Bug 1163422

Summary: L2TP tunnels no longer work after openswan upgrade

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | MikeH <mjh> |
| Component: | openswan | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.6 | CC: | kheal, mjh, papun.dekl, vcojot, vincent |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-04-07 20:51:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description (MikeH, 2014-11-12 16:45:09 UTC)

For reference, could you try this with libreswan-3.12? Upstream has signed rpms at download.libreswan.org/binaries/

ISAKMP_NEXT_SAK has the value that used to be assigned a LONG time ago to the NAT-T drafts. We called it BAD_NAT_DRAFTS. Support for it was removed and then re-added. It seems that perhaps openswan is missing part of a backport for this.

I tried it with libreswan-3.12 (though I had to use rpm --nodeps to remove openswan because I have a package that depends on it -- any way around that?) and it worked just fine (i.e., IPSEC tunnels were established and an L2TP connection from Mac OS X worked). I've re-installed openswan (so my RPM database isn't corrupted) and will await an updated openswan version. Thanks!

Created attachment 961301 [details]
ignore isakmp_next_sak as it is (ab)used by OSX for NAT-T payload

I created a scratch build for you to test: ftp://ftp.nohats.ca/openswan-2.6.32-37.el6_6.i686.rpm
Let me know if that fixes your issue?

Thanks, but unfortunately that hasn't solved the issue. I now see:

...
Nov 25 13:07:41 <HOST> pluto[12472]: "l2tp-psk"[1] <IP> #10: message with unsupported payload ISAKMP_NEXT_SAK (as ISAKMP_NEXT_NATD_BADDRAFTS) ignored
Nov 25 13:07:41 <HOST> pluto[12472]: "l2tp-psk"[1] <IP> #10: ASSERTION FAILED at /builddir/build/BUILD/openswan-2.6.32/programs/pluto/ikev1.c:1782: sd != NULL
...

I'm guessing that assertion failure is a deal breaker (the Mac OS X client fails to connect).

The iPhones and iPads are unable to connect too. Please try to solve this as soon as possible. Thanks a lot.

Hi, I started digging into VPNs on EL6.6 just a few weeks ago. After struggling to work with OSX clients, I found this thread and I can confirm that the openswan downgrade makes it work (been trying for days). Here's more information:

- RHEL6.6, fully patched (as of 2014/12/12). Sure enough, with the latest openswan rpm (openswan-2.6.32-37.el6), OSX clients cannot connect and I see this in pluto.log:
  "L2TP-PSK-noNAT"[2] A.B.C.D #3: sending notification INVALID_PAYLOAD_TYPE to X.Y.Z.D:500
  "L2TP-PSK-noNAT"[2] A.B.C.D #3: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
- Workaround: yum_rhel.sh downgrade -y openswan-2.6.32-27.2.el6_5

@RH: Should we open a case with RH support?

NB: Android phones can connect just fine with either version.

@MikeH: I stumbled on this debian-related discussion where a simple patch was provided: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744717
I'm currently rebuilding the latest RH rpm with that patch and I'll see how it goes.

I've posted my rpms there:
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6/i386
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6/i386/openswan-2.6.32-37.1.el6.i686.rpm
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6/i386/openswan-debuginfo-2.6.32-37.1.el6.i686.rpm
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6/i386/openswan-doc-2.6.32-37.1.el6.i686.rpm
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6/noarch
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6/SRPMS
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6/SRPMS/openswan-2.6.32-37.1.el6.src.rpm
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6/x86_64
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6/x86_64/openswan-2.6.32-37.1.el6.x86_64.rpm
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6/x86_64/openswan-debuginfo-2.6.32-37.1.el6.x86_64.rpm
http://step.polymtl.ca/~coyote/dist/openswan/openswan-2.6.32/RHEL6/x86_64/openswan-doc-2.6.32-37.1.el6.x86_64.rpm

I can only test this later as I don't have an OSX box handy today.
Regards, Vincent

@Vincent: I downloaded and tested the RPM that you built and verified that an L2TP tunnel can be established from OSX. Thanks. Any chance we can get that patch into an official release?
Thanks, Mike.

Have also faced the same issue with CentOS 6.7 and Mac OS X 10.11.1. Vincent's rpm fixed the issue -- many thanks for this. I'd also like to voice my support for bringing this change into the standard release as I fear many other admins will be sent grey by this issue otherwise.

this was merged in via a revised #1114683

*** This bug has been marked as a duplicate of bug 1114683 ***

The errata provided package has the bug described here. It is thus not a fix for this issue.
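The failure the thread converges on is a payload-type number collision: the value the early NAT-T drafts used for NAT-D (openswan's ISAKMP_NEXT_NATD_BADDRAFTS) was later assigned to the SAK payload, and OS X still sends NAT-D under that number, so a responder that treats the type as unknown either rejects the message or, as in the assertion above, aborts. The following C walker is an added example, not openswan, libreswan or Red Hat code: it parses an IKEv1 payload chain, accepts type 15 as NAT-D only when the peer negotiated the old draft (a flag assumed to come from vendor-ID processing elsewhere), counts any other unexpected type instead of asserting, and fails only on inconsistent lengths; the message it parses is constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ISAKMP_HDR_LEN 28        /* fixed ISAKMP header, RFC 2408 */
#define ISAKMP_NEXT_NONE 0
#define ISAKMP_NEXT_HASH 8
#define ISAKMP_NEXT_SAK 15       /* RFC 3547 SAK, but NAT-D in NAT-T draft-00/01 */
#define ISAKMP_NEXT_NATD_RFC 20  /* NAT-D as assigned by RFC 3947 */
#define ISAKMP_NEXT_NATOA_RFC 21 /* NAT-OA as assigned by RFC 3947 */
struct walk_result { int natd; int standard; int unsupported; };
/* Walk the chain: 0 if well-formed, -1 only on an inconsistent length; an unexpected type is counted, never fatal. */
int walk_payloads(const uint8_t *msg, size_t len, int legacy_natt_draft,
                  struct walk_result *r)
{
    memset(r, 0, sizeof *r);
    if (len < ISAKMP_HDR_LEN) return -1;
    uint8_t np = msg[16];                 /* header's next-payload field */
    size_t off = ISAKMP_HDR_LEN;
    while (np != ISAKMP_NEXT_NONE) {
        if (off + 4 > len) return -1;     /* generic payload header must fit */
        uint16_t plen = (uint16_t)((msg[off + 2] << 8) | msg[off + 3]);
        if (plen < 4 || off + plen > len) return -1;
        if (np == ISAKMP_NEXT_NATD_RFC || (np == ISAKMP_NEXT_SAK && legacy_natt_draft))
            r->natd++;                    /* type 15 is NAT-D only under the old draft */
        else if ((np >= 1 && np <= 14) || np == ISAKMP_NEXT_NATOA_RFC)
            r->standard++;                /* RFC 2408 / RFC 3947 payloads */
        else
            r->unsupported++;             /* SAK, GDOI, draft-only types: skip, do not assert */
        np = msg[off];                    /* chain continues via this payload's header */
        off += plen;
    }
    return 0;
}

/* Constructed (not captured) message HDR, HASH, NAT-D, NAT-D, both NAT-D payloads under legacy type 15 as OS X sends them. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t body[] = {
        ISAKMP_NEXT_SAK,  0, 0, 8, 0xaa, 0xbb, 0xcc, 0xdd, /* HASH,  next = 15 */
        ISAKMP_NEXT_SAK,  0, 0, 8, 0x01, 0x02, 0x03, 0x04, /* NAT-D, next = 15 */
        ISAKMP_NEXT_NONE, 0, 0, 8, 0x05, 0x06, 0x07, 0x08  /* NAT-D, next = 0  */
    };
    size_t total = ISAKMP_HDR_LEN + sizeof body;
    if (cap < total) return 0;
    memset(buf, 0, ISAKMP_HDR_LEN);
    buf[16] = ISAKMP_NEXT_HASH; buf[17] = 0x10; /* first payload HASH; version 1.0 */
    buf[27] = (uint8_t)total;                   /* message length fits in the low byte */
    memcpy(buf + ISAKMP_HDR_LEN, body, sizeof body);
    return total;
}
```

With the draft flag set the two type-15 payloads are counted as NAT-D; without it they land in `unsupported` and the walk still completes, which is the tolerant behaviour the patched packages in this thread restore.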