Bug 1574939

Summary: IKEv2 VPN connections fail to use DNS servers provided by the server
Product: [Fedora] Fedora Reporter: Marian Kechlibar <marian.kechlibar>
Component: strongswanAssignee: Pavel Šimerda <code>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 28CC: assen, avagarwa, code, goodmirek, mail, mikhail.zabaluev, pwouters, sspreitz
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-06 05:26:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marian Kechlibar 2018-05-04 11:47:43 UTC
Fedora 28, strongswan-5.6.2-2.

Upon connecting to a IKEv2 VPN gateway, charon-nm fails to parse the provided DNS addresses correctly and fills in random garbage. As a result, no server names in the private network can be resolved.

This is a known problem fixed by a specific patch in the 5.6.2 version, but the patch seems to be forgotten/omitted during build of the Fedora RPM.

The following one-liner should fix the problem.

https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=ee8c2551

Comment 1 Pavel Šimerda 2018-05-04 12:00:45 UTC
(In reply to Marian Kechlibar from comment #0)
> the patch seems to be forgotten/omitted during build of the Fedora RPM.

What do you mean by forgotten/omitted during build?

Comment 2 Marian Kechlibar 2018-05-04 12:03:17 UTC
(In reply to Pavel (pavlix) Šimerda from comment #1)
> (In reply to Marian Kechlibar from comment #0)
> > the patch seems to be forgotten/omitted during build of the Fedora RPM.
> 
> What do you mean by forgotten/omitted during build?

I mean that charon-nm behaves exactly as expected if the patch was not there. I haven't checked the actual Fedora sources, though. I definitely did not mean to attribute any guilt to anyone or so.

BTW Ubuntu 18.04 has precisely the same problem. In Debian the RPM was already patched.

Comment 3 Pavel Šimerda 2018-05-04 12:06:08 UTC
No problem.

Comment 4 Assen Totin 2018-05-08 22:34:14 UTC
Absolutely confirming the bug. After F27->F28 upgrade all previously working IPSec VPNs are broken this very way. Why is this big still "NEW"? When to expect a fix?

Comment 5 Marian Kechlibar 2018-05-09 08:11:13 UTC
I was able to fix the problem on my computer by downloading the source RPM, extracting it, patching the faulty line (it is indeed a one-liner), recompiling the RPM from the patched source and reinstalling the patched package. That is beyond a typical user's ability, though.

Pavlix asked me to join a special IIRC channel and submit a Pull request, I will do so when I find the necessary time, probably tomorrow.

Comment 6 Mirek Svoboda 2018-05-25 07:16:20 UTC
*** Bug 1564529 has been marked as a duplicate of this bug. ***

Comment 7 Mirek Svoboda 2018-05-25 07:28:42 UTC
I confirm that the build [strongswan-5.6.2-6.fc28](https://bodhi.fedoraproject.org/updates/FEDORA-2018-3731a89e20) fixes this issue.

Comment 8 Mikhail Zabaluev 2018-10-06 05:26:46 UTC
Fixed since strongswan-5.6.2-6.