Date: Mon, 31 Jan 2005 08:32:02 -0800
From: Stephen Hemminger
To: netdev@oss.sgi.com
Subject: Fw: [Bug 4133] New: ipsec with automatic SA-generation; first connect fails
Message-ID: <20050131083202.0606fbc2@dxpl.pdx.osdl.net>
Organization: Open Source Development Lab

Begin forwarded message:

Date: Sun, 30 Jan 2005 05:12:49 -0800
From: bugme-daemon@osdl.org
To: shemminger@osdl.org
Subject: [Bug 4133] New: ipsec with automatic SA-generation; first connect fails

http://bugme.osdl.org/show_bug.cgi?id=4133

Summary: ipsec with automatic SA-generation; first connect fails
Kernel Version: version 2.6.7 (gcc-Version 3.3.4 (Debian 1:3.3.4-6sarge1))
Status: NEW
Severity: normal
Owner: shemminger@osdl.org
Submitter: werner.baumann@onlinehome.de
Distribution: Debian GNU/Linux Sarge
Hardware Environment: AMD Athlon
Software Environment: libc-2.3.2.so, KAME IPSec-Tools (setkey and racoon)

Problem Description:

When configuring IPSec with automatic SA establishment by racoon (or any other IKE daemon), as long as the SA is not established, the first attempt to connect fails, while the SA is established correctly after this. The second attempt is successful. But meanwhile most applications inform the user that there is something wrong with the connection. So the user will not try again, but maybe instead will mix up his configuration.

Steps to reproduce:

- configure a Security Policy for connections to some peer (on both sides)
- configure racoon to establish SAs for this policy and start racoon
- try to connect (using telnet or some other application)
- connection will fail with some error message "temporarily unavailable" or even "connection refused"
- try again and the connection will succeed (SA is established as displayed by setkey -D)

I also tried a simple connect program: it showed that the first call to the connect() function fails with errno EAGAIN. Although this errno seems quite reasonable to me, most applications don't try AGAIN, but instead confuse the user.

I think it would be desirable that the call to connect() would not fail, but instead be delayed until the SA is established. Only if this is not possible within some timeout should connect() fail. I think this behaviour would also better match RFC 2401, 5.1 Outbound IP Traffic Processing, especially 5.1.1.

I don't know whether this is an issue of the kernel or just of glibc.

Thanks for kernel-ipsec anyway

Werner

--
Stephen Hemminger
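The failure mode Werner describes (the first connect() returning EAGAIN while the IKE daemon is still negotiating the SA, then succeeding on the next try) is easy to reproduce offline. The following is an added example, not code from the bug report or from the kernel or IPsec-Tools: a connect() wrapper that retries only on EAGAIN/EINTR until a caller-supplied deadline, passing any other error (such as ECONNREFUSED) straight through. The connect function is injected as a function pointer so the retry logic can be exercised against a constructed stand-in peer; for real use, pass connect(2) itself. The names connect_with_retry, sim_connect and sim_refused are this example's own.

```c
/* Added example: application-side retry around connect() for the
 * "EAGAIN until the IPsec SA exists" case.  Not from the bug report. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/socket.h>

/* Signature matching connect(2); injected so the loop can be tested offline. */
typedef int (*connect_fn)(int fd, const struct sockaddr *addr, socklen_t len);

static long elapsed_ms(const struct timespec *start)
{
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (now.tv_sec - start->tv_sec) * 1000L
         + (now.tv_nsec - start->tv_nsec) / 1000000L;
}

/* Retry do_connect() while it fails with EAGAIN or EINTR, sleeping backoff_ms
 * between attempts, until timeout_ms has elapsed.  Returns 0 on success.
 * On failure returns -1 with errno set to the last real error, or ETIMEDOUT
 * if the deadline passed while still waiting.  *attempts gets the call count. */
int connect_with_retry(connect_fn do_connect, int fd,
                       const struct sockaddr *addr, socklen_t len,
                       int timeout_ms, int backoff_ms, int *attempts)
{
    struct timespec start;
    clock_gettime(CLOCK_MONOTONIC, &start);
    int n = 0;
    for (;;) {
        n++;
        if (do_connect(fd, addr, len) == 0) {
            if (attempts) *attempts = n;
            return 0;
        }
        int saved = errno;
        if (saved != EAGAIN && saved != EINTR) {
            /* ECONNREFUSED, ENETUNREACH, ... are final: do not mask them. */
            if (attempts) *attempts = n;
            errno = saved;
            return -1;
        }
        if (elapsed_ms(&start) + backoff_ms > timeout_ms) {
            if (attempts) *attempts = n;
            errno = ETIMEDOUT;
            return -1;
        }
        struct timespec pause = { backoff_ms / 1000,
                                  (backoff_ms % 1000) * 1000000L };
        nanosleep(&pause, NULL);
    }
}

/* Constructed stand-in for a peer whose SA is still being negotiated:
 * the first sa_pending_calls attempts fail with EAGAIN, later ones succeed. */
static int sa_pending_calls = 2;
static int sim_connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    (void)fd; (void)addr; (void)len;
    if (sa_pending_calls > 0) {
        sa_pending_calls--;
        errno = EAGAIN;
        return -1;
    }
    return 0;
}

/* Constructed stand-in for a peer that refuses outright; no retry applies. */
static int sim_refused(int fd, const struct sockaddr *addr, socklen_t len)
{
    (void)fd; (void)addr; (void)len;
    errno = ECONNREFUSED;
    return -1;
}

int main(void)
{
    int attempts = 0;
    /* Two EAGAINs, then success: the wrapper hides them from the user. */
    sa_pending_calls = 2;
    int rc = connect_with_retry(sim_connect, -1, NULL, 0, 1000, 10, &attempts);
    printf("pending SA: rc=%d after %d attempt(s)\n", rc, attempts);

    /* A genuine refusal is reported on the first attempt, unchanged. */
    rc = connect_with_retry(sim_refused, -1, NULL, 0, 1000, 10, &attempts);
    printf("refused: rc=%d errno=%s after %d attempt(s)\n",
           rc, strerror(errno), attempts);
    return 0;
}
```

In real use the fd argument is a freshly created socket and addr/len point at the peer address; only the connect function pointer changes. The important design point is the narrow retry condition: retrying on every error would turn a misconfigured policy or a refused port into a silent timeout, which is exactly the kind of confusion the report complains about.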