racoon segfaults when flushing SPD
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ipsec-tools (Debian) | Fix Released | Unknown | |
ipsec-tools (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
My IPsec tunnel is forming and working properly, but when I flush the SPD information manually, racoon segfaults:
service racoon start
setkey -f /etc/racoon/
# test tunnel: OK
# Remove SPD
cat << EOF | setkey -c
flush;
spdflush;
EOF
The last command gives this in /var/log/syslog:
Jan 9 14:04:06 simon-laptop racoon: ERROR: privsep_socket: unauthorized domain (15)
Jan 9 14:04:06 simon-laptop kernel: [91971.982694] racoon[27776]: segfault at 10 ip 00007f0908153029 sp 00007fff8b154dc0 error 4 in racoon[
$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
$ apt-cache policy racoon
racoon:
Installed: 1:0.8.0-3ubuntu1.1
Candidate: 1:0.8.0-3ubuntu1.1
Version table:
*** 1:0.8.0-3ubuntu1.1 0
500 http://
100 /var/lib/
1:
500 http://
$ apt-cache policy ipsec-tools
ipsec-tools:
Installed: 1:0.8.0-3ubuntu1.1
Candidate: 1:0.8.0-3ubuntu1.1
Version table:
*** 1:0.8.0-3ubuntu1.1 0
500 http://
100 /var/lib/
1:
500 http://
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: racoon 1:0.8.0-3ubuntu1.1
ProcVersionSign
Uname: Linux 3.0.0-15-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Mon Jan 9 14:06:25 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
ProcEnviron:
LANGUAGE=en_CA:en
PATH=(custom, no user)
LANG=en_CA.UTF-8
SHELL=/bin/bash
SourcePackage: ipsec-tools
UpgradeStatus: No upgrade log present (probably fresh install)
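For triage, the kernel segfault line quoted in the report can be decoded field by field. The following is an added example (not part of the original report or of ipsec-tools) that parses that line and interprets the x86 page-fault error code bits; the function name and the one-page (4 KiB) near-NULL threshold are assumptions of the example.

```python
import re

# Constructed sample: the kernel line from the report, truncated as on the page.
SAMPLE = ("Jan 9 14:04:06 simon-laptop kernel: [91971.982694] racoon[27776]: "
          "segfault at 10 ip 00007f0908153029 sp 00007fff8b154dc0 error 4 in racoon[")

# All numeric fields after "segfault at" are printed by the kernel in hex.
SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)")

PAGE_SIZE = 4096  # assumption: 4 KiB pages (x86_64 default)


def decode_segfault(line):
    """Return the decoded fields of a kernel 'segfault at' line, or None."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr = int(m["addr"], 16)
    err = int(m["err"], 16)
    if err & 16:
        access = "instruction fetch"
    elif err & 2:
        access = "write"
    else:
        access = "read"
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": addr,
        "ip": int(m["ip"], 16),
        "sp": int(m["sp"], 16),
        "page_present": bool(err & 1),  # bit 0: 0 = page not mapped
        "access": access,               # bit 1: write, bit 4: fetch
        "user_mode": bool(err & 4),     # bit 2: fault raised in user space
        # A fault inside the first page is consistent with reading a
        # structure member through a NULL pointer (here offset 0x10).
        "near_null": addr < PAGE_SIZE,
    }


if __name__ == "__main__":
    for key, value in decode_segfault(SAMPLE).items():
        print(f"{key}: {value}")
```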
Changed in ipsec-tools (Debian): status: Unknown → Confirmed
Changed in ipsec-tools (Debian): status: Confirmed → Fix Released
Here is my racoon configuration (remote IP obfuscated):
$ cat /etc/racoon/racoon.conf
privsep
{
    user "racoon";
    group "racoon";
}
log notify;
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";
remote 1.2.3.4 {
    exchange_mode main;
    nat_traversal on;
    certificate_type plain_rsa "/etc/racoon/local-key/sdeziel-laptop";
    peers_certfile plain_rsa "/etc/racoon/remote-key/sdeziel-fw.pub";
    peers_identifier fqdn "sdeziel-fw";
    my_identifier fqdn "sdeziel-laptop";
    verify_cert off;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp2048;
    }
}
sainfo anonymous {
    pfs_group modp2048;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
Note that the remote peer receives the SA deletion message even if racoon crashes.