racoon phase 2 negotiation fails with Win Vista/7

Bug #947309 reported by Kaarle Ritvanen on 2012-03-05
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ipsec-tools (Ubuntu)
Medium
Unassigned
Lucid
Undecided
Unassigned

Bug Description

SRU JUSTIFICATION

[Impact]

Use for interoperability with other VPN systems including use as a VPN concentrator is a major use case for ipsec-tools. A large number of users have Windows clients. This bug in ipsec-tools causes unreliable interoperability between Ubuntu and the Windows Vista and 7 VPN clients.

[Development Fix]

Fixed in upstream CVS, src/racoon/handler.c revisions 1.31 and 1.32 (see http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/handler.c?only_with_tag=MAIN). This fix went into upstream 0.8. Precise is at 1:0.8.0-9ubuntu1 so already includes this fix.

[Stable Fix]

See debdiff, attached.

[Test Case]

From http://comments.gmane.org/gmane.network.ipsec.tools.devel/2246, with thanks to Loren M. Lang:

A specific, repeatable test case I was using is as follows. Restart racoon daemon on Linux server. Initiate L2TP VPN connection on Windows 7 (while on same subnet as Linux server.) Verify VPN is working with ping from server. First attempt is always successful. Disconnect VPN. Racoon reports ISAKMP-SA deleted. Reconnect and VPN hangs negotiating phase 2. Last message from racoon reports ISAKMP-SA established. Initiate L2TP VPN from a separate Windows XP computer also on the same subnet as the Linux server. Verify VPN connection with ping from Linux and disconnect VPN. Repeat a second time and it still successful on XP. Make sure VPN is disconnected on XP and make a third attempt at VPN on Windows 7. It still fails like the second attempt.

[Regression Potential]

Upstream have been carrying this fix for over two years, and the fix is still present in upstream CVS HEAD. The original reporter has confirmed that this fix works without issues. Thus the potential for regressions is minimal.

ORIGINAL REPORT

Ubuntu release: 10.04
racoon package version: 1:0.7.1-1.6ubuntu1

IKE phase 2 negotiation fails with Windows Vista/7 L2TP clients if there already is a non-expired ESP SA for that client, created for the previous session. See the discussion here:

http://comments.gmane.org/gmane.network.ipsec.tools.devel/2246

The suggested correction is to update racoon to version 0.8.

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

racoon 0.8 is available in the current (non-LTS) release, Oneiric, and will also be in the upcoming LTS release.

> The suggested correction is to update racoon to version 0.8.

I understand that this issue is present in the current LTS release (10.04) and thus it is desirable to get this fixed. But we do not update packages in stable releases to new upstream versions in this way, in order to keep them stable. Instead, bugfixes need to be backported. See https://wiki.ubuntu.com/StableReleaseUpdates for reasons and the details of this process.

If this particular fix can be isolated then it can be fixed in an SRU (https://wiki.ubuntu.com/StableReleaseUpdates#Procedure). So if you could supply a minimal patch that fixes the issue in the current version in Lucid, then this would help.

Alternatively you can update to the current (non-LTS) release 11.10, or update to the upcoming LTS (due for release in April).

Changed in ipsec-tools (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
Robie Basak (racb) wrote :

I've marked this as Fix Released because the current development version is 0.8 and so presumably the bug is fixed in the current development version as per the bug report. I've nominated the fix for Lucid to keep the bug alive, even though we have no patch at this time.

Kaarle Ritvanen (kunkku) wrote :

This looks like the upstream bug report on the problem:

http://gnats.netbsd.org/42363

There are two patches changing a single line in handler.c. I haven't yet verified if these patches really solve the problem, though.

Robie Basak (racb) wrote :

Looks like this corresponds to upstream CVS 1.31 and 1.32 in handler.c: http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/handler.c?only_with_tag=MAIN

This change is still present in the current version in precise (1:0.8.0-9ubuntu1).

Kaarle: if I can arrange getting an upload sponsored, would you be willing to help this through the SRU procedure? The procedure is here: https://wiki.ubuntu.com/StableReleaseUpdates#Procedure. We'll need detailed instructions to reproduce the bug, and for you to test test a -proposed package for lucid and report back.

Kaarle Ritvanen (kunkku) wrote :

Yes, I can help with that.

Robie Basak (racb) wrote :

@Kaarle

Great!

As I'm not in a position to reproduce the bug and you haven't yet verified if the patch does solve the problem, I don't want to request a change to the official package just yet.

To make testing easier for you I've blindly applied the patch and uploaded an updated package to my PPA here: https://launchpad.net/~racb/+archive/experimental

Could you please try this package to see if this fixes your problem?

If it works for you, then I'll prepare an update to the official archive, we'll write an SRU justification and the package will be built in lucid-proposed for you to test the actual candidate package for the update. Once that passes verification then the update can be moved into lucid-updates.

Robie Basak (racb) wrote :

Kaarle,

Have you been able to test this yet?

Kaarle Ritvanen (kunkku) wrote :

I installed the patched package on my client's server a couple of weeks ago, and I haven't heard any complaints since. I haven't yet had the chance to personally verify the behavior, but I plan to do that when I'm visiting their site later this week.

Kaarle Ritvanen (kunkku) wrote :

All right, I did some testing today. The problem indeed disappears with the patched packages.

Robie Basak (racb) wrote :
description: updated
Martin Pitt (pitti) wrote :

Uploaded, unsubscribing sponsors. Thanks!

Changed in ipsec-tools (Ubuntu Lucid):
status: New → Fix Committed

Hello Kaarle, or anyone else affected,

Accepted ipsec-tools into lucid-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Robie Basak (racb) wrote :

Kaarle,

Any news on testing the -proposed packages please? Instructions above. Without this testing, the packages will end up getting dropped and not enter lucid-updates.

Kaarle Ritvanen (kunkku) wrote :

It's the same story as with your PPA package: I installed the proposed package 4 weeks ago and haven't heard any complaints. I suppose the package fixes the problem without regressions, but haven't yet had the possibility to personally verify this.

Is there some hard time limit before which the testing should be done? My current plan is to do it on week 24 when visiting my client next time. Is this all right (or do I need to set up my own test environment)?

Robie Basak (racb) wrote :

Kaarle,

I think that will be fine. The procedure lists the limit as six months. I appreciate your help in getting this update included in Lucid. Please let us know when you've got the fix verified.

Kaarle Ritvanen (kunkku) wrote :

I did some testing yesterday with the proposed package, and everything seems to work fine.

Clint Byrum (clint-fewbar) wrote :

Thanks for testing Kaarle, we'll release this to lucid-updates soon.

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ipsec-tools - 1:0.7.1-1.6ubuntu1.1

---------------
ipsec-tools (1:0.7.1-1.6ubuntu1.1) lucid-proposed; urgency=low

  * src/racoon/handler.c: fix phase 2 negotiation (LP: #947309).
    - Patch from upstream CVS revisions 1.31 and 1.32.
    - Fixes Vista and Windows 7 client support.
 -- Robie Basak <email address hidden> Fri, 09 Mar 2012 19:01:04 +0000

Changed in ipsec-tools (Ubuntu Lucid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers