Fixed
Created: Nov 10, 2014
Updated: Dec 3, 2018
Resolved Date: Nov 10, 2014
Previous ID: LIN4-31927
Found In Version: 6.0
Fix Version: 6.0.0.14
Severity: Standard
Applicable for: Wind River Linux 6
Component/s: Userspace
Issue found in ipsec-tools/racoon:
When we add overlapping IPSec rules in which one rule is with any port (the default value) and the other rule is with a specific port (for example 45000), we have seen racoon reporting an error. Below is the error.
Sep 16 10:32:54.463115 info CLA-0 IPSec: Racoon: sending SIGHUP to racoon pid 3396
Sep 16 10:32:54.463842 info CLA-0 racoon: 2014-09-16 10:32:54: ERROR: /etc/ipsec/0/ike1//racoon.conf:67: "}" duplicated sainfo: loc='100.2.0.0/24', rmt='200.2.0.0/24', peer='ANY', id=0
Sep 16 10:32:54.463842 info CLA-0 racoon: 2014-09-16 10:32:54: ERROR: fatal parse failure (1 errors)
Sep 16 10:32:54.463887 info CLA-0 racoon: 2014-09-16 10:32:54: ERROR: config reload failed
Sep 16 10:32:54.729638 info CLA-0 racoon: 2014-09-16 10:32:54: INFO: respond new phase 2 negotiation: 70.3.3.2[500]<=>102.102.102.2[500]
Sep 16 10:32:54.729863 info CLA-0 racoon: 2014-09-16 10:32:54: INFO: respond new phase 2 negotiation: 80.3.3.2[500]<=>202.202.202.2[500]
Due to this, the configuration was not coming up as it was supposed to.
We have tried the following scenarios as well to check this.
Both overlapping rules have specific but different ports. --- result: error
Both overlapping rules are on the same VPN. --- result: error
Both overlapping rules are on different VPNs. --- result: error
Here is the entry in racoon.conf after the addition.
sainfo subnet 70.100.100.0/24 any subnet 60.200.200.0/24 any
{
lifetime time 10000 secs;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
encapdscp on;
}
sainfo subnet 70.100.100.0/24 [45000] any subnet 60.200.200.0/24 [45000] any
{
lifetime time 10000 secs;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
encapdscp on;
}
It seems this is not considering the port number to differentiate the rules. In the case of IKEv2 we have not seen this issue.
Ipsec-tools version:
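As an added example (not part of the report, and not ipsec-tools code), the following Python script lints a racoon.conf fragment for the situation described above: it parses sainfo selector headers and reports groups of blocks that are distinct once ports are taken into account but collide when ports are ignored. The port-blind comparison is an assumption drawn from the "duplicated sainfo" error in the log, not from racoon's source; the sample configuration is constructed from the two blocks in the report plus one extra non-overlapping block.

```python
import re
from collections import defaultdict

# Constructed racoon.conf fragment for this example. The first two sainfo
# blocks reproduce the pair from the report; the third is an extra block
# with a different local subnet, added only to show that a genuinely
# different selector is not flagged.
SAMPLE_CONF = """\
sainfo subnet 70.100.100.0/24 any subnet 60.200.200.0/24 any
{
lifetime time 10000 secs;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
encapdscp on;
}
sainfo subnet 70.100.100.0/24 [45000] any subnet 60.200.200.0/24 [45000] any
{
lifetime time 10000 secs;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
encapdscp on;
}
sainfo subnet 70.100.100.0/25 any subnet 60.200.200.0/24 any
{
lifetime time 10000 secs;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
}
"""

# One side of a sainfo selector: "subnet ADDR[/PREFIX] [PORT] PROTO".
# The optional "[PORT]" is the bracketed form used in the report.
_SIDE = r"(?:subnet|address)\s+(\S+)\s+(?:\[(\d+)\]\s+)?(\S+)"
_SAINFO = re.compile(r"^\s*sainfo\s+" + _SIDE + r"\s+" + _SIDE + r"\s*$")


def parse_sainfo_headers(conf_text):
    """Return one dict per two-sided 'sainfo subnet ... subnet ...' header.

    Only the explicit two-sided selector form is parsed; 'sainfo anonymous'
    and headers with trailing 'from' clauses are skipped, not rejected.
    """
    entries = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = _SAINFO.match(line)
        if not m:
            continue
        l_addr, l_port, l_proto, r_addr, r_port, r_proto = m.groups()
        entries.append({
            "line": lineno,
            "local": (l_addr, l_port, l_proto),
            "remote": (r_addr, r_port, r_proto),
        })
    return entries


def port_blind_key(entry):
    """Selector key that drops ports.

    Assumption for this example: the 'duplicated sainfo' error suggests the
    affected build compares selectors this way. Not taken from racoon's source.
    """
    l_addr, _, l_proto = entry["local"]
    r_addr, _, r_proto = entry["remote"]
    return (l_addr, l_proto, r_addr, r_proto)


def strict_key(entry):
    """Selector key that keeps ports, so port-specific rules stay distinct."""
    return (entry["local"], entry["remote"])


def find_port_only_collisions(conf_text):
    """Return line-number groups of sainfo blocks that differ only by port.

    A group is reported when its members share a port-blind key but have
    more than one strict key, which is exactly the shape of the report's pair.
    """
    by_blind = defaultdict(list)
    for entry in parse_sainfo_headers(conf_text):
        by_blind[port_blind_key(entry)].append(entry)
    collisions = []
    for group in by_blind.values():
        if len({strict_key(e) for e in group}) > 1:
            collisions.append([e["line"] for e in group])
    return collisions


if __name__ == "__main__":
    for lines in find_port_only_collisions(SAMPLE_CONF):
        print("sainfo blocks at lines %s differ only by port; the affected "
              "racoon rejects such a reload with 'duplicated sainfo'" % lines)
```

Running the script against the constructed fragment reports lines 1 and 9 (the report's two blocks) and stays silent about the third block, whose local subnet differs. Run on a real racoon.conf before sending SIGHUP, it gives a defender a way to spot a reload that the affected version will refuse, instead of discovering it from the "config reload failed" line afterwards.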
ipsec-tools-0.8.0-1_WR4.3.x86_64