2012-03-05 17:27:33 |
Kaarle Ritvanen |
bug |
|
|
added bug |
2012-03-06 11:43:29 |
Robie Basak |
ipsec-tools (Ubuntu): status |
New |
Fix Released |
|
2012-03-06 11:43:35 |
Robie Basak |
nominated for series |
|
Ubuntu Lucid |
|
2012-03-06 11:43:52 |
Robie Basak |
ipsec-tools (Ubuntu): importance |
Undecided |
Medium |
|
2012-03-06 11:48:48 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2012-04-10 08:42:46 |
Robie Basak |
attachment added |
|
ipsec-tools.debdiff https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/947309/+attachment/3039038/+files/ipsec-tools.debdiff |
|
2012-04-10 08:42:55 |
Robie Basak |
description |
Ubuntu release: 10.04
racoon package version: 1:0.7.1-1.6ubuntu1
IKE phase 2 negotiation fails with Windows Vista/7 L2TP clients if there already is a non-expired ESP SA for that client, created for the previous session. See the discussion here:
http://comments.gmane.org/gmane.network.ipsec.tools.devel/2246
The suggested correction is to update racoon to version 0.8. |
SRU JUSTIFICATION
[Impact]
Use for interoperability with other VPN systems, including use as a VPN concentrator, is a major use case for ipsec-tools. A large number of users have Windows clients. This bug in ipsec-tools causes unreliable interoperability between Ubuntu and the Windows Vista and 7 VPN clients.
[Development Fix]
Fixed in upstream CVS, src/racoon/handler.c revisions 1.31 and 1.32 (see http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/handler.c?only_with_tag=MAIN). This fix went into upstream 0.8. Precise is at 1:0.8.0-9ubuntu1 so already includes this fix.
[Stable Fix]
See debdiff, attached.
[Test Case]
From http://comments.gmane.org/gmane.network.ipsec.tools.devel/2246, with thanks to Loren M. Lang:
A specific, repeatable test case I was using is as follows. Restart racoon daemon on Linux server. Initiate L2TP VPN connection on Windows 7 (while on same subnet as Linux server.) Verify VPN is working with ping from server. First attempt is always successful. Disconnect VPN. Racoon reports ISAKMP-SA deleted. Reconnect and VPN hangs negotiating phase 2. Last message from racoon reports ISAKMP-SA established. Initiate L2TP VPN from a separate Windows XP computer also on the same subnet as the Linux server. Verify VPN connection with ping from Linux and disconnect VPN. Repeat a second time and it is still successful on XP. Make sure VPN is disconnected on XP and make a third attempt at VPN on Windows 7. It still fails like the second attempt.
[Regression Potential]
Upstream have been carrying this fix for over two years, and the fix is still present in upstream CVS HEAD. The original reporter has confirmed that this fix works without issues. Thus the potential for regressions is minimal.
ORIGINAL REPORT
Ubuntu release: 10.04
racoon package version: 1:0.7.1-1.6ubuntu1
IKE phase 2 negotiation fails with Windows Vista/7 L2TP clients if there already is a non-expired ESP SA for that client, created for the previous session. See the discussion here:
http://comments.gmane.org/gmane.network.ipsec.tools.devel/2246
The suggested correction is to update racoon to version 0.8. |
|
2012-04-10 08:43:26 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2012-04-10 08:43:36 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2012-04-16 10:08:40 |
Martin Pitt |
bug task added |
|
ipsec-tools (Ubuntu Lucid) |
|
2012-04-16 10:14:19 |
Martin Pitt |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2012-04-16 10:14:29 |
Martin Pitt |
ipsec-tools (Ubuntu Lucid): status |
New |
Fix Committed |
|
2012-04-20 22:04:23 |
Clint Byrum |
bug |
|
|
added subscriber SRU Verification |
2012-04-20 22:04:26 |
Clint Byrum |
tags |
|
verification-needed |
|
2012-04-22 09:17:20 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-proposed/ipsec-tools |
|
2012-08-09 18:21:51 |
Clint Byrum |
tags |
verification-needed |
verification-done |
|
2012-08-09 21:53:53 |
Colin Watson |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2012-08-09 21:54:13 |
Launchpad Janitor |
ipsec-tools (Ubuntu Lucid): status |
Fix Committed |
Fix Released |
|