Bug 447419

Summary: openswan ships with OE enabled by accident
Product: Fedora
Reporter: Paul Wouters <pwouters>
Component: openswan
Assignee: Steve Conklin <fedora>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: urgent
Version: 9
CC: gresko
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-23 16:02:58 UTC

Description Paul Wouters 2008-05-19 20:59:31 UTC
Description of problem:
openswan 2.6.09-2.fc9 ships with Opportunistic Encryption (OE) enabled while
using the netkey (xfrm) stack. This is causing connection failures.

Version-Release number of selected component (if applicable):
2.6.09-2.fc9


Additional info:

Add oe=off to the section "config setup" in /etc/ipsec.conf

Comment 1 Paul Wouters 2008-05-19 21:00:11 UTC
Note that in openswan-2.4.x the oe= option did not exist, and OE was disabled by
including /etc/ipsec.d/examples/no_oe.conf.

Comment 2 Paul Wouters 2008-05-20 04:12:07 UTC
Note: openswan-2.6.9 has broken IKEv2 code. It is incompatible with other IKEv2
daemons and with openswan-2.6.12+. Please use 2.6.13 (or 2.6.14 when available).

patch4 also breaks dynamic clients using left=%defaultroute. Please remove that
broken patch.

Comment 3 Paul Wouters 2008-10-09 21:01:11 UTC
- I see that oe=off is still not enabled in the ipsec.conf :(

- There is no virtual_private= defined, so it won't work as client behind NAT

- Many fixes between 2.6.14 - 2.6.18, should really update the entire package. See CHANGES

- openswan-2.6-intwarning.patch breaks certain setups and should really NOT be applied to the package anymore.

- why not Buildrequires: xmlto so we can build up to date man pages from xml?
  openswan-2.6-noxmlto.patch should go away IMHO

Comment 4 Paul Wouters 2008-10-09 21:33:25 UTC
I just checked openswan-2.6.18-1.fc10

- openswan-2.6.16-initscript-correction.patch will cause breakage with NFS mounts via IPsec. (obviously /usr is a problem, but others don't have to be)

- oe=off should still be added

- virtual_private= with RFC1918 space should still be added (see man ipsec.conf)

- openswan-2.6-intwarning.patch is still an urgent problem
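As an added example (not from this bug report, the Fedora package or openswan): a small Python check that parses an ipsec.conf text and reports whether the two "config setup" settings requested above, oe=off and virtual_private=, are present. The sample configurations, including their protostack= and nat_traversal= lines, are constructed for illustration and do not reproduce the shipped file.

```python
def parse_ipsec_conf(text):
    """Return {section: {key: value}} for ipsec.conf-style text.

    Section headers ("config setup", "conn foo") start at column 0;
    parameters are indented key=value lines; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = " ".join(line.split())      # e.g. "config setup"
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_setup(text):
    """Return findings for 'config setup'; empty means both settings are present."""
    setup = parse_ipsec_conf(text).get("config setup", {})
    findings = []
    if setup.get("oe", "").lower() != "off":
        findings.append("oe=off missing: Opportunistic Encryption stays enabled")
    if not setup.get("virtual_private"):
        findings.append("virtual_private= missing: clients behind NAT will fail")
    return findings


# Constructed sample resembling the shipped default: no oe=, no virtual_private=
SHIPPED_DEFAULT = """\
version 2.0
config setup
\tprotostack=netkey
\tnat_traversal=yes
"""

# Constructed sample with the two settings the reporter asks for added
FIXED = """\
version 2.0
config setup
\tprotostack=netkey
\tnat_traversal=yes
\toe=off
\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
"""

if __name__ == "__main__":
    for name, conf in (("shipped default", SHIPPED_DEFAULT), ("fixed", FIXED)):
        print(f"{name}: {check_setup(conf) or ['ok']}")
```

Run it against the real /etc/ipsec.conf by reading the file into check_setup(); any non-empty result lists the setting that still needs adding.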

Comment 5 Paul Wouters 2008-10-09 21:39:15 UTC
- Why compile with USE_LWRES=false ? It would be better to BuildRequire: bind-devel. We haven't been testing with USE_LWRES=false for about a year now, as it is the obsolete resolving method (we need lwres for non-blocking dns helper threads and for DNSSEC)

Comment 6 Paul Wouters 2008-10-09 22:18:07 UTC
- License: GPLv2+

That's wrong. The license is v2, not v2+.
It is also partially BSD license for some crypto code.

Comment 7 Paul Wouters 2008-10-09 22:21:26 UTC
- rm -rf programs/readwriteconf

Why is that done? readwriteconf is only used when running 'make check'?

Comment 8 Paul Wouters 2009-01-23 16:02:58 UTC
Original bug is closed; the rest is just chatter that does not really matter anymore.