Bug 468354
| Summary: | [TAHI] IPSec Test, Discard Traffic, ESP=3DES-CBC HMAC-SHA1 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | wang jiabo <jiabwang> |
| Component: | kernel | Assignee: | Red Hat Kernel Manager <kernel-mgr> |
| Status: | CLOSED NOTABUG | QA Contact: | Martin Jenner <mjenner> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.3 | CC: | llim |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-11-05 07:47:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Doesn't it mean that linux kernel doesn't support that in the SPD? If yes, please reassign to kernel. If not, please give detailed instructions on how to reproduce. That's a good point. Reassigning to kernel. we test cases using TAHI program between 2 hosts(please see the following info.), one is NUT(RHEL5.3) ,another is TN(FreeBSD7.0). the case use transport mode in IPsec. expected results should discard echo reply Start Capturing Packets (Link0) Target: Set SAD entries: src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" spi=0x1000 mode=transport protocol=esp ealgo=3des-cbc ealgokey=ipv6readylogo3descbcin01 eauth=hmac-sha1 eauthkey=ipv6readylogsha1in01 16:26:26 vRemote(ipsecSetSAD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSAD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" spi=0x1000 mode=transport protocol=esp ealgo=3des-cbc ealgokey=ipv6readylogo3descbcin01 eauth=hmac-sha1 eauthkey=ipv6readylogsha1in01 '' Connected prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) '' rLogin: Wait for login prompt (0.2 sec)... rLogin: Never got prompt; try again rLogin: Wait for login prompt (50 sec)... [root@ipv6test2 ~]# rLogin: Got command prompt rLogin: Got command prompt _rCommand: Try to get command prompt (0.2 sec.) _rCommand: (\$|#) _rCommand: command prompt... _rCommand: Try to get command prompt (30 sec.) _rCommand: (\$|#) [root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c'' command /bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:5 01:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -E 3des-cbc "ipv6readylogo3d escbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c 3ffe:501:ffff:1::1 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp mode=transport spi=4096(0x00001000) reqid=0(0x00000000) E: 3des-cbc 69707636 72656164 796c6f67 6f336465 73636263 696e3031 A: hmac-sha1 69707636 72656164 796c6f67 73686131 696e3031 seq=0x00000000 replay=0 flags=0x00000000 state=mature created: Oct 29 00:24:06 2008 current: Oct 29 00:24:06 2008 diff: 0(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=0 pid=3485 refcnt=0 [root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c rCommand: Try to get command prompt (0.2 sec) rCommand: CmdOutput=``/bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:5 01:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -E 3des-cbc "ipv6readylogo3d escbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c 3ffe:501:ffff:1::1 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp mode=transport spi=4096(0x00001000) reqid=0(0x00000000) E: 3des-cbc 69707636 72656164 796c6f67 6f336465 73636263 696e3031 A: hmac-sha1 69707636 72656164 796c6f67 73686131 696e3031 seq=0x00000000 replay=0 flags=0x00000000 state=mature created: Oct 29 00:24:06 2008 current: Oct 29 00:24:06 2008 diff: 0(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=0 pid=3485 refcnt=0 [root@ipv6test2 ~]'' echo $? 0 [root@ipv6terCommand: exit status: 0 ~ [EOT] Target: Set SPD entries: src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" upperspec=any direction=in protocol=esp-auth mode=transport policy=ipsec 16:26:31 vRemote(ipsecSetSPD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSPD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" upperspec=any direction=in protocol=esp-auth mode=transport policy=ipsec '' Connected prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) '' rLogin: Wait for login prompt (0.2 sec)... rLogin: Never got prompt; try again rLogin: Wait for login prompt (50 sec)... [root@ipv6test2 ~]# rLogin: Got command prompt rLogin: Got command prompt _rCommand: Try to get command prompt (0.2 sec.) _rCommand: (\$|#) _rCommand: command prompt... _rCommand: Try to get command prompt (30 sec.) _rCommand: (\$|#) [root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'spdadd 