Racoon 0.7 fails with address already in use

Description of problem:
Several bugs in latest ipsec-tools-0.7 prevent successful use as
a remote-access (road-warrior) client to a Cisco ASA 5500 vpn concentrator.

Attached are three patches which were also submitted to the upstream mailing
list which fix this problem.

Also attached are some packaging improvements: a phase1 mode config script,
an init script for the racoon daemon, and patches for the spec file to
incorporate the above mentioned patches and scripts.

Version-Release number of selected component (if applicable):
0.7

How reproducible:

Attempt to connect to a Cisco ASA in remote-access client mode with racoon.

Steps to Reproduce:
1. Configure racoon to connect to a Cisco ASA as suggested in the enclosed
racoon.conf example.
2. Start racoon daemon
3. run 'racoonctl vc <IP-of-Cisco-ASA>

Actual results:

vpn session fails to be established

Expected results:

successfully establish a vpn session

Additional info:

uploading tarball with the following content:

ipsec-tools.spec.diff changes to spec file
racoon.conf.diff changes to included config.file
ipsec-tools-0.7-cvs-dupmode.patch patch to handle dupe mode config packets
ipsec-tools-0.7-cvs-dupsplit.patch patch to handle dupe split networks
ipsec-tools-0.7-cvs-iface.patch patch to set SO_REUSEADDR on sockets
p1_up_down phase1 mode config script
racoon.init init script for racoon daemon

Created attachment 184001
contents of file described in 'additional info' section of original report

Everything except the dupmode patch has been put into rawhide. The dupmode patch
wasn't accepted by upstream, but the others were.

This bz is now just for the dupmode patch, the others have been added. I'm going
to set this as needinfo from the reporter, and when upstream has resolved the
patch, please set it back to me.

Thanks.

Turns out the dupmode patch is unnecessary. We can work around that problem
by simply having the phase1_up script check for a previous execution (i.e.,
whether the private VPN address has already been configured on the default
network interface).

I'm uploading a new version of the p1_up_down script which contains this check.

The ipsec-tools maintainers also took issue with the ipcalc-based conversion of
dotted-quad netmask into CIDR notation, and a patch (also uploaded) was applied
to CVS which supplies the phase1 script with a list of split networks directly
in CIDR notation.

Created attachment 232941
fixed roadwarrior phase1 script

new script now checks for an already completed previous phase1_up execution
also eliminated conversion from dotted quad netmask to cidr notation as
that functionality is being directly offered by racoon

Created attachment 232951
offer list of split networks in CIDR notation to phase1 scripts

this is already in CVS, and is also required by fixed phase1 p1_up_down script

I'm sorry, I meant to get this change in with otehr recent patches. It's in
rawhide now, as after that's tested a bit I'll put it in F-8 also.

ipsec-tools-0.7-8.fc8 has been submitted as an update for Fedora 8

ipsec-tools-0.7-8.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update ipsec-tools'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-2661

Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

ipsec-tools-0.7.1-5.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/ipsec-tools-0.7.1-5.fc8

ipsec-tools-0.7.1-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.