Bug 1375776

Summary: [IKEv2 Conformance] Test IKEv2.EN.R.1.2.2.1: Receipt of retransmitted CREATE_CHILD_SA request failed
Product: Red Hat Enterprise Linux 7
Reporter: Jianwen Ji <jiji>
Component: libreswan
Assignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA
QA Contact: Jianwen Ji <jiji>
Severity: medium
Priority: medium
Version: 7.3
CC: jiji, omoris, pwouters, stanpao
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: libreswan-3.23-1.el7
Last Closed: 2018-04-10 17:22:34 UTC
Type: Bug
Attachments: libreswan-3.15-6.pcap

Description Jianwen Ji 2016-09-14 02:40:54 UTC
Created attachment 1200717
libreswan-3.15-6.pcap

Test case link:
Test IKEv2.EN.R.1.2.2.1, Page 458 at
https://www.ipv6ready.org/docs/Phase2_IKEv2_Conformance_Latest.pdf

Purpose: 
To verify an IKEv2 device retransmits CREATE_CHILD_SA request using properly Header and Payloads format

References: 
[RFC 4306] - Sections 2.1, 2.2 and 2.4 

   NUT             TN1 
(End-Node)      (End-Node) 
 |             | 
 |<------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni) 
 |             | (Packet #1) 
 |------------>| IKE_SA_INIT response (HDR, SAr1, KEr, Nr)
 |             | (Judgment #1) 
 |             | 
 |<------------| IKE_AUTH request (HDR, SK {IDi, AUTH, N+, SAi2, TSi, TSr}) 
 |             | (Packet #2) 
 |------------>| IKE_AUTH response (HDR, SK {IDr, AUTH, N+, SAr2, TSi, TSr}) 
 |             | (Judgment #2) 
 |             | 
 |<------------| CREATE_CHILD_SA request (HDR, SK {N, N+, SA, Ni, TSi, TSr}) 
 |             | (Packet #3) 
 |------------>| CREATE_CHILD_SA response (HDR, SK {N, N+, SA, Nr, TSi,TSr})    
 |             | (Judgment #3) 
 |             | 
 |             * wait until retrans timer expires 
 |-------X     | CREATE_CHILD_SA response (HDR, SK {N, N+, SA, Nr, TSi, TSr}) 
 |             | (Judgment #4) 
 |             | 
 |<------------| CREATE_CHILD_SA request (HDR, SK {N, N+, SA, Ni, TSi, TSr}) 
 |             | (Packet #4) 
 |------------>| CREATE_CHILD_SA response (HDR, SK {N, N+, SA, Nr, TSi, TSr}) 
 |             | (Judgment #5) 
 |             | 
 V             V 
N: REKEY_SA 
N+: USE_TRANSPORT_MODE 

Version-Release number of selected component (if applicable):
libreswan-3.15-6.el7.x86_64

How reproducible:
always


Actual results:
Failed at Judgement #5

During the test, the device successfully completes the IKE_SA_INIT and IKE_AUTH exchanges. After receiving the retransmitted CREATE_CHILD_SA request, the device transmits an IKE_SA_INIT response.

Expected results:
The device should have only retransmitted a CREATE_CHILD_SA response after
receiving a retransmitted CREATE_CHILD_SA request.

Additional info:
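
The Judgment #5 check described above, as an added example that is not part of the original report or of libreswan: it parses the fixed IKEv2 header (RFC 4306, section 3.1) and flags any reply to a retransmitted request that does not repeat the same exchange type and Message ID. The packets are constructed header-only samples; the SPIs and the Message ID of the wrong IKE_SA_INIT reply are made up, and the function names are hypothetical.

```python
import struct
from collections import namedtuple

# Fixed 28-byte IKEv2 header (RFC 4306, section 3.1).
HDR = struct.Struct("!8s8sBBBBII")
IkeHdr = namedtuple("IkeHdr", "spi_i spi_r next_payload version exchange flags msgid length")
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20


def parse_header(datagram):
    """Parse the IKEv2 header at the start of a UDP port 500 payload."""
    if len(datagram) < HDR.size:
        raise ValueError("truncated IKE header")
    return IkeHdr(*HDR.unpack_from(datagram))


def check_retransmit_replies(datagrams):
    """Return (msgid, expected, got) for each wrong reply to a repeated request."""
    seen, pending, findings = set(), None, []
    for raw in datagrams:
        h = parse_header(raw)
        if not h.flags & FLAG_RESPONSE:
            key = (h.spi_i, h.spi_r, h.exchange, h.msgid)
            pending = h if key in seen else None  # seen before: a retransmission
            seen.add(key)
        elif pending is not None:
            # The reply must repeat the earlier response: same exchange, same Message ID.
            if (h.exchange, h.msgid) != (pending.exchange, pending.msgid):
                findings.append((pending.msgid, EXCHANGE.get(pending.exchange, pending.exchange),
                                 EXCHANGE.get(h.exchange, h.exchange)))
            pending = None
    return findings


def sample_trace(reply_exchange, reply_msgid):
    """Constructed header-only datagrams following the test sequence in the report."""
    spi_i, spi_r = b"\x11" * 8, b"\x22" * 8  # made-up SPIs
    def pkt(exchange, msgid, response, responder_spi=spi_r):
        flags = FLAG_RESPONSE if response else FLAG_INITIATOR
        return HDR.pack(spi_i, responder_spi, 0, 0x20, exchange, flags, msgid, HDR.size)

    return [pkt(34, 0, False, b"\x00" * 8), pkt(34, 0, True),  # IKE_SA_INIT
            pkt(35, 1, False), pkt(35, 1, True),                # IKE_AUTH
            pkt(36, 2, False), pkt(36, 2, True),                # CREATE_CHILD_SA
            pkt(36, 2, False),                                  # Packet #4: retransmitted request
            pkt(reply_exchange, reply_msgid, True)]             # reply checked at Judgment #5
```

`check_retransmit_replies(sample_trace(34, 0))` models the reported behaviour and returns one finding; `sample_trace(36, 2)` models the expected behaviour and returns none.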

Comment 25 Ondrej Moriš 2018-01-28 13:14:44 UTC
Jianwen, is it possible to re-test this with the latest version of libreswan (libreswan-3.23-1.el7)?

Comment 27 Paul Wouters 2018-01-29 15:54:59 UTC
Thanks for testing!

Comment 30 errata-xmlrpc 2018-04-10 17:22:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0932

Comment 31 stan pao 2019-10-18 07:20:59 UTC
Sorry to comment again. This bug only happens under IPv6?