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e any -P in ipsec esp/transport/3ffe:501:ffff:0001:0000:0000:0000:0001-3ffe:501:ffff:0:21d:fff:fe0f:be4e/require; spddump;' | setkey -c'' command /bin/echo 'spdadd 3ffe:501:ffff:0001:0000:0000:0000:0001 3ff e:501:ffff:0:21d:fff:fe0f:be4e any -P in ipsec esp/transport/3ffe:501:ffff:0001: 0000:0000:0000:0001-3ffe:501:ffff:0:21d:fff:fe0f:be4e/require; spddump;' | setke y -c 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any in prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=72 seq=1 pid=3496 refcnt=2 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any fwd prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=82 seq=0 pid=3496 refcnt=2 [root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'spdadd 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e any -P in ipsec esp/transport/3ffe:501:ffff:0001:0000:0000:0000:0001-3ffe:501:ffff:0:21d:fff:fe0f:be4e/require; spddump;' | setkey -c rCommand: Try to get command prompt (0.2 sec) rCommand: CmdOutput=``/bin/echo 'spdadd 3ffe:501:ffff:0001:0000:0000:0000:0001 3ff e:501:ffff:0:21d:fff:fe0f:be4e any -P in ipsec esp/transport/3ffe:501:ffff:0001: 0000:0000:0000:0001-3ffe:501:ffff:0:21d:fff:fe0f:be4e/require; spddump;' | setke y -c 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any in prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=72 seq=1 pid=3496 refcnt=2 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any fwd prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=82 seq=0 pid=3496 refcnt=2 [root@ipv6test2 ~]'' echo $? 0 [roorCommand: exit status: 0 ~ [EOT] Target: Set SAD entries: src="3ffe:501:ffff:0:21d:fff:fe0f:be4e" dst="3ffe:501:ffff:0001:0000:0000:0000:0001" spi=0x2000 mode=transport protocol=esp ealgo=3des-cbc ealgokey=ipv6readylogo3descbcout1 eauth=hmac-sha1 eauthkey=ipv6readylogsha1out1 16:26:37 vRemote(ipsecSetSAD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSAD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0:21d:fff:fe0f:be4e" dst="3ffe:501:ffff:0001:0000:0000:0000:0001" spi=0x2000 mode=transport protocol=esp ealgo=3des-cbc ealgokey=ipv6readylogo3descbcout1 eauth=hmac-sha1 eauthkey=ipv6readylogsha1out1 '' Connected prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) '' rLogin: Wait for login prompt (0.2 sec)... rLogin: Never got prompt; try again rLogin: Wait for login prompt (50 sec)... [root@ipv6test2 ~]# rLogin: Got command prompt rLogin: Got command prompt _rCommand: Try to get command prompt (0.2 sec.) _rCommand: (\$|#) _rCommand: command prompt... _rCommand: Try to get command prompt (30 sec.) _rCommand: (\$|#) [root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'add 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ffff:0001:0000:0000:0000:0001 esp 0x2000 -m transport -E 3des-cbc "ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1"; dump;' | setkey -c'' command /bin/echo 'add 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ff ff:0001:0000:0000:0000:0001 esp 0x2000 -m transport -E 3des-cbc "ipv6readylogo3d escbcout1" -A hmac-sha1 "ipv6readylogsha1out1"; dump;' | setkey -c 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ffff:1::1 esp mode=transport spi=8192(0x00002000) reqid=0(0x00000000) E: 3des-cbc 69707636 72656164 796c6f67 6f336465 73636263 6f757431 A: hmac-sha1 69707636 72656164 796c6f67 73686131 6f757431 seq=0x00000000 replay=0 flags=0x00000000 state=mature created: Oct 29 00:24:17 2008 current: Oct 29 00:24:17 2008 diff: 0(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=1 pid=3502 refcnt=0 3ffe:501:ffff:1::1 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp mode=transport spi=4096(0x00001000) reqid=0(0x00000000) E: 3des-cbc 69707636 72656164 796c6f67 6f336465 73636263 696e3031 A: hmac-sha1 69707636 72656164 796c6f67 73686131 696e3031 seq=0x00000000 replay=0 flags=0x00000000 state=mature created: Oct 29 00:24:06 2008 current: Oct 29 00:24:17 2008 diff: 11(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=0 pid=3502 refcnt=0 [root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'add 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ffff:0001:0000:0000:0000:0001 esp 0x2000 -m transport -E 3des-cbc "ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1"; dump;' | setkey -c rCommand: Try to get command prompt (0.2 sec) rCommand: