Bug 363521

Summary: TAHI--IPSECv6--SGW Tunnel Mode ESP 3DES-CBC with HMAC-SHA1 authentication, NUT cannot Set SPD entries
Product: Red Hat Enterprise Linux 5 Reporter: Zhiyong Wu <zwu>
Component: ipsec-toolsAssignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 5.0CC: davem, desktop-bugs, iboverma, jiabwang, llim, lwang, nhorman, tgraf, yshang, yshao
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-29 18:31:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 448732    
Attachments:
Description Flags
test for RHEL5.2-20080430
none
ps format result none

Description Zhiyong Wu 2007-11-02 09:12:13 UTC 
Description of problem:

  When having ipsecv6 tests about "SGW Tunnel Mode ESP 3DES-CBC with HMAC-SHA1 

authentication" in the software gateway mode,we found that NUT cannot Set SPD 

entries.

scenarios.

Version-Release number of selected component (if applicable):

  kernel-2.6.18-43.el5

Software Environment:   
  Testee(NUT):   
    RHEL5 
    Kernel:2.6.18-43.el5 
   
  Tester(TN):   
    FreeBSD6.2
    v6eval-3.0.12.tar.gz
   
TAHI package:    
  IPsec_Self_Test_P2_1-1-1.tar.gz

How reproducible:
  every time

Steps to Reproduce:    
  1. Configure TAHI test environment.     
  2. Run the TAHI test suite     
  3. After the test completes, check for the results 
  
Actual results:

   NUT cannot Set SPD entries

Expected results:

   NUT can Set SPD entries

Additional info:
  
   please refer to 

http://focus.brisbane.redhat.com/~zwu/ipsec_sgw/20071022/IPsec_Self_Test_P2_1-1-1_sgw/ipsec.p2/index.html

   (1) 3	6.1.2 Select SPD (ICMP Type), ESP=3DES-CBC HMAC-SHA1
Comment 1 Zhiyong Wu 2007-11-02 09:19:20 UTC 
   Also about it:

   when NUT is set to the host mode,

   pls refer to the url below:

http://focus.brisbane.redhat.com/~zwu/ipsec_endnode/20071028/IPsec_Self_Test_P2_1-1-1_end_node/ipsec.p2/index.html

   (1) 3	5.1.2 Select SPD (ICMP Type), ESP=3DES-CBC HMAC-SHA1
Comment 3 Zhiyong Wu 2008-02-20 09:18:35 UTC 
the test case still FAIL On RHEL5.2

for more details, pls refer to 

http://focus.brisbane.redhat.com/~zwu/RHEL5.2-Server-20080212.0/20080220/IPsec_Self_Test_P2_1-1-2_end_node/ipsec.p2/index.html

(1) 3	5.1.2 Select SPD (ICMP Type), ESP=3DES-CBC HMAC-SHA1
Comment 6 shangyanfeng 2008-05-06 09:37:12 UTC 
Created attachment 304613 [details]
test for RHEL5.2-20080430

this is IPsec test for RHEL5.2-20080430,also fail
Comment 7 Lawrence Lim 2008-05-07 14:47:37 UTC 
Thomas,
Could you confirm whether kernel support this mode?

SGW Tunnel Mode ESP 3DES-CBC with HMAC-SHA1 authentication
Comment 8 Thomas Graf 2008-05-07 15:11:57 UTC 
Yes, the kernel supports both algorithms. As you can see in the test log, the
algorithms have been successfully configured, if they weren't supported this
step would fail.
Comment 9 Thomas Graf 2008-05-07 15:20:25 UTC 
To me this looks like something is broken in the test scripts. Out of the
logs:

Remote(ipsecSetSPD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSPD.rmt -t 
[...]
eval $main::rOpt_upperspec='icmp6'
[...]
Connected
upperspec must be one of any|tcp|udp
ipsecSetSPD.rmt [parameters]
parameters:
src=source address
[...]
Comment 10 shangyanfeng 2008-05-08 04:51:56 UTC 
Created attachment 304831 [details]
ps format result

test for RHEL5.2-20080430

this is IPsec test for RHEL5.2-20080430,also fail

kernel 2.6.18-92.el5 ipsec-tools-0.6.5-9.el5

convert the result from html format to ps
Comment 12 Thomas Graf 2008-06-13 21:21:36 UTC 
According to the logs, this looks like a problem with ipsec-tools, the test
cannot be configured correctly. The algorithm itself is supported by the kernel.
Comment 13 Tomas Mraz 2008-06-13 21:47:49 UTC 
What is the command on the tested computer that fails?
Comment 14 Red Hat Bugzilla 2008-07-08 01:24:11 UTC 
Adding yshao to the cc list as the manager of the disabled user zwu who reported this bug
Comment 15 Tomas Mraz 2008-07-29 18:31:19 UTC 
Without the required information it is not possible to fix the problem. Also
from the attached logs it seems clear that the command which is failing is part
of the testsuite and not the setkey command which is contained in the
ipsec-tools package.

Closing as NOTABUG for now, please reopen if you can provide logs where the
setkey command fails.
Comment 16 Tomas Mraz 2008-10-29 07:34:42 UTC 
*** Bug 468353 has been marked as a duplicate of this bug. ***