Bug 468951

Summary: [TAHI]Encryption Algorithm (CAMELLIA-CBC(128-bit)) test on host transport mode
Product: Red Hat Enterprise Linux 5
Reporter: wang jiabo <jiabwang>
Component: kernel
Assignee: wang jiabo <jiabwang>
Status: CLOSED WONTFIX
QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: medium
Priority: medium
Version: 5.3
CC: iboverma, jiabwang, lwang, tmraz, tools-bugs
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-06-03 12:49:39 UTC

Description wang jiabo 2008-10-29 03:26:30 UTC
Description of problem:
When the Encryption Algorithm is CAMELLIA-CBC (128-bit) (RFC 4312) and the Authentication Algorithm is HMAC-SHA1, the test fails in host transport mode (please see the Additional Info section for the detailed log).
We run the test case between 2 hosts: one is the NUT (RHEL5.3), the other is the TN (FreeBSD 7.0).

Version-Release number of selected component (if applicable):
ipsec-tools-0.6.5.13.el5


How reproducible:
every time

Steps to Reproduce:
1.
2.
3.
  
Actual results:
TN received no echo reply from End-Node(NUT) to HOST-1(TN).

tcpdump info:
reading from file 20.html.Link0.dump, link-type EN10MB (Ethernet)
16:32:19.527930 IP6 3ffe:501:ffff:1::1 > 3ffe:501:ffff:0:21d:fff:fe0f:be4e: ESP(spi=0x00001000,seq=0x1), length 68


Expected results:
TN received echo reply from End-Node(NUT) to HOST-1(TN).

Additional info:

test log info:


16:31:56	Start

	*** Target initialization phase ***
Target: Clear all SAD and SPD entries
16:31:56 	vRemote(ipsecClearAll.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecClearAll.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 ''

Connected
prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) ''
rLogin: Wait for login prompt (0.2 sec)...
rLogin: Never got prompt; try again
rLogin: Wait for login prompt (50 sec)...

[root@ipv6test2 ~]# rLogin: Got command prompt
rLogin: Got command prompt
_rCommand: Try to get command prompt (0.2 sec.)
_rCommand: (\$|#) 
_rCommand: command prompt...
_rCommand: Try to get command prompt (30 sec.)
_rCommand: (\$|#) 

[root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'spdflush; flush;' | setkey -c'' command
/bin/echo 'spdflush; flush;' | setkey -c
rCommand: Try to get command prompt (0.2 sec)
[root@ipv6test2 ~]# rCommand: CmdOutput=``
[root@ipv6test2 ~]''
echo $?
0
[roorCommand: exit status: 0
~
[EOT]

16:31:57	Start Capturing Packets (Link0)

	Target: Set SAD entries: src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" spi=0x1000 mode=transport protocol=esp ealgo=camellia-cbc ealgokey=ipvcamelliacin01 eauth=hmac-sha1 eauthkey=ipv6readylogsha1in01
16:31:57 	vRemote(ipsecSetSAD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSAD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" spi=0x1000 mode=transport protocol=esp ealgo=camellia-cbc ealgokey=ipvcamelliacin01 eauth=hmac-sha1 eauthkey=ipv6readylogsha1in01 ''

Connected
prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) ''
rLogin: Wait for login prompt (0.2 sec)...
rLogin: Never got prompt; try again
rLogin: Wait for login prompt (50 sec)...

[root@ipv6test2 ~]# rLogin: Got command prompt
rLogin: Got command prompt
_rCommand: Try to get command prompt (0.2 sec.)
_rCommand: (\$|#) 
_rCommand: command prompt...
_rCommand: Try to get command prompt (30 sec.)
_rCommand: (\$|#) 

[root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -E camellia-cbc "ipvcamelliacin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c'' command
/bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:5 01:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -E camellia-cbc "ipvcamellia cin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c
line 0: syntax error at [camellia-cbc]
No SAD entries.
[root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -E camellia-cbc "ipvcamelliacin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c
rCommand: Try to get command prompt (0.2 sec)
rCommand: CmdOutput=``/bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:5 01:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -E camellia-cbc "ipvcamellia cin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c
line 0: syntax error at [camellia-cbc]
No SAD entries.
[root@ipv6test2 ~]''
echo $?
0
[roorCommand: exit status: 0
~
[EOT]


	Target: Set SPD entries: src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" upperspec=any direction=in protocol=esp-auth mode=transport
16:32:02 	vRemote(ipsecSetSPD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSPD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" upperspec=any direction=in protocol=esp-auth mode=transport ''

Connected
prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) ''
rLogin: Wait for login prompt (0.2 sec)...
rLogin: Never got prompt; try again
rLogin: Wait for login prompt (50 sec)...

[root@ipv6test2 ~]# rLogin: Got command prompt
rLogin: Got command prompt
_rCommand: Try to get command prompt (0.2 sec.)
_rCommand: (\$|#) 
_rCommand: command prompt...
_rCommand: Try to get command prompt (30 sec.)
_rCommand: (\$|#) 

[root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'spdadd 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e any -P in ipsec esp/transport/3ffe:501:ffff:0001:0000:0000:0000:0001-3ffe:501:ffff:0:21d:fff:fe0f:be4e/require; spddump;' | setkey -c'' command
/bin/echo 'spdadd 3ffe:501:ffff:0001:0000:0000:0000:0001 3ff e:501:ffff:0:21d:fff:fe0f:be4e any -P in ipsec esp/transport/3ffe:501:ffff:0001: 0000:0000:0000:0001-3ffe:501:ffff:0:21d:fff:fe0f:be4e/require; spddump;' | setke y -c
3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any
	in prio def ipsec
	esp/transport//require
	created: Oct 29 00:29:42 2008  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=312 seq=1 pid=3959
	refcnt=2
3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any
	fwd prio def ipsec
	esp/transport//require
	created: Oct 29 00:29:42 2008  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=322 seq=0 pid=3959
	refcnt=2
[root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'spdadd 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e any -P in ipsec esp/transport/3ffe:501:ffff:0001:0000:0000:0000:0001-3ffe:501:ffff:0:21d:fff:fe0f:be4e/require; spddump;' | setkey -c
rCommand: Try to get command prompt (0.2 sec)
rCommand: CmdOutput=``/bin/echo 'spdadd 3ffe:501:ffff:0001:0000:0000:0000:0001 3ff e:501:ffff:0:21d:fff:fe0f:be4e any -P in ipsec esp/transport/3ffe:501:ffff:0001: 0000:0000:0000:0001-3ffe:501:ffff:0:21d:fff:fe0f:be4e/require; spddump;' | setke y -c
3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any
	in prio def ipsec
	esp/transport//require
	created: Oct 29 00:29:42 2008  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=312 seq=1 pid=3959
	refcnt=2
3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any
	fwd prio def ipsec
	esp/transport//require
	created: Oct 29 00:29:42 2008  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=322 seq=0 pid=3959
	refcnt=2
[root@ipv6test2 ~]''
echo $?
0
[roorCommand: exit status: 0
~
[EOT]


	Target: Set SAD entries: src="3ffe:501:ffff:0:21d:fff:fe0f:be4e" dst="3ffe:501:ffff:0001:0000:0000:0000:0001" spi=0x2000 mode=transport protocol=esp ealgo=camellia-cbc ealgokey=ipvcamelliacout1 eauth=hmac-sha1 eauthkey=ipv6readylogsha1out1
16:32:07 	vRemote(ipsecSetSAD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSAD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0:21d:fff:fe0f:be4e" dst="3ffe:501:ffff:0001:0000:0000:0000:0001" spi=0x2000 mode=transport protocol=esp ealgo=camellia-cbc ealgokey=ipvcamelliacout1 eauth=hmac-sha1 eauthkey=ipv6readylogsha1out1 ''

Connected
prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) ''
rLogin: Wait for login prompt (0.2 sec)...
rLogin: Never got prompt; try again
rLogin: Wait for login prompt (50 sec)...

[root@ipv6test2 ~]# rLogin: Got command prompt
rLogin: Got command prompt
_rCommand: Try to get command prompt (0.2 sec.)
_rCommand: (\$|#) 
_rCommand: command prompt...
_rCommand: Try to get command prompt (30 sec.)
_rCommand: (\$|#) 

[root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'add 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ffff:0001:0000:0000:0000:0001 esp 0x2000 -m transport -E camellia-cbc "ipvcamelliacout1" -A hmac-sha1 "ipv6readylogsha1out1"; dump;' | setkey -c'' command
/bin/echo 'add 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ff ff:0001:0000:0000:0000:0001 esp 0x2000 -m transport -E camellia-cbc "ipvcamellia cout1" -A hmac-sha1 "ipv6readylogsha1out1"; dump;' | setkey -c
line 0: syntax error at [camellia-cbc]
No SAD entries.
[root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'add 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ffff:0001:0000:0000:0000:0001 esp 0x2000 -m transport -E camellia-cbc "ipvcamelliacout1" -A hmac-sha1 "ipv6readylogsha1out1"; dump;' | setkey -c
rCommand: Try to get command prompt (0.2 sec)
rCommand: CmdOutput=``/bin/echo 'add 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ff ff:0001:0000:0000:0000:0001 esp 0x2000 -m transport -E camellia-cbc "ipvcamellia cout1" -A hmac-sha1 "ipv6readylogsha1out1"; dump;' | setkey -c
line 0: syntax error at [camellia-cbc]
No SAD entries.
[root@ipv6test2 ~]''
echo $?
0
[roorCommand: exit status: 0
~
[EOT]


	Target: Set SPD entries: src="3ffe:501:ffff:0:21d:fff:fe0f:be4e" dst="3ffe:501:ffff:0001:0000:0000:0000:0001" upperspec=any direction=out protocol=esp-auth mode=transport
16:32:13 	vRemote(ipsecSetSPD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSPD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0:21d:fff:fe0f:be4e" dst="3ffe:501:ffff:0001:0000:0000:0000:0001" upperspec=any direction=out protocol=esp-auth mode=transport ''

Connected
prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) ''
rLogin: Wait for login prompt (0.2 sec)...
rLogin: Never got prompt; try again
rLogin: Wait for login prompt (50 sec)...

[root@ipv6test2 ~]# rLogin: Got command prompt
rLogin: Got command prompt
_rCommand: Try to get command prompt (0.2 sec.)
_rCommand: (\$|#) 
_rCommand: command prompt...
_rCommand: Try to get command prompt (30 sec.)
_rCommand: (\$|#) 

[root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'spdadd 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ffff:0001:0000:0000:0000:0001 any -P out ipsec esp/transport/3ffe:501:ffff:0:21d:fff:fe0f:be4e-3ffe:501:ffff:0001:0000:0000:0000:0001/require; spddump;' | setkey -c'' command
/bin/echo 'spdadd 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501 :ffff:0001:0000:0000:0000:0001 any -P out ipsec esp/transport/3ffe:501:ffff:0:21 d:fff:fe0f:be4e-3ffe:501:ffff:0001:0000:0000:0000:0001/require; spddump;' | setk ey -c
3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any
	in prio def ipsec
	esp/transport//require
	created: Oct 29 00:29:42 2008  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=312 seq=2 pid=3971
	refcnt=1
3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] 3ffe:501:ffff:1::1[any] any
	out prio def ipsec
	esp/transport//require
	created: Oct 29 00:29:53 2008  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=329 seq=1 pid=3971
	refcnt=2
3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any
	fwd prio def ipsec
	esp/transport//require
	created: Oct 29 00:29:42 2008  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=322 seq=0 pid=3971
	refcnt=1
[root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'spdadd 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501:ffff:0001:0000:0000:0000:0001 any -P out ipsec esp/transport/3ffe:501:ffff:0:21d:fff:fe0f:be4e-3ffe:501:ffff:0001:0000:0000:0000:0001/require; spddump;' | setkey -c
rCommand: Try to get command prompt (0.2 sec)
rCommand: CmdOutput=``/bin/echo 'spdadd 3ffe:501:ffff:0:21d:fff:fe0f:be4e 3ffe:501 :ffff:0001:0000:0000:0000:0001 any -P out ipsec esp/transport/3ffe:501:ffff:0:21 d:fff:fe0f:be4e-3ffe:501:ffff:0001:0000:0000:0000:0001/require; spddump;' | setk ey -c
3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any
	in prio def ipsec
	esp/transport//require
	created: Oct 29 00:29:42 2008  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=312 seq=2 pid=3971
	refcnt=1
3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] 3ffe:501:ffff:1::1[any] any
	out prio def ipsec
	esp/transport//require
	created: Oct 29 00:29:53 2008  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=329 seq=1 pid=3971
	refcnt=2
3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any
	fwd prio def ipsec
	esp/transport//require
	created: Oct 29 00:29:42 2008  lastused:                     
	lifetime: 0(s) validtime: 0(s)
	spid=322 seq=0 pid=3971
	refcnt=1
[root@ipv6test2 ~]''
echo $?
0
[roorCommand: exit status: 0
~
[EOT]


	Target: Enable and start IPsec function
16:32:19 	vRemote(ipsecEnable.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecEnable.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 ''


	*** Target testing phase ***
16:32:19	Clear Captured Packets (Link0)
16:32:19	vSend(Link0,echo_request_from_host1_esp)
Send Echo Request with ESP from HOST-1(TN)
16:32:19 	vRecv(Link0,echo_reply_to_host1_esp ns_to_router_linkaddr_w_linkaddr rs_from_nut rs_from_nut_wsll ns_to_router_wo_sllopt ns_to_router_linkaddr ns_to_router rs_from_nut_wunspec) timeout:3 cntLimit:0 seektime:0
vRecv() return status=1

	TN received no echo reply from End-Node(NUT) to HOST-1(TN).
NG
16:32:22	End
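
The log above shows `setkey -c` printing a syntax error for `camellia-cbc` while the recorded exit status is still 0, so the `require` policies end up with no SA behind them. The check below is an added example, not part of the original report or the test suite: it scans a setkey transcript for that condition. The name `audit_setkey`, the sample text and the SA-line pattern for `dump` output are assumptions.

```python
import re

SYNTAX_ERR = re.compile(r"^line \d+: syntax error at \[([^\]]+)\]")
SPD_HDR = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] \S+$")
SPD_DIR = re.compile(r"^\s+(in|out|fwd) prio \S+ ipsec$")
SA_LINE = re.compile(r"^\s+(esp|ah) mode=\S+ spi=")  # assumed `dump` entry layout

def audit_setkey(transcript):
    """Find rejected tokens and 'require' policies left without any SA."""
    rejected, required = [], []
    sad_empty = False
    pair = direction = None
    for line in transcript.splitlines():
        m = SYNTAX_ERR.match(line)
        if m:
            rejected.append(m.group(1))        # e.g. an unknown -E algorithm
        elif line.strip() == "No SAD entries.":
            sad_empty = True                   # the add did not install an SA
        elif SA_LINE.match(line):
            sad_empty = False                  # at least one SA is present
        elif SPD_HDR.match(line):
            pair, direction = SPD_HDR.match(line).groups(), None
        elif SPD_DIR.match(line):
            direction = SPD_DIR.match(line).group(1)
        elif pair and direction and line.strip().endswith("/require"):
            required.append(pair + (direction,))
            pair = direction = None
    # Coarse check: SAs are not matched to individual policies. A 'require'
    # policy with an empty SAD means matching traffic is dropped.
    orphans = sorted(set(required)) if sad_empty else []
    return {"rejected": rejected, "orphan_policies": orphans}

# Constructed sample modelled on the log above (not a verbatim capture).
SAMPLE = """\
line 0: syntax error at [camellia-cbc]
No SAD entries.
exit status: 0
3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any
\tin prio def ipsec
\tesp/transport//require
\tcreated: Oct 29 00:29:42 2008  lastused:
3ffe:501:ffff:1::1[any] 3ffe:501:ffff:0:21d:fff:fe0f:be4e[any] any
\tfwd prio def ipsec
\tesp/transport//require
"""

if __name__ == "__main__":
    print(audit_setkey(SAMPLE))
```

Because the check keys on setkey's output rather than its exit status, it still flags the failure when automation sees a status of 0, as in this log.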

Comment 1 Tomas Mraz 2008-10-29 07:32:24 UTC
camellia is not supported by the RHEL-5 kernel.

Comment 2 Lawrence Lim 2008-11-05 06:58:12 UTC
If this is not going to be in RHEL5, could we propose to RHEL6?

Comment 3 Tomas Mraz 2008-11-05 08:17:55 UTC
This will be in RHEL-6. It is already supported by current Fedora kernels and ipsec-tools.

Comment 4 Lawrence Lim 2008-11-05 08:24:14 UTC
OK. So this will be closed as WONTFIX or DEFERRED then. 

llim->jiabwang: we should look at Fedora very soon.

Comment 5 RHEL Program Management 2014-03-07 12:40:32 UTC
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

Comment 6 RHEL Program Management 2014-06-03 12:49:39 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).

Comment 7 Red Hat Bugzilla 2023-09-14 01:13:58 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days