racoon phase 2 negotiation fails with Win Vista/7
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ipsec-tools (Ubuntu) | Fix Released | Medium | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |
Bug Description
SRU JUSTIFICATION
[Impact]
Use for interoperability with other VPN systems including use as a VPN concentrator is a major use case for ipsec-tools. A large number of users have Windows clients. This bug in ipsec-tools causes unreliable interoperability between Ubuntu and the Windows Vista and 7 VPN clients.
[Development Fix]
Fixed in upstream CVS, src/racoon/
[Stable Fix]
See debdiff, attached.
[Test Case]
From http://
A specific, repeatable test case I was using is as follows. Restart racoon daemon on Linux server. Initiate L2TP VPN connection on Windows 7 (while on same subnet as Linux server). Verify VPN is working with ping from server. First attempt is always successful. Disconnect VPN. Racoon reports ISAKMP-SA deleted. Reconnect and VPN hangs negotiating phase 2. Last message from racoon reports ISAKMP-SA established. Initiate L2TP VPN from a separate Windows XP computer also on the same subnet as the Linux server. Verify VPN connection with ping from Linux and disconnect VPN. Repeat a second time and it is still successful on XP. Make sure VPN is disconnected on XP and make a third attempt at VPN on Windows 7. It still fails like the second attempt.
[Regression Potential]
Upstream have been carrying this fix for over two years, and the fix is still present in upstream CVS HEAD. The original reporter has confirmed that this fix works without issues. Thus the potential for regressions is minimal.
ORIGINAL REPORT
Ubuntu release: 10.04
racoon package version: 1:0.7.1-1.6ubuntu1
IKE phase 2 negotiation fails with Windows Vista/7 L2TP clients if there already is a non-expired ESP SA for that client, created for the previous session. See the discussion here:
http://
The suggested correction is to update racoon to version 0.8.
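The symptom in the test case (a peer's last racoon message is "ISAKMP-SA established" with no phase 2 SA after it) can be checked for in a racoon log. The following is an added example, not part of the original report or of ipsec-tools; the function name `stalled_peers`, the 30-second threshold, and the sample lines (constructed, modelled on racoon's log messages with made-up addresses and SPIs) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: 192.0.2.50 reconnects and never completes phase 2,
# 192.0.2.60 connects normally. 192.0.2.1 is the racoon server.
SAMPLE_LOG = """\
2012-01-10 10:00:01: INFO: ISAKMP-SA established 192.0.2.1[500]-192.0.2.50[500] spi:aaaa:bbbb
2012-01-10 10:00:02: INFO: IPsec-SA established: ESP/Transport 192.0.2.50[0]->192.0.2.1[0] spi=1111(0x457)
2012-01-10 10:05:00: INFO: ISAKMP-SA deleted 192.0.2.1[500]-192.0.2.50[500] spi:aaaa:bbbb
2012-01-10 10:06:00: INFO: ISAKMP-SA established 192.0.2.1[500]-192.0.2.50[500] spi:cccc:dddd
2012-01-10 10:07:00: INFO: ISAKMP-SA established 192.0.2.1[500]-192.0.2.60[500] spi:eeee:ffff
2012-01-10 10:07:01: INFO: IPsec-SA established: ESP/Transport 192.0.2.60[0]->192.0.2.1[0] spi=2222(0x8ae)
"""

# Assumed line layout: "<date> <time>: <LEVEL>: <message>"
LINE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): \w+: (.*)")
# Phase 1 done: "ISAKMP-SA established <local>[port]-<remote>[port] ..."
PHASE1 = re.compile(r"ISAKMP-SA established \S+?\[\d+\]-(\S+?)\[\d+\]")
# Phase 2 done: "IPsec-SA established: <proto/mode> <src>[port]-><dst>[port] ..."
PHASE2 = re.compile(r"IPsec-SA established: \S+ (\S+?)\[\d+\]->(\S+?)\[\d+\]")


def stalled_peers(log_text, timeout=timedelta(seconds=30)):
    """Return {peer: phase-1 time} for peers whose latest phase 1 has had
    no phase 2 SA for at least `timeout`, measured at the last log line."""
    pending = {}   # remote address -> time of latest unanswered phase 1
    now = None     # timestamp of the most recent parsed line
    for line in log_text.splitlines():
        parsed = LINE.match(line)
        if not parsed:
            continue  # skip lines without the expected timestamp prefix
        now = datetime.strptime(parsed.group(1), "%Y-%m-%d %H:%M:%S")
        msg = parsed.group(2)
        if (m := PHASE1.match(msg)):
            pending[m.group(1)] = now
        elif (m := PHASE2.match(msg)):
            # Either end of the SA may be the peer; clear both addresses.
            pending.pop(m.group(1), None)
            pending.pop(m.group(2), None)
    return {peer: t for peer, t in pending.items() if now - t >= timeout}


if __name__ == "__main__":
    for peer, since in stalled_peers(SAMPLE_LOG).items():
        print(f"{peer}: phase 1 established at {since}, no phase 2 SA since")
```
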
Thank you for taking the time to report this bug and helping to make Ubuntu better.
racoon 0.8 is available in the current (non-LTS) release, Oneiric, and will also be in the upcoming LTS release.
> The suggested correction is to update racoon to version 0.8.
I understand that this issue is present in the current LTS release (10.04) and thus it is desirable to get this fixed. But we do not update packages in stable releases to new upstream versions in this way, in order to keep them stable. Instead, bugfixes need to be backported. See https://wiki.ubuntu.com/StableReleaseUpdates for reasons and the details of this process.
If this particular fix can be isolated then it can be fixed in an SRU (https://wiki.ubuntu.com/StableReleaseUpdates#Procedure). So if you could supply a minimal patch that fixes the issue in the current version in Lucid, then this would help.
Alternatively you can update to the current (non-LTS) release 11.10, or update to the upcoming LTS (due for release in April).