Activity log for bug #947309

Date Who What changed Old value New value Message
2012-03-05 17:27:33 Kaarle Ritvanen bug added bug
2012-03-06 11:43:29 Robie Basak ipsec-tools (Ubuntu): status New Fix Released
2012-03-06 11:43:35 Robie Basak nominated for series Ubuntu Lucid
2012-03-06 11:43:52 Robie Basak ipsec-tools (Ubuntu): importance Undecided Medium
2012-03-06 11:48:48 Robie Basak bug added subscriber Robie Basak
2012-04-10 08:42:46 Robie Basak attachment added ipsec-tools.debdiff https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/947309/+attachment/3039038/+files/ipsec-tools.debdiff
2012-04-10 08:42:55 Robie Basak description Ubuntu release: 10.04 racoon package version: 1:0.7.1-1.6ubuntu1 IKE phase 2 negotiation fails with Windows Vista/7 L2TP clients if there already is a non-expired ESP SA for that client, created for the previous session. See the discussion here: http://comments.gmane.org/gmane.network.ipsec.tools.devel/2246 The suggested correction is to update racoon to version 0.8. SRU JUSTIFICATION [Impact] Use for interoperability with other VPN systems including use as a VPN concentrator is a major use case for ipsec-tools. A large number of users have Windows clients. This bug in ipsec-tools causes unreliable interoperability between Ubuntu and the Windows Vista and 7 VPN clients. [Development Fix] Fixed in upstream CVS, src/racoon/handler.c revisions 1.31 and 1.32 (see http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/handler.c?only_with_tag=MAIN). This fix went into upstream 0.8. Precise is at 1:0.8.0-9ubuntu1 so already includes this fix. [Stable Fix] See debdiff, attached. [Test Case] From http://comments.gmane.org/gmane.network.ipsec.tools.devel/2246, with thanks to Loren M. Lang: A specific, repeatable test case I was using is as follows. Restart racoon daemon on Linux server. Initiate L2TP VPN connection on Windows 7 (while on same subnet as Linux server.) Verify VPN is working with ping from server. First attempt is always successful. Disconnect VPN. Racoon reports ISAKMP-SA deleted. Reconnect and VPN hangs negotiating phase 2. Last message from racoon reports ISAKMP-SA established. Initiate L2TP VPN from a separate Windows XP computer also on the same subnet as the Linux server. Verify VPN connection with ping from Linux and disconnect VPN. Repeat a second time and it still successful on XP. Make sure VPN is disconnected on XP and make a third attempt at VPN on Windows 7. It still fails like the second attempt. [Regression Potential] Upstream have been carrying this fix for over two years, and the fix is still present in upstream CVS HEAD. The original reporter has confirmed that this fix works without issues. Thus the potential for regressions is minimal. ORIGINAL REPORT Ubuntu release: 10.04 racoon package version: 1:0.7.1-1.6ubuntu1 IKE phase 2 negotiation fails with Windows Vista/7 L2TP clients if there already is a non-expired ESP SA for that client, created for the previous session. See the discussion here: http://comments.gmane.org/gmane.network.ipsec.tools.devel/2246 The suggested correction is to update racoon to version 0.8.
2012-04-10 08:43:26 Robie Basak bug added subscriber Ubuntu Stable Release Updates Team
2012-04-10 08:43:36 Robie Basak bug added subscriber Ubuntu Sponsors Team
2012-04-16 10:08:40 Martin Pitt bug task added ipsec-tools (Ubuntu Lucid)
2012-04-16 10:14:19 Martin Pitt removed subscriber Ubuntu Sponsors Team
2012-04-16 10:14:29 Martin Pitt ipsec-tools (Ubuntu Lucid): status New Fix Committed
2012-04-20 22:04:23 Clint Byrum bug added subscriber SRU Verification
2012-04-20 22:04:26 Clint Byrum tags verification-needed
2012-04-22 09:17:20 Launchpad Janitor branch linked lp:ubuntu/lucid-proposed/ipsec-tools
2012-08-09 18:21:51 Clint Byrum tags verification-needed verification-done
2012-08-09 21:53:53 Colin Watson removed subscriber Ubuntu Stable Release Updates Team
2012-08-09 21:54:13 Launchpad Janitor ipsec-tools (Ubuntu Lucid): status Fix Committed Fix Released