Debian Bug report logs - #289604
racoon sources isakmp replies from incorrect address

Package: racoon; Maintainer for racoon is Matthew Grant <matthewgrant5@gmail.com>; Source for racoon is src:ipsec-tools.

Reported by: michael@metaparadigm.com

Date: Mon, 10 Jan 2005 01:33:03 UTC

Severity: normal

Tags: patch

Found in version 0.3.3-5

Fixed in version ipsec-tools/0.4999pre0.5rc2-1

Done: Ganesan Rajagopal <rganesan@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Grant <grantma@anathoth.gen.nz>:
Bug#289604; Package racoon.

Acknowledgement sent to michael@metaparadigm.com:
New Bug report received and forwarded. Copy sent to Matthew Grant <grantma@anathoth.gen.nz>.

Message #5 received at submit@bugs.debian.org:

From: Michael Clark <michael@metaparadigm.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: racoon sources isakmp replies from incorrect address
Date: Mon, 10 Jan 2005 09:22:09 +0800
Package: racoon
Version: 0.3.3-5
Severity: normal
Tags: patch

I have a 2-firewall HA setup with a floating gateway address (IP alias).

I use the listen directive to get racoon to specifically bind isakmp to
the floating gateway address. racoon binds correctly to this address, as
verified by lsof, although isakmp replies are still sourced incorrectly
from the interface base address.

Looking at sendfromto in sockmisc.c I found that the isakmp socket send 
code *tries* to override the default send address using the IP_PKTINFO 
sendmsg message header.

It appears the purpose of this code is to make replies go out on the
same interface and address of the system on which the original packet
was received (overriding the routing policy of the administrator,
as asymmetric routing could be the intended policy). I'm not sure why it
diverges from the FreeBSD behaviour of a plain sendto, as this would
select the correct source address and interface; I've verified that
this works correctly (aside from source address selection bugs in
some ancient test kernels), although this is an upstream issue.

Anyway, I've identified that the code in question has a bug in its
explicit setting of the source address in the IP_PKTINFO structure.

When IP_PKTINFO is used with sendmsg, the ipi_spec_dst field is used to
specify the source address and the ipi_addr field is ignored. This can
be verified by looking at the kernel sources:

linux-2.6.8.1/net/ipv4/ip_sockglue.c:ip_cmsg_send():170

In effect the code explicitly overrides a correct source address
with INADDR_ANY (by omitting to set the correct field), making packets
sourced instead from the base address of the interface.

Setting the correct field fixes my problem and the packets are now
sourced from the correct address (the address of the bound socket),
making racoon usable in my heartbeat HA failover setup with a floating
gateway address. Both fields are set, as is current practice in code
I've found using IP_PKTINFO to set the source address (as perhaps some
kernels may interpret the other field).

Patch attached and tested on production system.

Please apply (it would be nice to keep my sarge firewall stock, and this
is the only problem package needing a custom build).

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages racoon depends on:
ii  debconf                     1.4.30.11    Debian configuration management sy
ii  ipsec-tools                 0.3.3-5      IPsec tools for Linux
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an

-- debconf information:
* racoon/config_mode: racoon-tool
[racoon-isakmp-srcaddr.patch (text/plain, attachment)]
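The report above describes how a UDP sender pins its source address with an IP_PKTINFO ancillary message and why filling only ipi_addr silently degrades to INADDR_ANY. The following C program is an added example, written for this page; it is not racoon's sockmisc.c and not the attached patch. The names set_pktinfo_source, pktinfo_carries_source and this sendfromto are hypothetical, the addresses 192.0.2.1 and 127.0.0.2 are constructed, and the code assumes Linux (IP_PKTINFO with struct in_pktinfo, so _GNU_SOURCE is defined before the includes). It builds the control message the correct way, with ipi_spec_dst set and ipi_addr mirrored, and main() sends one datagram across loopback so the receiver can show which source address the kernel actually used.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Room for exactly one IP_PKTINFO control message. */
#define PKTINFO_CMSG_LEN CMSG_SPACE(sizeof(struct in_pktinfo))

/* Attach an IP_PKTINFO cmsg to `msg` pinning the datagram's source address
 * to `src`.  On Linux the kernel reads ipi_spec_dst on send and ignores
 * ipi_addr; both are filled, as the bug report describes.  Returns the
 * in_pktinfo placed in `cmsgbuf`, or NULL if the buffer is too small. */
struct in_pktinfo *
set_pktinfo_source(struct msghdr *msg, unsigned char *cmsgbuf,
                   size_t cmsgbuflen, const struct in_addr *src, int ifindex)
{
    struct cmsghdr *cm;
    struct in_pktinfo *pi;
    if (cmsgbuflen < PKTINFO_CMSG_LEN)
        return NULL;
    memset(cmsgbuf, 0, cmsgbuflen);
    msg->msg_control = cmsgbuf;
    msg->msg_controllen = PKTINFO_CMSG_LEN;

    cm = CMSG_FIRSTHDR(msg);
    cm->cmsg_level = IPPROTO_IP;
    cm->cmsg_type = IP_PKTINFO;
    cm->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));

    pi = (struct in_pktinfo *)CMSG_DATA(cm);
    pi->ipi_ifindex = ifindex;  /* 0: let the kernel pick the interface */
    pi->ipi_spec_dst = *src;    /* the field the kernel honours on send */
    pi->ipi_addr = *src;        /* ignored on send; set for compatibility */
    return pi;
}

/* Send `buf` to `dst` sourced from `src` (hypothetical sendfromto()). */
ssize_t
sendfromto(int s, const void *buf, size_t len,
           const struct sockaddr_in *src, const struct sockaddr_in *dst)
{
    unsigned char cmsgbuf[PKTINFO_CMSG_LEN];
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg;
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = (void *)dst;
    msg.msg_namelen = sizeof(*dst);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    if (!set_pktinfo_source(&msg, cmsgbuf, sizeof(cmsgbuf), &src->sin_addr, 0))
        return -1;
    return sendmsg(s, &msg, 0);
}

/* Self-check: does the cmsg built for `addr` carry it in ipi_spec_dst? (1/0) */
int
pktinfo_carries_source(const char *addr)
{
    unsigned char cmsgbuf[PKTINFO_CMSG_LEN];
    struct msghdr msg;
    struct cmsghdr *cm;
    struct in_addr src;
    struct in_pktinfo *pi;
    memset(&msg, 0, sizeof(msg));
    if (inet_pton(AF_INET, addr, &src) != 1)
        return 0;
    pi = set_pktinfo_source(&msg, cmsgbuf, sizeof(cmsgbuf), &src, 0);
    if (!pi)
        return 0;
    cm = CMSG_FIRSTHDR(&msg);
    return cm->cmsg_level == IPPROTO_IP && cm->cmsg_type == IP_PKTINFO
        && pi->ipi_spec_dst.s_addr == src.s_addr
        && pi->ipi_addr.s_addr == src.s_addr;
}

/* Loopback demo: 127.0.0.2 is a constructed second address on lo. */
int
main(void)
{
    struct sockaddr_in rx = { .sin_family = AF_INET }, src = rx, peer;
    socklen_t rxlen = sizeof(rx), peerlen = sizeof(peer);
    int r = socket(AF_INET, SOCK_DGRAM, 0), t = socket(AF_INET, SOCK_DGRAM, 0);
    char buf[16];
    inet_pton(AF_INET, "127.0.0.1", &rx.sin_addr);
    inet_pton(AF_INET, "127.0.0.2", &src.sin_addr);
    if (r < 0 || t < 0 ||
        bind(r, (struct sockaddr *)&rx, rxlen) < 0 ||
        getsockname(r, (struct sockaddr *)&rx, &rxlen) < 0 ||
        sendfromto(t, "isakmp", 6, &src, &rx) < 0 ||
        recvfrom(r, buf, sizeof buf, 0, (struct sockaddr *)&peer, &peerlen) < 0) {
        perror("loopback demo");
        return 1;
    }
    printf("datagram seen from %s\n", inet_ntoa(peer.sin_addr));
    close(r); close(t);
    return 0;
}
```

If ipi_spec_dst is left zeroed and only ipi_addr is filled, the kernel sees INADDR_ANY and falls back to its own source selection, which is the symptom the report describes: the receiver then prints 127.0.0.1 rather than 127.0.0.2. Confirming the source address a daemon actually uses with a packet capture, rather than only checking which address it is bound to with lsof, catches this class of defect.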

Reply sent to Ganesan Rajagopal <rganesan@debian.org>:
You have taken responsibility.

Notification sent to michael@metaparadigm.com:
Bug acknowledged by developer.

Message #10 received at 289604-close@bugs.debian.org:

From: Ganesan Rajagopal <rganesan@debian.org>
To: 289604-close@bugs.debian.org
Subject: Bug#289604: fixed in ipsec-tools 0.4999pre0.5rc2-1
Date: Sat, 12 Feb 2005 23:02:09 -0500
Source: ipsec-tools
Source-Version: 0.4999pre0.5rc2-1

We believe that the bug you reported is fixed in the latest version of
ipsec-tools, which is due to be installed in the Debian FTP archive:

ipsec-tools_0.4999pre0.5rc2-1.diff.gz
  to pool/main/i/ipsec-tools/ipsec-tools_0.4999pre0.5rc2-1.diff.gz
ipsec-tools_0.4999pre0.5rc2-1.dsc
  to pool/main/i/ipsec-tools/ipsec-tools_0.4999pre0.5rc2-1.dsc
ipsec-tools_0.4999pre0.5rc2-1_i386.deb
  to pool/main/i/ipsec-tools/ipsec-tools_0.4999pre0.5rc2-1_i386.deb
ipsec-tools_0.4999pre0.5rc2.orig.tar.gz
  to pool/main/i/ipsec-tools/ipsec-tools_0.4999pre0.5rc2.orig.tar.gz
racoon_0.4999pre0.5rc2-1_i386.deb
  to pool/main/i/ipsec-tools/racoon_0.4999pre0.5rc2-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 289604@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ganesan Rajagopal <rganesan@debian.org> (supplier of updated ipsec-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  1 Feb 2005 13:55:37 +0530
Source: ipsec-tools
Binary: racoon ipsec-tools
Architecture: source i386
Version: 0.4999pre0.5rc2-1
Distribution: unstable
Urgency: low
Maintainer: Ganesan Rajagopal <rganesan@debian.org>
Changed-By: Ganesan Rajagopal <rganesan@debian.org>
Description: 
 ipsec-tools - IPsec tools for Linux
 racoon     - IPsec IKE keying daemon
Closes: 238795 255124 276854 289604 292850
Changes: 
 ipsec-tools (0.4999pre0.5rc2-1) unstable; urgency=low
 .
   * New upstream release.
   * Redone packaging using debhelper.
   * Upstream supports Linux fwd policy (closes: #292850).
   * Source address patch applied upstream (closes: #289604).
   * Enabled NATT support (closes: #238795).
   * Removed empty racoon.conf (closes: #255124).
   * Fixed paths in man pages (closes: #276854).
Files: 
 b7b341abc25b653ea2d5324eb231efc2 635 net extra ipsec-tools_0.4999pre0.5rc2-1.dsc
 95f371607babb8b2e9195da90797b52b 883614 net extra ipsec-tools_0.4999pre0.5rc2.orig.tar.gz
 3a9edadda9be99598deaf2fee9174790 39162 net extra ipsec-tools_0.4999pre0.5rc2-1.diff.gz
 5fff05dc4d111627330c1a6100bf410e 76172 net extra ipsec-tools_0.4999pre0.5rc2-1_i386.deb
 3ad111151e4957f3054f7e14b9a1b87d 277400 net extra racoon_0.4999pre0.5rc2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB/0gnFeACul2MEuoRArJWAKCxT+NPgRQwr3+HITchY/JXIfmffQCg24rz
DftDHCSRPZRkQ/IspSrJYs4=
=WivV
-----END PGP SIGNATURE-----



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 08:57:45 2014; Machine Name: buxtehude.debian.org