CmdOutput=``/bin/echo 'add 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ff ff:0001:0000:0000:0000:0001 esp 0x2000 -m transport -E 3des-cbc "ipv6readylogo3d escbcout1" -A hmac-sha1 "ipv6readylogsha1out1"; dump;' | setkey -c 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ffff:1::1 esp mode=transport spi=8192(0x00002000) reqid=0(0x00000000) E: 3des-cbc 69707636 72656164 796c6f67 6f336465 73636263 6f757431 A: hmac-sha1 69707636 72656164 796c6f67 73686131 6f757431 seq=0x00000000 replay=0 flags=0x00000000 state=mature created: Oct 29 00:24:17 2008 current: Oct 29 00:24:17 2008 diff: 0(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=1 pid=3502 refcnt=0 3ffe:501:ffff:1::1 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp mode=transport spi=4096(0x00001000) reqid=0(0x00000000) E: 3des-cbc 69707636 72656164 796c6f67 6f336465 73636263 696e3031 A: hmac-sha1 69707636 72656164 796c6f67 73686131 696e3031 seq=0x00000000 replay=0 flags=0x00000000 state=mature created: Oct 29 00:24:06 2008 current: Oct 29 00:24:17 2008 diff: 11(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=0 pid=3502 refcnt=0 [root@ipv6test2 ~]'' echo $? 0 [roorCommand: exit status: 0 ~ [EOT] Target: Set SPD entries: src="3ffe:501:ffff:0:21d:fff:fe0f:be4e" dst="3ffe:501:ffff:0001:0000:0000:0000:0001" upperspec=any direction=out protocol=esp-auth mode=transport policy=ipsec 16:26:42 vRemote(ipsecSetSPD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSPD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0:21d:fff:fe0f:be4e" dst="3ffe:501:ffff:0001:0000:0000:0000:0001" upperspec=any direction=out protocol=esp-auth mode=transport policy=ipsec '' Connected prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) '' rLogin: Wait for login prompt (0.2 sec)... rLogin: Never got prompt; try again rLogin: Wait for login prompt (50 sec)... [root@ipv6test2 ~]# rLogin: Got command prompt rLogin: Got command prompt _rCommand: Try to get command prompt (0.2 sec.) _rCommand: (\$|#) _rCommand: command prompt... _rCommand: Try to get command prompt (30 sec.) _rCommand: (\$|#) [root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'spdadd 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ffff:0001:0000:0000:0000:0001 any -P out ipsec esp/transport/3ffe:501:ffff:0:21d:fff:fe0f:be4e-3ffe:501:ffff:0001:0000:0000:0000:0001/require; spddump;' | setkey -c'' command /bin/echo 'spdadd 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501 :ffff:0001:0000:0000:0000:0001 any -P out ipsec esp/transport/3ffe:501:ffff:0:21 d:fff:fe0f:be4e-3ffe:501:ffff:0001:0000:0000:0000:0001/require; spddump;' | setk ey -c 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any in prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=72 seq=2 pid=3512 refcnt=1 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] 3ffe:501:ffff:1::1[any] any out prio def ipsec esp/transport//require created: Oct 29 00:24:22 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=89 seq=1 pid=3512 refcnt=2 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any fwd prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=82 seq=0 pid=3512 refcnt=1 [root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'spdadd 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ffff:0001:0000:0000:0000:0001 any -P out ipsec esp/transport/3ffe:501:ffff:0:21d:fff:fe0f:be4e-3ffe:501:ffff:0001:0000:0000:0000:0001/require; spddump;' | setkey -c rCommand: Try to get command prompt (0.2 sec) rCommand: CmdOutput=``/bin/echo 'spdadd 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501 :ffff:0001:0000:0000:0000:0001 any -P out ipsec esp/transport/3ffe:501:ffff:0:21 d:fff:fe0f:be4e-3ffe:501:ffff:0001:0000:0000:0000:0001/require; spddump;' | setk ey -c 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any in prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=72 seq=2 pid=3512 refcnt=1 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] 3ffe:501:ffff:1::1[any] any out prio def ipsec esp/transport//require created: Oct 29 00:24:22 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=89 seq=1 pid=3512 refcnt=2 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any fwd prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=82 seq=0 pid=3512 refcnt=1 [root@ipv6test2 ~]'' echo $? 