-ipsec-tools-0.6.3-26.14 (SLED10SP1) as a regression from novell-ipsec-tools-0.6.3-26.4 (SLED10).

When I connect with 26.4 (when it works) the relevant entries in syslog are:

    racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.1[0]->192.168.1.150[0]
    racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.150[0]->10.0.0.1[0]

And the tunnel works fine. But when I connect with 26.14 these change to:

    racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.1[500]->192.168.1.150[500]
    racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.150[500]->10.0.0.1[500]

And then when I try to send data through the tunnel I get a constant (~1/sec) stream of the following:

    racoon: DEBUG: KA: 192.168.1.150[500]->10.0.0.1[500]
    racoon: DEBUG: sockname 192.168.1.150[500]
    racoon: DEBUG: send packet from 192.168.1.150[500]
    racoon: DEBUG: send packet to 10.0.0.1[500]
    racoon: DEBUG: src4 192.168.1.150[500]
    racoon: DEBUG: dst4 10.0.0.1[500]
    racoon: DEBUG: 1 times of 1 bytes message will be sent to 10.0.0.1[500]
    racoon: DEBUG: ff

The only difference I can see is the change from ipaddr[0] to ipaddr[500], going from version 26.4 to version 26.14. What is the [500], and why did that change between the two versions? Is this a config option?

Thanks!
-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c1

--- Comment #1 from Li Bin <bili@novell.com> 2007-12-05 19:21:05 MST ---
Created an attachment (id=186102)
 --> (https://bugzilla.novell.com/attachment.cgi?id=186102)
vpn_TroubleShooting script

Hi, David. :) Nice to meet you again.

First, we added KeepAlive support in the new version, but I'm not sure when these versions were released. So I need you to run the troubleshooting script in the different versions for more information.

Second, port 500 is used for ISAKMP. The KeepAlive packets also use this port.

    racoon: DEBUG: KA: 192.168.1.150[500]->10.0.0.1[500]
    racoon: DEBUG: sockname 192.168.1.150[500]
    racoon: DEBUG: send packet from 192.168.1.150[500]
    racoon: DEBUG: send packet to 10.0.0.1[500]
    racoon: DEBUG: src4 192.168.1.150[500]
    racoon: DEBUG: dst4 10.0.0.1[500]
    racoon: DEBUG: 1 times of 1 bytes message will be sent to 10.0.0.1[500]
    racoon: DEBUG: ff

These packets were just the KeepAlive packets.

Li Bin <bili@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
CC            |                         |allau@novell.com
Status        |NEW                      |NEEDINFO
Info Provider |                         |david.mattes@boeing.com

Thomas Biege <thomas@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
CC            |                         |security-team@suse.de
AssignedTo    |security-team@suse.de    |jshi@novell.com
Status        |NEEDINFO                 |NEW
Info Provider |david.mattes@boeing.com  |

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c2

Li Bin <bili@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
AssignedTo    |jshi@novell.com          |bili@novell.com
Status        |NEW                      |ASSIGNED

--- Comment #2 from Li Bin <bili@novell.com> 2007-12-06 22:20:06 MST ---
I'll take care of it. Any update, David?

Li Bin <bili@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
Status        |ASSIGNED                 |NEEDINFO
Info Provider |                         |david.mattes@boeing.com

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c3

--- Comment #3 from Li Bin <bili@novell.com> 2007-12-10 18:44:28 MST ---
Hi, David. Any update?

Harald Mueller-Ney <hmuelle@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
Depends on    |                         |339674

User david.mattes@boeing.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c4

--- Comment #4 from David Mattes <david.mattes@boeing.com> 2007-12-11 12:15:42 MST ---
I can not replicate the issue while I'm inside my corporate firewall. Inside the firewall, VPN traffic goes to a different server. I will run the troubleshooting script from home, outside the corporate firewall, as soon as I can.

User david.mattes@boeing.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c5

--- Comment #5 from David Mattes <david.mattes@boeing.com> 2007-12-19 08:29:17 MST ---
Created an attachment (id=188261)
 --> (https://bugzilla.novell.com/attachment.cgi?id=188261)
results of running vpn_Troubleshooting script

I have tried to redact private information from the output of the debugging script. I hope it doesn't interfere with your effort.

Thanks!

User david.mattes@boeing.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c6

David Mattes <david.mattes@boeing.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
Status        |NEEDINFO                 |ASSIGNED
Info Provider |david.mattes@boeing.com  |

--- Comment #6 from David Mattes <david.mattes@boeing.com> 2007-12-19 08:30:25 MST ---
Forgot to clear Needinfo flag.

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c7

--- Comment #7 from Li Bin <bili@novell.com> 2008-01-07 02:39:01 MST ---
Hi, David. Sorry for the late update due to vacation; I'll reply to you this week.

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c8

Li Bin <bili@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
Status        |ASSIGNED                 |NEEDINFO
Info Provider |                         |david.mattes@boeing.com

--- Comment #8 from Li Bin <bili@novell.com> 2008-01-11 01:37:19 MST ---
Hi, David.

I reviewed your log, and I think it's not a bug. There are DNS packets in the captured file that didn't get through the tunnels. And your route table:

    0.0.0.0 dev eth1 scope link src 144.112.35.87 mtu 1436 advmss 1396
    130.76.32.73 via 192.168.1.1 dev eth1 mtu 1436 advmss 1396
    ..
    192.68.11.0/24 dev eth1 scope link src 144.112.35.87 mtu 1436 advmss 1396
    192.68.49.0/24 dev eth1 scope link src 144.112.35.87 mtu 1436 advmss 1396
    ..
    127.0.0.0/8 dev lo scope link
    default via 192.168.1.1 dev eth1

And your DNS server is 66.93.87.2, so it goes out through eth1 to 192.168.1.1 and does not pass through the tunnel. When a packet passes through the tunnel, the captured packet is in ESP format, and I saw a lot of these packets in your captured file.

From your log file, I found it's ok, not a bug.

If you have any problems, contact me. If not, I'll close this bug.

Thanks!
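
The route-table reasoning in comment #8, as an added example that is not part of the original thread: a longest-prefix lookup over the routes quoted there, showing which route a destination such as the DNS server 66.93.87.2 selects. Treating routes that carry `src 144.112.35.87` as the tunnel-bound ones is an assumption of this example, the ".." elisions are not filled in, and 192.68.11.20 is a constructed test address.

```python
import ipaddress

# Routes exactly as quoted in comment #8; the ".." elisions there are not filled in.
ROUTES_TEXT = """\
0.0.0.0 dev eth1 scope link src 144.112.35.87 mtu 1436 advmss 1396
130.76.32.73 via 192.168.1.1 dev eth1 mtu 1436 advmss 1396
192.68.11.0/24 dev eth1 scope link src 144.112.35.87 mtu 1436 advmss 1396
192.68.49.0/24 dev eth1 scope link src 144.112.35.87 mtu 1436 advmss 1396
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth1
"""

# Assumption of this example: routes pinned to this source address are the
# ones whose traffic is carried by the tunnel.
VPN_SRC = "144.112.35.87"


def parse_routes(text):
    """Turn `ip route`-style lines into (network, attributes) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        # After the destination, every field is a keyword/value pair
        # (dev eth1, via 192.168.1.1, src ..., scope link, mtu ..., advmss ...).
        attrs = dict(zip(fields[1::2], fields[2::2]))
        routes.append((ipaddress.ip_network(dest), attrs))
    return routes


def lookup(dst, routes):
    """Ordinary longest-prefix match; returns None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, attrs) for net, attrs in routes if addr in net]
    if not matches:
        return None
    net, attrs = max(matches, key=lambda m: m[0].prefixlen)
    return {
        "route": str(net),
        "dev": attrs.get("dev"),
        "via": attrs.get("via"),
        "tunnel": attrs.get("src") == VPN_SRC,
    }


ROUTES = parse_routes(ROUTES_TEXT)

if __name__ == "__main__":
    for dst in ("66.93.87.2", "192.68.11.20", "130.76.32.73"):
        print(dst, lookup(dst, ROUTES))
```
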

User david.mattes@boeing.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c9

--- Comment #9 from David Mattes <david.mattes@boeing.com> 2008-01-11 10:35:13 MST ---
Well, my experience is that using novell-ipsec-tools-0.6.3-26.4 everything works fine (except there is an empty search domain in /etc/resolv.conf) and when I upgrade to novell-ipsec-tools-0.6.3-26.14 I don't see any traffic through the VPN. Let me spend a little time poking around before you close the bug.

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c10

--- Comment #10 from Li Bin <bili@novell.com> 2008-01-13 19:10:26 MST ---
Ok, if you reproduce again, send me back the log.

Thanks!

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c11

--- Comment #11 from Li Bin <bili@novell.com> 2008-01-30 23:38:02 MST ---
Hi, David.

China R&D will not be around from Feb 4th to Feb 15th, please let us know if you have any concern before the 4th. Or we will handle this after the 15th.

Thanks

User uwedr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c13

Uwe Drechsel <uwedr@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
CC            |                         |uwedr@novell.com

--- Comment #13 from Uwe Drechsel <uwedr@novell.com> 2008-02-13 04:44:17 MST ---
openSUSE is not covered by L3 support, which is needed here. A fix is going to be released as Maintenance Update for SUSE Linux Enterprise Desktop.

I assume you need the fix for SLED, right?

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c14

--- Comment #14 from Li Bin <bili@novell.com> 2008-02-14 01:35:27 MST ---
(In reply to comment #13 from Uwe Drechsel)
> openSUSE is not covered by L3 support, which is needed here. A fix is going to be released as Maintenance Update for SUSE Linux Enterprise Desktop.
>
> I assume you need the fix for SLED, right?

Yes, and also I've submitted the new package to STABLE for the next release for OpenSUSE 11 and SLED10 SP2.

Bug 346211 depends on bug 339674, which changed state.

Bug 339674 Summary: novell-nortelplugins causes racoon crash with split tunnel
https://bugzilla.novell.com/show_bug.cgi?id=339674

What          |Old Value                |New Value
----------------------------------------------------------------------------
Status        |NEEDINFO                 |RESOLVED
Resolution    |                         |FIXED

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c15

Li Bin <bili@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
Status        |NEEDINFO                 |RESOLVED
Info Provider |david.mattes@boeing.com  |
Resolution    |                         |FIXED

--- Comment #15 from Li Bin <bili@novell.com> 2008-02-15 01:05:51 MST ---
->Fixed.

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c18

Li Bin <bili@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
Status        |REOPENED                 |RESOLVED
Resolution    |                         |FIXED

--- Comment #18 from Li Bin <bili@novell.com> 2008-02-25 18:40:20 MST ---
->Fixed.

User stingleff@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c19

--- Comment #19 from Sam Tingleff <stingleff@novell.com> 2008-02-25 18:52:26 MST ---
Can you provide a ptf for David? When will this be released as a maintenance update?

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c20

--- Comment #20 from Li Bin <bili@novell.com> 2008-02-25 19:36:00 MST ---
Hi, Sam. We just provide a ptf for L3 bugs; if we provide a ptf, it must be marked as L3 by the L3 team. So does it need to be L3?

User stingleff@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c21

--- Comment #21 from Sam Tingleff <stingleff@novell.com> 2008-02-25 20:01:58 MST ---
We need a working build somehow... either as a maintenance update to SLED or as a ptf. Ideally a (quick) maintenance update to SLED so that all of Boeing can benefit.

User bili@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c22

Li Bin <bili@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
CC            |                         |gekker@novell.com

--- Comment #22 from Li Bin <bili@novell.com> 2008-02-25 20:22:23 MST ---
Sam, I've provided a patchinfo for a maintenance update to SLED, but it has not been accepted yet.

Gary, do we need to provide a ptf for this bug?

User gekker@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c23

Gary Ekker <gekker@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
Status        |RESOLVED                 |REOPENED
Resolution    |FIXED                    |

--- Comment #23 from Gary Ekker <gekker@novell.com> 2008-03-04 12:46:42 MST ---
Yes, a maintenance update I think.

User gekker@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c24

Gary Ekker <gekker@novell.com> changed:

What          |Removed                  |Added
----------------------------------------------------------------------------
Status        |REOPENED                 |NEEDINFO
Info Provider |                         |ast@novell.com

--- Comment #24 from Gary Ekker <gekker@novell.com> 2008-03-04 12:47:15 MST ---
Another one for a maintenance update, Anja. Thanks!

User ast@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=346211#c30

--- Comment #30 from Anja Stock <ast@novell.com> 2008-08-01 09:23:09 MDT ---
released