Bug#507542: marked as done (strongswan: endless loop)

Tue, 09 Dec 2008 03:20:02 -0800 

Your message dated Tue, 09 Dec 2008 10:47:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#507542: fixed in strongswan 4.2.9-1
has caused the Debian Bug report #507542,
regarding strongswan: endless loop
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
507542: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507542
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message --- 
Package: strongswan
Version: 4.2.4-5
Severity: normal


This is strange situation caused by unknown reason. I have configured simple
and symmetric site to site tunnel like this:

conn %default
        ikelifetime = 15m
        keylife     = 5m
        rekeymargin = 1m
        keyingtries = 1


conn SUN-MOON
        leftcert      = sunCert.pem
        left          = 192.168.1.1
        leftsubnet    = 192.168.2.0/24
        rightcert     = moonCert.pem
        right         = 192.168.3.1
        rightsubnet   = 192.168.4.0/24
        keyexchange   = ikev2
        auto          = start

The similar configuration is on the other side. There are no problem when
connection initiating from one side of tunnel and VPN are working fine. But if
it is originated from other side, the following scenario are rolling up. At the
first time ipsec started, the tunnel is build and working as should. It is
successfully rekeying few times with keylife period. But when  ikelifetime
expired, the tunnel destroyed and rebuild again repeatedly in the endless loop.
Analyzing the syslog I have found the only difference between two side in the
strange message:

charon: 08[IKE] reauthenticating IKE_SA due address change

If this means ip address then it is not true: no address changed. I have tried
to reproduce this situation on the virtual machines with most close network
configuration without success. Changing interfaces and firewall and default
route has no effect.  Adding mobike = no to config cause this endless loop
immediately after ipsec starting up. I can't find the source of problem.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/bash

Versions of packages strongswan depends on:
ii  bsdmainutils              6.1.10         collection of more utilities from 
ii  debconf [debconf-2.0]     1.5.24         Debian configuration management sy
ii  debianutils               2.30           Miscellaneous utilities specific t
ii  host                      20000331-9     utility for querying DNS servers
ii  iproute                   20080725-2     networking and traffic control too
ii  ipsec-tools               1:0.7.1-1.2    IPsec tools for Linux
ii  libc6                     2.7-16         GNU C Library: Shared libraries
ii  libgmp3c2                 2:4.2.2+dfsg-3 Multiprecision arithmetic library
ii  libldap-2.4-2             2.4.11-1       OpenLDAP libraries
ii  libssl0.9.8               0.9.8g-14      SSL shared libraries
ii  openssl                   0.9.8g-14      Secure Socket Layer (SSL) binary a

strongswan recommends no packages.

Versions of packages strongswan suggests:
ii  curl                          7.18.2-7   Get a file from an HTTP, HTTPS or 

-- debconf information excluded

--- End Message ---
--- Begin Message --- 
Source: strongswan
Source-Version: 4.2.9-1

We believe that the bug you reported is fixed in the latest version of
strongswan, which is due to be installed in the Debian FTP archive:

strongswan_4.2.9-1.diff.gz
  to pool/main/s/strongswan/strongswan_4.2.9-1.diff.gz
strongswan_4.2.9-1.dsc
  to pool/main/s/strongswan/strongswan_4.2.9-1.dsc
strongswan_4.2.9-1_i386.deb
  to pool/main/s/strongswan/strongswan_4.2.9-1_i386.deb
strongswan_4.2.9.orig.tar.gz
  to pool/main/s/strongswan/strongswan_4.2.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Mayrhofer <[EMAIL PROTECTED]> (supplier of updated strongswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 05 Dec 2008 17:21:42 +0100
Source: strongswan
Binary: strongswan
Architecture: source i386
Version: 4.2.9-1
Distribution: unstable
Urgency: low
Maintainer: Rene Mayrhofer <[EMAIL PROTECTED]>
Changed-By: Rene Mayrhofer <[EMAIL PROTECTED]>
Description: 
 strongswan - IPSec utilities for strongSwan
Closes: 497756 507542
Changes: 
 strongswan (4.2.9-1) unstable; urgency=low
 .
   * New upstream release, fixes a MOBIKE issue.
     Closes: #507542: strongswan: endless loop
   * Explicitly enable compilation with libcurl for CRL fetching
     Closes: #497756: strongswan: not compiled with curl support; crl
                      fetching not available
   * Enable compilation with SSH agent support.
Checksums-Sha1: 
 0019fbf1ad7e1c6922cbf8693e2a8db2b547ac13 1282 strongswan_4.2.9-1.dsc
 8a3f7d7037678b958e6b944fde4b91a7eb03ba65 3911581 strongswan_4.2.9.orig.tar.gz
 7503ebb5019502e3bf1643028127e618c845a2bc 57155 strongswan_4.2.9-1.diff.gz
 2df7998ff7a06256b6cab4eefbfc78bdf06b0e79 1170370 strongswan_4.2.9-1_i386.deb
Checksums-Sha256: 
 4770f372da511eb2818309223af63fe9d48b3f5d96e130704723cc769e135721 1282 
strongswan_4.2.9-1.dsc
 e90e5155fa311c51050613a6c707fe8cf17d292ba216fcaedb47f8b9f857b500 3911581 
strongswan_4.2.9.orig.tar.gz
 6a9c32f186cd989f816579a80390c6f71169723958e4999053c5a3747d23fad2 57155 
strongswan_4.2.9-1.diff.gz
 18cd482a47044672b06e7bf3e91ec86378278eb29f5481471199603ff1d18886 1170370 
strongswan_4.2.9-1_i386.deb
Files: 
 d039d90c2460307214c5d8bd2154f887 1282 net optional strongswan_4.2.9-1.dsc
 ec82f7e2890d44a7720670ecedd797db 3911581 net optional 
strongswan_4.2.9.orig.tar.gz
 bd8cb88b2f115d035c781d3eaab1ea2c 57155 net optional strongswan_4.2.9-1.diff.gz
 ba05abd2cc00406fbb5880e85adc6c81 1170370 net optional 
strongswan_4.2.9-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkk6z8wACgkQq7SPDcPCS97pqgCfWgeXP4g35aEkmx6EIvK9I0zM
fBgAoK09557k/J26pOYz2TjCngHh84SY
=NF6t
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to