0 [roorCommand: exit status: 0 ~ [EOT] Target: Enable and start IPsec function 16:26:47 vRemote(ipsecEnable.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecEnable.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 '' *** Target testing phase *** 16:26:48 Clear Captured Packets (Link0) 16:26:48 vSend(Link0,echo_request_from_host1_esp) Send Echo Request with ESP from HOST-1(TN) 16:26:48 vRecv(Link0,echo_reply_to_host1_esp ns_to_router_linkaddr_w_linkaddr rs_from_nut rs_from_nut_wsll ns_to_router_wo_sllopt ns_to_router_linkaddr ns_to_router rs_from_nut_wunspec) timeout:3 cntLimit:0 seektime:0 Receive Echo Reply with ESP from End-Node(NUT) to Host-1(TN) 16:26:48 vRecv(Link0,ns_to_router_linkaddr_w_linkaddr ns_to_router_wo_sllopt ns_to_router_linkaddr ns_to_router) timeout:3 cntLimit:0 seektime:0 vRecv() return status=1 16:26:51 vRecv(Link0,ns_to_router_linkaddr_w_linkaddr ns_to_router_wo_sllopt ns_to_router_linkaddr ns_to_router) timeout:3 cntLimit:0 seektime:0 vRecv() return status=1 TN received echo reply from NUT to HOST1. Judgement #1: OK Set Discard policy to NUT Target: Set SPD entries: src=any dst=any upperspec=any direction=in protocol=esp-auth mode=transport policy=discard 16:26:54 vRemote(ipsecSetSPD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSPD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src=any dst=any upperspec=any direction=in protocol=esp-auth mode=transport policy=discard '' Connected prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) '' rLogin: Wait for login prompt (0.2 sec)... rLogin: Never got prompt; try again rLogin: Wait for login prompt (50 sec)... [root@ipv6test2 ~]# rLogin: Got command prompt rLogin: Got command prompt _rCommand: Try to get command prompt (0.2 sec.) _rCommand: (\$|#) _rCommand: command prompt... _rCommand: Try to get command prompt (30 sec.) _rCommand: (\$|#) [root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'spdadd any any any -P in discard; spddump;' | setkey -c'' command /bin/echo 'spdadd any any any -P in discard; spddump;' | set key -c line 0: syntax error at [any] 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any in prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: Oct 29 00:24:27 2008 lifetime: 0(s) validtime: 0(s) spid=72 seq=2 pid=3518 refcnt=2 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] 3ffe:501:ffff:1::1[any] any out prio def ipsec esp/transport//require created: Oct 29 00:24:22 2008 lastused: Oct 29 00:24:27 2008 lifetime: 0(s) validtime: 0(s) spid=89 seq=1 pid=3518 refcnt=2 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any fwd prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=82 seq=0 pid=3518 refcnt=1 [root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'spdadd any any any -P in discard; spddump;' | setkey -c rCommand: Try to get command prompt (0.2 sec) rCommand: CmdOutput=``/bin/echo 'spdadd any any any -P in discard; spddump;' | set key -c line 0: syntax error at [any] 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any in prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: Oct 29 00:24:27 2008 lifetime: 0(s) validtime: 0(s) spid=72 seq=2 pid=3518 refcnt=2 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] 3ffe:501:ffff:1::1[any] any out prio def ipsec esp/transport//require created: Oct 29 00:24:22 2008 lastused: Oct 29 00:24:27 2008 lifetime: 0(s) validtime: 0(s) spid=89 seq=1 pid=3518 refcnt=2 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any fwd prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=82 seq=0 pid=3518 refcnt=1 [root@ipv6test2 ~]'' echo $? 0 [roorCommand: exit status: 0 ~ [EOT] Target: Set SPD entries: src=any dst=any upperspec=any direction=out protocol=esp-auth mode=transport policy=discard 16:26:59 vRemote(ipsecSetSPD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSPD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src=any dst=any upperspec=any direction=out protocol=esp-auth mode=transport policy=discard '' Connected prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) '' rLogin: Wait for login prompt (0.2 sec)... rLogin: Never got prompt; try again rLogin: Wait for login prompt (50 sec)... [root@ipv6test2 ~]# rLogin: Got command prompt rLogin: Got command prompt _rCommand: Try to get command prompt (0.2 sec.) _rCommand: (\$|#) _rCommand: command prompt... _rCommand: Try to