[Bug 947309] Re: racoon phase 2 negotiation fails with Win Vista/7
Robie Basak
947309 at bugs.launchpad.net
Tue Apr 10 08:42:46 UTC 2012
** Patch added: "ipsec-tools.debdiff"
https://bugs.launchpad.net/ubuntu/+source/ipsec-tools/+bug/947309/+attachment/3039038/+files/ipsec-tools.debdiff
** Description changed:
+ SRU JUSTIFICATION
+
+ [Impact]
+
+ Use for interoperability with other VPN systems including use as a VPN
+ concentrator is a major use case for ipsec-tools. A large number of
+ users have Windows clients. This bug in ipsec-tools causes unreliable
+ interoperability between Ubuntu and the Windows Vista and 7 VPN clients.
+
+ [Development Fix]
+
+ Fixed in upstream CVS, src/racoon/handler.c revisions 1.31 and 1.32 (see
+ http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-
+ tools/src/racoon/handler.c?only_with_tag=MAIN). This fix went into
+ upstream 0.8. Precise is at 1:0.8.0-9ubuntu1 so already includes this
+ fix.
+
+ [Stable Fix]
+
+ See debdiff, attached.
+
+ [Test Case]
+
+ From http://comments.gmane.org/gmane.network.ipsec.tools.devel/2246,
+ with thanks to Loren M. Lang:
+
+ A specific, repeatable test case I was using is as follows. Restart
+ racoon daemon on Linux server. Initiate L2TP VPN connection on Windows
+ 7 (while on same subnet as Linux server.) Verify VPN is working with
+ ping from server. First attempt is always successful. Disconnect VPN.
+ Racoon reports ISAKMP-SA deleted. Reconnect and VPN hangs negotiating
+ phase 2. Last message from racoon reports ISAKMP-SA established.
+ Initiate L2TP VPN from a separate Windows XP computer also on the same
+ subnet as the Linux server. Verify VPN connection with ping from Linux
+ and disconnect VPN. Repeat a second time and it still successful on XP.
+ Make sure VPN is disconnected on XP and make a third attempt at VPN on
+ Windows 7. It still fails like the second attempt.
+
+ [Regression Potential]
+
+ Upstream have been carrying this fix for over two years, and the fix is
+ still present in upstream CVS HEAD. The original reporter has confirmed
+ that this fix works without issues. Thus the potential for regressions
+ is minimal.
+
+
+ ORIGINAL REPORT
+
Ubuntu release: 10.04
racoon package version: 1:0.7.1-1.6ubuntu1
IKE phase 2 negotiation fails with Windows Vista/7 L2TP clients if there
already is a non-expired ESP SA for that client, created for the
previous session. See the discussion here:
http://comments.gmane.org/gmane.network.ipsec.tools.devel/2246
The suggested correction is to update racoon to version 0.8.
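Review bot: The [Test Case] section gives only the failing sequence and no pass criterion for the fixed package. Add a closing line stating the expected result with the debdiff applied, for example that the second and third Windows 7 connection attempts complete phase 2 and the VPN answers ping from the server, so whoever verifies the SRU knows what to confirm. Separately, in [Development Fix] the cvsweb URL is wrapped in the middle of "ipsec-tools", so it cannot be followed as written; keep it on one line.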
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ipsec-tools in Ubuntu.
https://bugs.launchpad.net/bugs/947309
Title:
racoon phase 2 negotiation fails with Win Vista/7