racoon phase 2 negotiation fails with Win Vista/7

Thank you for taking the time to report this bug and helping to make Ubuntu better.

racoon 0.8 is available in the current (non-LTS) release, Oneiric, and will also be in the upcoming LTS release.

> The suggested correction is to update racoon to version 0.8.

I understand that this issue is present in the current LTS release (10.04) and thus it is desirable to get this fixed. But we do not update packages in stable releases to new upstream versions in this way, in order to keep them stable. Instead, bugfixes need to be backported. See https://wiki.ubuntu.com/StableReleaseUpdates for reasons and the details of this process.

If this particular fix can be isolated then it can be fixed in an SRU (https://wiki.ubuntu.com/StableReleaseUpdates#Procedure). So if you could supply a minimal patch that fixes the issue in the current version in Lucid, then this would help.

Alternatively you can update to the current (non-LTS) release 11.10, or update to the upcoming LTS (due for release in April).

I've marked this as Fix Released because the current development version is 0.8 and so presumably the bug is fixed in the current development version as per the bug report. I've nominated the fix for Lucid to keep the bug alive, even though we have no patch at this time.

This looks like the upstream bug report on the problem:

http://gnats.netbsd.org/42363

There are two patches changing a single line in handler.c. I haven't yet verified if these patches really solve the problem, though.

Looks like this corresponds to upstream CVS 1.31 and 1.32 in handler.c: http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/handler.c?only_with_tag=MAIN

This change is still present in the current version in precise (1:0.8.0-9ubuntu1).

Kaarle: if I can arrange getting an upload sponsored, would you be willing to help this through the SRU procedure? The procedure is here: https://wiki.ubuntu.com/StableReleaseUpdates#Procedure. We'll need detailed instructions to reproduce the bug, and for you to test test a -proposed package for lucid and report back.

Yes, I can help with that.

@Kaarle

Great!

As I'm not in a position to reproduce the bug and you haven't yet verified if the patch does solve the problem, I don't want to request a change to the official package just yet.

To make testing easier for you I've blindly applied the patch and uploaded an updated package to my PPA here: https://launchpad.net/~racb/+archive/experimental

Could you please try this package to see if this fixes your problem?

If it works for you, then I'll prepare an update to the official archive, we'll write an SRU justification and the package will be built in lucid-proposed for you to test the actual candidate package for the update. Once that passes verification then the update can be moved into lucid-updates.

Kaarle,

Have you been able to test this yet?

I installed the patched package on my client's server a couple of weeks ago, and I haven't heard any complaints since. I haven't yet had the chance to personally verify the behavior, but I plan to do that when I'm visiting their site later this week.

All right, I did some testing today. The problem indeed disappears with the patched packages.

Uploaded, unsubscribing sponsors. Thanks!

Hello Kaarle, or anyone else affected,

Accepted ipsec-tools into lucid-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Kaarle,

Any news on testing the -proposed packages please? Instructions above. Without this testing, the packages will end up getting dropped and not enter lucid-updates.

It's the same story as with your PPA package: I installed the proposed package 4 weeks ago and haven't heard any complaints. I suppose the package fixes the problem without regressions, but haven't yet had the possibility to personally verify this.

Is there some hard time limit before which the testing should be done? My current plan is to do it on week 24 when visiting my client next time. Is this all right (or do I need to set up my own test environment)?

Kaarle,

I think that will be fine. The procedure lists the limit as six months. I appreciate your help in getting this update included in Lucid. Please let us know when you've got the fix verified.

I did some testing yesterday with the proposed package, and everything seems to work fine.

Thanks for testing Kaarle, we'll release this to lucid-updates soon.

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

This bug was fixed in the package ipsec-tools - 1:0.7.1-1.6ubuntu1.1

---------------
ipsec-tools (1:0.7.1-1.6ubuntu1.1) lucid-proposed; urgency=low

  * src/racoon/handler.c: fix phase 2 negotiation (LP: #947309).
    - Patch from upstream CVS revisions 1.31 and 1.32.
    - Fixes Vista and Windows 7 client support.
 -- Robie Basak <email address hidden> Fri, 09 Mar 2012 19:01:04 +0000