Bug 1105171

Summary: Libreswan doesn't work with some ike options.
Product: Red Hat Enterprise Linux 7
Reporter: Jaroslav Aster <jaster>
Component: libreswan
Assignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA
QA Contact: Jaroslav Aster <jaster>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: amarecek, pwouters
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 730975
Environment:
Last Closed: 2015-03-05 10:22:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 730975
Bug Blocks:

Description Jaroslav Aster 2014-06-05 13:54:23 UTC
libreswan has exactly the same behaviour as openswan. I tested it in rhel7 and I used libreswan-3.8-5.el7.

+++ This bug was initially created as a clone of Bug #730975 +++

Description of problem:
Openswan doesn't work with ike=modp1536 option, which is suggested as one of examples in manual pages of ipsec.conf.

Version-Release number of selected component (if applicable):
openswan-2.6.32-4.el6_1.1

How reproducible:
always

Steps to Reproduce:
1.cp ipsec.conf /etc/ipsec.conf

version    2.0

config setup
    protostack=netkey
    nat_traversal=yes
    plutostderrlog=/var/log/pluto.log

conn testA
        auto=add
        authby=secret
        type=transport
        left=127.0.0.1
        right=127.0.0.1
        ike=modp1536
        phase2=esp
        phase2alg=aes-sha1
        loopback=yes


2.cp ipsec.secrets /etc/ipsec.secrets

: PSK "whatever"


3.ip xfrm state flush
4.service ipsec restart
5.ipsec auto --up testA
6.ip xfrm state
  
Actual results of ipsec auto --up testA:

000 initiating all conns with alias='testA' 
021 no connection named "testA"

Expected results:
Successfully create an IPsec connection

Additional info:
I have checked the output of tcpdump; packets are unencrypted.


--- Additional comment from Jaroslav Aster on 2014-06-05 07:48:32 EDT ---

Hi,

I can confirm it. I then did some tests and found out that there is something wrong in parsing the ike option. A lot more things do not work and end with the same error.

example:


1. dh alone

ike=modp1536 # fail
ike=dh22 # fail
ike=dh23 # fail
ike=dh24 # fail
...

2. hash alone

ike=md5 # fail
ike=sha1 # fail

3. mix of dh and hash

ike=md5;dh22 # fail
ike=sha1;modp1024 # fail
...

4.

ike=aes-md5;dh22,modp1024 # fail

The man page says that it should be possible to set these values; ike=modp1536 is given as an example in the ipsec.conf man page.

It seems only values from the right can be missing.

ike=aes-md5;dh22,3des # pass
ike=aes-md5,3des # pass
ike=aes,3des # pass
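Added example, not part of the bug report or of libreswan itself: a small Python linter that models the ike= grammar the man page documents (comma-separated proposals of the form encr[-hash][;dh]) together with the rule behind the failures listed above, that each proposal must start with an encryption algorithm. The keyword sets are an assumed subset, not libreswan's full algorithm table.

```python
# Constructed keyword tables: an assumed subset of what libreswan accepts,
# enough to model the documented ike= grammar "encr[-hash][;dh],...".
ENCR = {"aes", "aes128", "aes256", "3des"}
HASH = {"md5", "sha1", "sha2", "sha2_256", "sha2_512"}
DH = {"modp1024", "modp1536", "modp2048", "dh22", "dh23", "dh24"}


def check_proposal(proposal):
    """Validate one 'encr[-hash][;dh]' proposal; returns (ok, reason).

    The leading token must be an encryption algorithm, so a bare hash or
    DH group (the cases listed as failing above) is rejected here rather
    than at 'ipsec auto --up' time.
    """
    proposal = proposal.strip()
    if not proposal:
        return False, "empty proposal"
    algs, _, dh = proposal.partition(";")
    encr, _, hsh = algs.partition("-")
    if encr in HASH or encr in DH:
        kind = "hash" if encr in HASH else "DH group"
        return False, f"'{encr}' is a {kind}, not an encryption algorithm"
    if encr not in ENCR:
        return False, f"unknown encryption algorithm '{encr}'"
    if hsh and hsh not in HASH:
        return False, f"unknown hash '{hsh}'"
    if dh and dh not in DH:
        return False, f"unknown DH group '{dh}'"
    return True, "ok"


def check_ike(value):
    """Validate a whole ike= value; returns [(proposal, ok, reason), ...]."""
    return [(p.strip(), *check_proposal(p)) for p in value.split(",")]


def ike_is_valid(value):
    return all(ok for _, ok, _ in check_ike(value))


if __name__ == "__main__":
    # Constructed sample values: the fail/pass cases from the comment above.
    for v in ("modp1536", "md5", "sha1;modp1024", "aes-md5;dh22,modp1024",
              "aes-md5;dh22,3des", "aes-md5,3des", "aes,3des"):
        for prop, ok, reason in check_ike(v):
            print(f"{v:26s} {prop:16s} {'pass' if ok else 'FAIL: ' + reason}")
```

Running it over an ipsec.conf before `service ipsec restart` catches a DH-only or hash-only proposal without having to interpret the misleading "no connection named" message.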

Comment 1 Paul Wouters 2014-07-04 01:05:33 UTC
fixed in upstream 3.9 (man page entry no longer allows specifying only a modp group) - will come in via the rebase

Comment 2 Paul Wouters 2014-10-24 04:09:30 UTC
This is already fixed in 3.9

Comment 3 Jaroslav Aster 2014-11-11 14:41:00 UTC
Hi Paul,

I can still see it in the ipsec.conf man page in the latest libreswan build for rhel7. So, it is not fixed.

# rpm -q libreswan
libreswan-3.12-1.el7.x86_64

# man ipsec.conf | col -b | grep 'ike=modp1536'
           ike=aes128-sha1;dh22, ike=3des-md5;modp1024,aes-sha1;modp1536 or ike=modp1536. The options must be suitable as a value of ipsec_spi(8)'s --ike option. The default is to

Comment 4 Paul Wouters 2014-12-03 14:42:19 UTC
It seems to have appeared in two places :/

I just fixed the ipsec.conf ike.xml files upstream and regenerated the man page, so it will be correct in 3.13.

Comment 9 Jaroslav Aster 2015-01-06 09:04:59 UTC
VERIFIED: /CoreOS/openswan/Sanity/bz730975-Openswan-doesn-t-work-with-ike-modp1536-option

libreswan-3.12-4.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'grep 'ike=modp1536' /tmp/tmp.NTD3DD0ZNo' (Expected 1, got 1)
:: [   LOG    ] :: Duration: 0s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: Test


libreswan-3.8-5.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   FAIL   ] :: Command 'grep 'ike=modp1536' /tmp/tmp.ARNu1dfr9s' (Expected 1, got 0)
:: [   LOG    ] :: Duration: 0s
:: [   LOG    ] :: Assertions: 0 good, 1 bad
:: [   FAIL   ] :: RESULT: Test

Comment 11 errata-xmlrpc 2015-03-05 10:22:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0431.html