Racoon 0.7 fails with address already in use

Bug #332606 reported by Martin Fuzzey on 2009-02-21
Affects               Status        Importance  Assigned to
ipsec-tools (Debian)  Fix Released  Unknown
ipsec-tools (Fedora)  Fix Released  Medium
ipsec-tools (Ubuntu)                Undecided   Unassigned

Bug Description

Binary package hint: ipsec-tools

After upgrading from 8.04 to 8.10 (racoon 1:0.6.7-1ubuntu1 to 1:0.7-2.1ubuntu1), IPsec connections fail with these lines in the log:

Feb 21 16:04:15 portableHP racoon: INFO: ISAKMP-SA established 192.168.10.10[4500]-81.80.172.213[4500] spi:0574a13bd4c8aefe:e2d8e1c7f55e62cb
Feb 21 16:04:15 portableHP racoon-parkeon-phase1-up.sh: Starting
Feb 21 16:04:15 portableHP racoon-parkeon-phase1-up.sh: LOCAL_ADDR = 192.168.10.10
Feb 21 16:04:15 portableHP racoon-parkeon-phase1-up.sh: LOCAL_PORT = 4500
Feb 21 16:04:15 portableHP racoon-parkeon-phase1-up.sh: REMOTE_ADDR = 81.80.172.213
Feb 21 16:04:15 portableHP racoon-parkeon-phase1-up.sh: REMOTE_PORT = 4500
Feb 21 16:04:15 portableHP racoon-parkeon-phase1-up.sh: DEFAULT_GW = 192.168.10.2
Feb 21 16:04:15 portableHP racoon-parkeon-phase1-up.sh: INTERNAL_ADDR4 = 192.168.190.12
Feb 21 16:04:15 portableHP racoon-parkeon-phase1-up.sh: INTERNAL_DNS4 = 192.168.76.215
Feb 21 16:04:15 portableHP racoon-parkeon-phase1-up.sh: Setting up resolv.conf
Feb 21 16:04:15 portableHP racoon-parkeon-phase1-up.sh: Setting up routes
Feb 21 16:04:16 portableHP racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Feb 21 16:04:16 portableHP racoon: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
Feb 21 16:04:16 portableHP racoon: ERROR: failed to bind to address 127.0.0.1[4500] (Address already in use).
Feb 21 16:04:16 portableHP racoon: ERROR: failed to bind to address 192.168.10.10[500] (Address already in use).
Feb 21 16:04:16 portableHP racoon: ERROR: failed to bind to address 192.168.10.10[4500] (Address already in use).

i.e. just after phase 1 completes [the racoon-parkeon stuff is generated by my scripts].

The problem has already been fixed upstream (in their CVS) but not yet released, even in 0.7.1.

Applying the patch ipsec-tools-0.7-cvs-iface.patch contained in the tgz downloadable from https://bugzilla.redhat.com/show_bug.cgi?id=273261 fixes the problem.

For convenience I'm attaching the patch here too.

If there is no new upstream release soon, could this patch be applied by Ubuntu (or Debian), as Red Hat have done?

Cheers,

Martin

Description of problem:
Several bugs in latest ipsec-tools-0.7 prevent successful use as
a remote-access (road-warrior) client to a Cisco ASA 5500 vpn concentrator.

Attached are three patches which were also submitted to the upstream mailing
list which fix this problem.

Also attached are some packaging improvements: a phase1 mode config script,
an init script for the racoon daemon, and patches for the spec file to
incorporate the above mentioned patches and scripts.

Version-Release number of selected component (if applicable):
0.7

How reproducible:

Attempt to connect to a Cisco ASA in remote-access client mode with racoon.

Steps to Reproduce:
1. Configure racoon to connect to a Cisco ASA as suggested in the enclosed racoon.conf example.
2. Start the racoon daemon.
3. Run 'racoonctl vc <IP-of-Cisco-ASA>'.

Actual results:

vpn session fails to be established

Expected results:

successfully establish a vpn session

Additional info:

Uploading a tarball with the following content:

ipsec-tools.spec.diff               - changes to spec file
racoon.conf.diff                    - changes to included config file
ipsec-tools-0.7-cvs-dupmode.patch   - patch to handle dupe mode config packets
ipsec-tools-0.7-cvs-dupsplit.patch  - patch to handle dupe split networks
ipsec-tools-0.7-cvs-iface.patch     - patch to set SO_REUSEADDR on sockets
p1_up_down                          - phase1 mode config script
racoon.init                         - init script for racoon daemon
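The bind failures in the log above (a bind() that fails while an earlier socket still holds the port) and the fix the iface patch applies, as an added example that is not code from ipsec-tools or from the patch: two UDP sockets bound to the same loopback address and port succeed only when both have SO_REUSEADDR set. It assumes Linux socket semantics and uses an ephemeral loopback port in place of UDP 500/4500.

```c
/* Added example, not ipsec-tools code: racoon's "Address already in use" when
 * re-binding UDP sockets, and the SO_REUSEADDR fix. Assumes Linux, loopback. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to 127.0.0.1:port; returns the fd, or -1 with errno set. */
static int bind_udp(int port, int reuse)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port),
                               .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)) < 0 ||
        bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        int saved = errno;              /* close() must not clobber errno */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Bind the same loopback port twice (an ephemeral one, not 500/4500), with
 * SO_REUSEADDR set (reuse=1) or clear (reuse=0) on both sockets. Returns 0 if
 * the second bind succeeds, EADDRINUSE if it fails, -1 on a setup error. */
int rebind_result(int reuse)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int first = bind_udp(0, reuse);     /* port 0: kernel picks a free port */
    if (first < 0 || getsockname(first, (struct sockaddr *)&sin, &len) < 0) {
        if (first >= 0)
            close(first);
        return -1;
    }
    int second = bind_udp(ntohs(sin.sin_port), reuse);  /* same port again */
    int rc = (second < 0) ? errno : 0;
    if (second >= 0)
        close(second);
    close(first);
    return rc;
}
```

Calling rebind_result(0) reproduces the EADDRINUSE from the log and rebind_result(1) returns 0, because Linux only lets a UDP port be shared when every socket bound to it has the option set. That also means a daemon setting SO_REUSEADDR on a privileged port is relying on the port's privilege, not the kernel's bind conflict check, to keep other processes off it.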

Created attachment 184001
contents of file described in 'additional info' section of original report

Everything except the dupmode patch has been put into rawhide. The dupmode patch
wasn't accepted by upstream, but the others were.

This bz is now just for the dupmode patch, the others have been added. I'm going
to set this as needinfo from the reporter, and when upstream has resolved the
patch, please set it back to me.

Thanks.

Turns out the dupmode patch is unnecessary. We can work around that problem
by simply having the phase1_up script check for a previous execution (i.e.,
whether the private VPN address has already been configured on the default
network interface).

I'm uploading a new version of the p1_up_down script which contains this check.

The ipsec-tools maintainers also took issue with the ipcalc-based conversion of
dotted-quad netmask into CIDR notation, and a patch (also uploaded) was applied
to CVS which supplies the phase1 script with a list of split networks directly
in CIDR notation.

Created attachment 232941
fixed roadwarrior phase1 script

New script now checks for an already completed previous phase1_up execution.
Also eliminated conversion from dotted-quad netmask to CIDR notation, as
that functionality is being directly offered by racoon.

Created attachment 232951
offer list of split networks in CIDR notation to phase1 scripts

This is already in CVS, and is also required by the fixed phase1 p1_up_down script.

I'm sorry, I meant to get this change in with other recent patches. It's in
rawhide now, and after that's tested a bit I'll put it in F-8 also.

ipsec-tools-0.7-8.fc8 has been submitted as an update for Fedora 8

ipsec-tools-0.7-8.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update ipsec-tools'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-2661

Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

ipsec-tools-0.7.1-5.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/ipsec-tools-0.7.1-5.fc8

ipsec-tools-0.7.1-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Martin Fuzzey (mfuzzey) wrote :
Johnathon (kirrus) wrote :

Hi Martin.

Can you create a test-case for us, a step-by-step process that we can use to replicate the problem?

Changed in ipsec-tools:
status: New → Incomplete
Martin Fuzzey (mfuzzey) wrote :

Hi Johnathon

That's a bit difficult to do without giving you an account on my company's VPN (which I can't do).

Configuration is aggressive mode with X.509 certificates.

Connection establishment is requested using racoonctl.

Martin

Changed in ipsec-tools:
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ipsec-tools - 1:0.7.1-1.5ubuntu4

---------------
ipsec-tools (1:0.7.1-1.5ubuntu4) karmic; urgency=low

  * src/racoon/isakmp.c: Fix address already in use. (LP: #332606)

 -- Chuck Short <email address hidden> Tue, 15 Sep 2009 08:39:41 -0400

Changed in ipsec-tools (Ubuntu):
status: Incomplete → Fix Released
Changed in ipsec-tools (Debian):
status: Unknown → Fix Released
Changed in ipsec-tools (Fedora):
importance: Unknown → Medium