get command prompt (30 sec.) _rCommand: (\$|#) [root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'spdadd any any any -P out discard; spddump;' | setkey -c'' command /bin/echo 'spdadd any any any -P out discard; spddump;' | se tkey -c line 0: syntax error at [any] 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any in prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: Oct 29 00:24:27 2008 lifetime: 0(s) validtime: 0(s) spid=72 seq=2 pid=3524 refcnt=2 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] 3ffe:501:ffff:1::1[any] any out prio def ipsec esp/transport//require created: Oct 29 00:24:22 2008 lastused: Oct 29 00:24:27 2008 lifetime: 0(s) validtime: 0(s) spid=89 seq=1 pid=3524 refcnt=2 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any fwd prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=82 seq=0 pid=3524 refcnt=1 [root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'spdadd any any any -P out discard; spddump;' | setkey -c rCommand: Try to get command prompt (0.2 sec) rCommand: CmdOutput=``/bin/echo 'spdadd any any any -P out discard; spddump;' | se tkey -c line 0: syntax error at [any] 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any in prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: Oct 29 00:24:27 2008 lifetime: 0(s) validtime: 0(s) spid=72 seq=2 pid=3524 refcnt=2 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] 3ffe:501:ffff:1::1[any] any out prio def ipsec esp/transport//require created: Oct 29 00:24:22 2008 lastused: Oct 29 00:24:27 2008 lifetime: 0(s) validtime: 0(s) spid=89 seq=1 pid=3524 refcnt=2 3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any fwd prio def ipsec esp/transport//require created: Oct 29 00:24:11 2008 lastused: lifetime: 0(s) validtime: 0(s) spid=82 seq=0 pid=3524 refcnt=1 [root@ipv6test2 ~]'' echo $? 0 [roorCommand: exit status: 0 ~ [EOT] Target: Enable and start IPsec function 16:27:05 vRemote(ipsecEnable.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecEnable.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 '' 16:27:05 Clear Captured Packets (Link0) 16:27:05 vSend(Link0,echo_request_from_host2_net1_to_host0_net0) Send Echo Request from Host2(TN) to End-Node(NUT) 16:27:05 vRecv(Link0,echo_reply_from_host0_net0_to_host2_net1 echo_reply_to_host2_esp ns_to_router_linkaddr_w_linkaddr rs_from_nut rs_from_nut_wsll ns_to_router_wo_sllopt ns_to_router_linkaddr ns_to_router rs_from_nut_wunspec) timeout:3 cntLimit:0 seektime:0 Receive Echo Reply from End-Node(NUT) to Host2(TN) 16:27:05 vRecv(Link0,ns_to_router_linkaddr_w_linkaddr ns_to_router_wo_sllopt ns_to_router_linkaddr ns_to_router) timeout:3 cntLimit:0 seektime:0 vRecv() return status=1 16:27:08 vRecv(Link0,ns_to_router_linkaddr_w_linkaddr ns_to_router_wo_sllopt ns_to_router_linkaddr ns_to_router) timeout:3 cntLimit:0 seektime:0 vRecv() return status=1 TN received echo reply from End-Node(NUT) to HOST-1(TN). NG 16:27:11 End thanks you help. I have found where problem is for the bug. the issue is from my test suite of TAHI. I have fixed the test suite of TAHI. I am very sorry to disturb you. Thanks |
Description of problem: all implementations must support DISCARDing of Fragments using the normal SPD packet classification mechanisms in RFC 4301 section 7.4. but our IPsec-tools did not support the mechanisms Version-Release number of selected component (if applicable): ipsec-tools-0.6.5-13.el5 How reproducible: everytime Steps to Reproduce: 1. 2. 3. Actual results: cannot DISCARD frangments Expected results: must support DiSCARDing Additional info: tcpdump info: 17:08:27.337127 IP6 3ffe:501:ffff:1::1 > 3ffe:501:ffff:0:20a:ebff:fe85:9e56: ESP(spi=0x00001000,seq=0x1), length 52 17:08:27.337262 IP6 3ffe:501:ffff:0:20a:ebff:fe85:9e56 > 3ffe:501:ffff:1::1: ESP(spi=0x00002000,seq=0x1), length 52 17:08:44.631694 IP6 3ffe:501:ffff:1::2 > 3ffe:501:ffff:0:20a:ebff:fe85:9e56: ICMP6, echo request, seq 0, length 22 17:08:44.631766 IP6 3ffe:501:ffff:0:20a:ebff:fe85:9e56 > 3ffe:501:ffff:1::2: ICMP6, echo reply, seq 0, length 22 17:08:49.631863 IP6 fe80::20a:ebff:fe85:9e56 > fe80::200:ff:fe00:f: ICMP6, neighbor solicitation, who has fe80::200:ff:fe00:f, length 32 17:08:49.654527 IP6 fe80::200:ff:fe00:f > fe80::20a:ebff:fe85:9e56: ICMP6, neighbor advertisement, tgt is fe80::200:ff:fe00:f, length 32