
Bug 652733

Summary: 2 tunnels (IPv4 and IPv6) do not work together using certs/keys
Product: Red Hat Enterprise Linux 5
Reporter: deepak.dg.gupta
Component: openswan
Assignee: Avesh Agarwal <avagarwa>
Status: CLOSED ERRATA
QA Contact: Aleš Mareček <amarecek>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 5.5
CC: amarecek, cww, ebenes, mbelangia, rprice, sgrubb, vincew
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: openswan-2.6.21-10.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-21 05:58:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 680044

Attachments:
  /var/log/secure log (flags: none)

Description deepak.dg.gupta 2010-11-12 16:36:41 UTC
Description of problem:

Only one tunnel gets established, even though both are configured to say auto=start.  And, running ipsec auto --up "second_tunnel_id" causes the first tunnel to go down and the second tunnel gets established.  Problem is, we need both tunnels established and working at the same time.

The same 2 tunnels work simultaneously when using PSK.  Note that both 
tunnels are using the same host certs/keys, in other words each end 
has a single host cert/key along with the cacert imported into the nss 
db.

Version-Release number of selected component (if applicable):

openswan 2.6.21
2.6.18-194.11.3.el5 #1 SMP Mon Aug 23 15:51:38 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:

Easily reproducible, every time.

Steps to Reproduce:

Configuration Host A:

cb4-0-0-0:/etc-# cat ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0  # conforms to second version of ipsec.conf specification

# basic configuration
config setup
   # Debug-logging controls:  "none" for (almost) none, "all" for lots.
   # klipsdebug=none
   # plutodebug="control parsing"
   # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
   protostack=netkey
   nat_traversal=yes
   #virtual_private=
   #oe=off
   # Enable this if you see "failed to find any available worker"
   #nhelpers=0
   plutodebug=all

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/ipsec-default.conf
include /etc/ipsec.d/ipsec-ag-v6.conf
include /etc/ipsec.d/ipsec-ag-172.12.128.105.conf

cb4-0-0-0:/etc/ipsec.d-# cat ipsec-ag-172.12.128.105.conf
# /etc/ipsec-ag01.conf - IPsec conn file for AG01
#

conn ag-172.12.128.105

        ### left host (public-network address)
        left=172.12.128.104
   leftid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC"

        ### right host
        right=172.12.128.105
   rightid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG"
        #rightnexthop=10.254.1.1
   rightcert=ag


cb4-0-0-0:/etc/ipsec.d-# cat ipsec-ag-172.12.128.105.secrets
172.12.128.104 172.12.128.105 : RSA ag ""

cb4-0-0-0:/etc/ipsec.d-# cat ipsec-ag-v6.conf
# /etc/ipsec-ag01.conf - IPsec conn file for AG01
#

conn ag-v6

        ### left host (public-network address)
        left=2001:db7::7
   leftid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC"

        ### right host
        right=2001:db7::5
   rightid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG"
        #rightnexthop=10.254.1.1
   rightcert=ag

cb4-0-0-0:/etc/ipsec.d-# cat ipsec-ag-v6.secrets
2001:db7::7 2001:db7::5 : RSA ag ""

cb4-0-0-0:/etc/ipsec.d-# cat *default*
#
# Template file for default connection for Emergency Alert Gateways
#


conn %default
        type=tunnel

        ### left host (public-network address)
   leftrsasigkey=%cert
   leftsendcert=always

        ### right host (public-network address)
   rightrsasigkey=%cert
   rightsendcert=always

   ### algs
   keyexchange=ike
   auth=esp
   authby=rsasig
        ike=aes128-sha1-modp2048
        esp=aes128-sha2_256
        pfs=yes

   ### automatic rekeying params
        ikelifetime=1440m
        keylife=480m
        rekeymargin=20m
        rekey=yes
        keyingtries=%forever
   #dpddelay=500000
   #dpdtimeout=600000
        auto=start

cb4-0-0-0:/etc/ipsec.d-# cat nss.certs
@172.12.128.105: RSA "ag" ""
@2001:db7::5: RSA "ag" ""


cb4-0-0-0:/etc/ipsec.d-# ifconfig bond1
bond1     Link encap:Ethernet  HWaddr 00:26:55:DD:17:39
          inet6 addr: 2001:db7::5/64 Scope:Global
          inet6 addr: fe80::226:55ff:fedd:1739/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:222817 errors:0 dropped:0 overruns:0 frame:0
          TX packets:187365 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:37170781 (35.4 MiB)  TX bytes:24658476 (23.5 MiB)

cb4-0-0-0:/etc/ipsec.d-# ifconfig bond1:alrt
bond1:alrt Link encap:Ethernet  HWaddr 00:26:55:DD:17:39
          inet addr:172.12.128.105  Bcast:172.12.128.111  Mask:255.255.255.240
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1

CONFIGURATION ON HOST B:


cb3-0-0-0:/etc-# cat ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        #virtual_private=
        #oe=off
        # Enable this if you see "failed to find any available worker"
        #nhelpers=0
        plutodebug=all

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/ipsec-default.conf
include /etc/ipsec.d/ipsec-ag-2001:db7::7.conf
include /etc/ipsec.d/ipsec-ag-172.12.128.104.conf

cb3-0-0-0:/etc/ipsec.d-# cat ipsec-ag-172.12.128.104.conf
#
# IPsec configuration file for Emergency Alert Gateways connection
#

conn ag-172.12.128.104

        ### left host (public-network address)
        left=172.12.128.104
        leftid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC"
        #leftnexthop=172.12.128.109
        leftcert=bmc

        ### right host (public-network address)
        right=172.12.128.105
        rightid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG"
cb3-0-0-0:/etc/ipsec.d-# cat ipsec-ag-172.12.128.104.secrets
172.12.128.104 172.12.128.105 : RSA bmc ""

cb3-0-0-0:/etc/ipsec.d-# cat ipsec-ag-2001:db7::7.conf
#
# IPsec configuration file for Emergency Alert Gateways connection
#

conn ag-2001:db7::7

        ### left host (public-network address)
        left=2001:db7::7
        leftid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC"
        #leftnexthop=172.12.128.109
        leftcert=bmc

        ### right host (public-network address)
        right=2001:db7::5
        rightid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG"

cb3-0-0-0:/etc/ipsec.d-# cat ipsec-ag-2001:db7::7.secrets
2001:db7::7 2001:db7::5 : RSA bmc ""

cb3-0-0-0:/etc/ipsec.d-# cat *default*
#
# Template file for default connection for Emergency Alert Gateways
#


conn %default
        type=tunnel

        ### left host (public-network address)
        leftrsasigkey=%cert
        leftsendcert=always

        ### right host (public-network address)
        rightrsasigkey=%cert
        rightsendcert=always

        ### algs
        keyexchange=ike
        auth=esp
        authby=rsasig
        ike=aes128-sha1-modp2048
        esp=aes128-sha2_256
        pfs=yes

        ### automatic rekeying params
        ikelifetime=1440m
        keylife=480m
        rekeymargin=20m
        rekey=yes
        keyingtries=%forever
        #dpddelay=500000
        #dpdtimeout=600000
        auto=start

Actual results:

Contents of /var/log/secure from Host B attached.

Expected results:


Additional info:
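The two conns above get most of their settings (authby=rsasig, auto=start, the %cert key sources) from `conn %default`, which is what makes both tunnels try to come up with the same host cert. The following is an added example, not code from the bug report or from Openswan: a small parser that follows `include` lines and applies `%default` inheritance so the effective per-conn settings can be inspected, and groups conns that share the same IDs and certificate. The in-memory file tree is constructed from Host A's files; it keeps only the keys relevant here, and the helper names (`parse_tree`, `effective_conns`, `shared_cert_conns`) are this example's own.

```python
"""Added example (not from the bug report or Openswan): resolve an ipsec.conf
tree (include + conn %default) and report effective per-conn settings."""
import fnmatch

# Constructed in-memory file tree modelled on Host A's configuration.
FILES = {
    "/etc/ipsec.conf": """\
version 2.0
config setup
    protostack=netkey
    nat_traversal=yes
    plutodebug=all
include /etc/ipsec.d/ipsec-default.conf
include /etc/ipsec.d/ipsec-ag-v6.conf
include /etc/ipsec.d/ipsec-ag-172.12.128.105.conf
""",
    "/etc/ipsec.d/ipsec-default.conf": """\
conn %default
        type=tunnel
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        authby=rsasig
        ike=aes128-sha1-modp2048
        esp=aes128-sha2_256
        pfs=yes
        auto=start
""",
    "/etc/ipsec.d/ipsec-ag-v6.conf": """\
conn ag-v6
        left=2001:db7::7
        leftid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC"
        right=2001:db7::5
        rightid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG"
        rightcert=ag
""",
    "/etc/ipsec.d/ipsec-ag-172.12.128.105.conf": """\
conn ag-172.12.128.105
        left=172.12.128.104
        leftid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC"
        right=172.12.128.105
        rightid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG"
        rightcert=ag
""",
}


def parse_tree(files, root="/etc/ipsec.conf"):
    """Return (conns, setup): raw key/value dicts per conn (unmerged) and for
    'config setup'. Indented lines belong to the last section header; an
    'include' may be a glob, as in real ipsec.conf, and is expanded against
    the file map depth-first."""
    conns, setup = {}, {}
    current = None  # section dict currently being filled

    def visit(path):
        nonlocal current
        for raw in files[path].splitlines():
            line = raw.split("#", 1)[0].rstrip()  # drop comments
            if not line.strip():
                continue
            if not raw[0].isspace():  # top-level directive
                words = line.split()
                if words[0] == "include":
                    for name in sorted(files):
                        if fnmatch.fnmatch(name, words[1]):
                            visit(name)
                    current = None
                elif words[:2] == ["config", "setup"]:
                    current = setup
                elif words[0] == "conn":
                    current = conns.setdefault(words[1], {})
                else:
                    current = None  # e.g. the 'version' line
                continue
            if current is None or "=" not in line:
                continue
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')

    visit(root)
    return conns, setup


def effective_conns(files, root="/etc/ipsec.conf"):
    """Apply conn %default to every other conn; explicit keys win."""
    conns, _ = parse_tree(files, root)
    defaults = conns.get("%default", {})
    merged = {}
    for name, settings in conns.items():
        if name != "%default":
            merged[name] = {**defaults, **settings}
    return merged


def shared_cert_conns(merged):
    """Group conns that share leftid/rightid/leftcert/rightcert, i.e. tunnels
    that differ only in address, as the two in this report do."""
    groups = {}
    for name, s in merged.items():
        key = tuple(s.get(k, "") for k in ("leftid", "rightid", "leftcert", "rightcert"))
        groups.setdefault(key, []).append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    eff = effective_conns(FILES)
    for name, s in sorted(eff.items()):
        print(name, {k: s[k] for k in ("left", "right", "authby", "auto", "rightcert")})
    for ids, names in shared_cert_conns(eff).items():
        print("same IDs/cert:", ", ".join(names))
```

Run against real files by replacing `FILES` with a dict read from disk; the merge order (defaults first, then the conn's own keys) matches how Openswan applies `%default`.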

Comment 1 deepak.dg.gupta 2010-12-01 18:26:49 UTC
Created attachment 464074 [details]
/var/log/secure log

Comment 2 deepak.dg.gupta 2011-01-07 15:33:02 UTC
I have been able to reproduce this exact issue with just IPv4 tunnels.  The only difference is that one end is running openswan 2.6.21 and using nss cert management and the other end is running openswan 2.6.14 and is running the old style cert management.

However the issue is exactly the same, in which only one tunnel can be added and up'd.  If you define 2 tunnels in the configuration files, then ipsec auto shows 2 tunnels added but only one is shown as such:

000 "ag-10.155.199.101": 10.155.155.78<10.155.155.78>[C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC,+S=C]---10.155.155.5...10.155.199.101<10.155.199.101>[C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG,+S=C]; unrouted; eroute owner: #0
000 "ag-10.155.199.101":     myip=unset; hisip=unset; mycert=bmc;
000 "ag-10.155.199.101":   CAs: 'C=US, ST=OH, O=ALU, OU=MSG, CN=CA, E=CA'...'%any'
000 "ag-10.155.199.101":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 0
000 "ag-10.155.199.101":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 32,32; interface: bond1:alrt;
000 "ag-10.155.199.101":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ag-10.155.199.101":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP2048(14); flags=-strict
000 "ag-10.155.199.101":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-14,
000 "ag-10.155.199.101":   ESP algorithms wanted: AES(12)_128-SHA2_256(5); flags=-strict
000 "ag-10.155.199.101":   ESP algorithms loaded: AES(12)_128-SHA2_256(5)_256
000 "ag-10.155.199.102": 10.155.155.78<10.155.155.78>[C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC,+S=C]---10.155.155.5...10.155.199.102<10.155.199.102>[C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG,+S=C]; erouted; eroute owner: #8
000 "ag-10.155.199.102":     myip=unset; hisip=unset; mycert=bmc;
000 "ag-10.155.199.102":   CAs: 'C=US, ST=OH, O=ALU, OU=MSG, CN=CA, E=CA'...'%any'
000 "ag-10.155.199.102":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 0
000 "ag-10.155.199.102":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 32,32; interface: bond1:alrt;
000 "ag-10.155.199.102":   newest ISAKMP SA: #7; newest IPsec SA: #8;
000 "ag-10.155.199.102":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP2048(14); flags=-strict
000 "ag-10.155.199.102":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-14,
000 "ag-10.155.199.102":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "ag-10.155.199.102":   ESP algorithms wanted: AES(12)_128-SHA2_256(5); flags=-strict
000 "ag-10.155.199.102":   ESP algorithms loaded: AES(12)_128-SHA2_256(5)_256
000 "ag-10.155.199.102":   ESP algorithm newest: AES_128-HMAC_SHA2_256; pfsgroup=<Phase1>
000
000 #8: "ag-10.155.199.102":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27719s; newest IPSEC; eroute owner; isakmp#7; idle; import:admin initiate
000 #8: "ag-10.155.199.102" esp.b14902a1.199.102 esp.a3a67820.155.78 tun.0.199.102 tun.0.155.78 ref=0 refhim=4294901761
000 #7: "ag-10.155.199.102":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85328s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
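The status dump above is the evidence of the failure: both conns carry `UP` in their policy (auto=start), but only one is `erouted` with a non-zero "newest IPsec SA" and a STATE_QUICK_I2 entry. The following is an added example, not part of the comment or of Openswan: a parser for `ipsec auto --status` output that derives a per-conn verdict, so a monitoring job can flag a tunnel that is meant to be up but has no established IPsec SA. The sample lines are constructed from the output quoted in the comment, with the long DNs abridged; `parse_status` and `tunnel_check` are this example's own names.

```python
"""Added example (not from the bug report or Openswan): summarise
`ipsec auto --status` output and flag auto=start conns without an IPsec SA."""
import re
import sys

# Constructed sample, abridged from the status output quoted in the comment.
STATUS = """\
000 "ag-10.155.199.101": 10.155.155.78<10.155.155.78>[C=US, CN=BMC]---10.155.155.5...10.155.199.101<10.155.199.101>[C=US, CN=AG]; unrouted; eroute owner: #0
000 "ag-10.155.199.101":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 32,32; interface: bond1:alrt;
000 "ag-10.155.199.101":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ag-10.155.199.102": 10.155.155.78<10.155.155.78>[C=US, CN=BMC]---10.155.155.5...10.155.199.102<10.155.199.102>[C=US, CN=AG]; erouted; eroute owner: #8
000 "ag-10.155.199.102":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 32,32; interface: bond1:alrt;
000 "ag-10.155.199.102":   newest ISAKMP SA: #7; newest IPsec SA: #8;
000
000 #8: "ag-10.155.199.102":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27719s; newest IPSEC; eroute owner; isakmp#7; idle; import:admin initiate
000 #7: "ag-10.155.199.102":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85328s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
"""

# Per-conn attribute lines:   000 "name":   policy: ...
CONN_LINE = re.compile(r'^000 "(?P<name>[^"]+)":\s*(?P<rest>.*)$')
# State lines:   000 #8: "name":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); ...
STATE_LINE = re.compile(r'^000 #(?P<num>\d+): "(?P<name>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<desc>[^)]*)\)')
SA_LINE = re.compile(r"newest ISAKMP SA: #(?P<isakmp>\d+); newest IPsec SA: #(?P<ipsec>\d+)")


def parse_status(text):
    """Return {conn_name: {"routed", "policy", "isakmp_sa", "ipsec_sa", "states"}}."""
    conns = {}
    for line in text.splitlines():
        m = STATE_LINE.match(line)
        if m:
            c = conns.setdefault(m["name"], {"states": {}})
            c["states"][int(m["num"])] = (m["state"], m["desc"])
            continue
        m = CONN_LINE.match(line)
        if not m:
            continue
        c = conns.setdefault(m["name"], {"states": {}})
        rest = m["rest"]
        if rest.startswith("policy:"):
            c["policy"] = rest[len("policy:"):].split(";", 1)[0].strip().split("+")
        elif "newest ISAKMP SA" in rest:
            sa = SA_LINE.search(rest)
            c["isakmp_sa"], c["ipsec_sa"] = int(sa["isakmp"]), int(sa["ipsec"])
        elif "; erouted;" in rest or "; unrouted;" in rest:
            c["routed"] = "; erouted;" in rest
    return conns


def tunnel_check(conns):
    """Verdict per conn: 'up' if the newest IPsec SA is in an established
    state, 'down' if the policy has UP (auto=start) but no such SA exists,
    otherwise 'not auto-started'."""
    verdicts = {}
    for name, c in conns.items():
        ipsec = c.get("ipsec_sa", 0)
        desc = c["states"].get(ipsec, ("", ""))[1]
        if ipsec and "IPsec SA established" in desc:
            verdicts[name] = "up"
        elif "UP" in c.get("policy", []):
            verdicts[name] = "down"
        else:
            verdicts[name] = "not auto-started"
    return verdicts


if __name__ == "__main__":
    # Pipe real output in:  ipsec auto --status | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else STATUS
    for name, verdict in sorted(tunnel_check(parse_status(text)).items()):
        print(f"{name}: {verdict}")
```

A verdict of `down` for a conn with `UP` in its policy is exactly the symptom this bug describes; in a cron job or Nagios-style check, a non-zero exit on any `down` conn turns the silent one-tunnel state into an alert.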

Comment 12 Avesh Agarwal 2011-02-02 23:23:33 UTC
They need to use the following git commit.

http://git.openswan.org/cgi-bin/gitweb.cgi?p=openswan.git/.git;a=commit;h=faf0b309e2b3b8a937a7a9f4485dc828c374ccac

If you want I can create a patch too for this, so that you can test. This fix first appeared in 2.6.23, but they are using 2.6.21.

This should solve the issue of "differs from size specified in ISAKMP HDR". Let me know if it helps.

Comment 14 Vince Worthington 2011-02-03 23:29:27 UTC
I've put a set of scratch-build packages together with this patch.  The build is tagged/branched (private-sf387574-branch) in case we need it again later.  These are built against 5.6-Z-test.

I've not tested them myself yet, but if anybody else is interested in testing, here are the links (i386 and x86_64 flavors):

https://brewweb.devel.redhat.com/taskinfo?taskID=3087271

The patch deals with making sure the buffer is initialized (zeroed) before using it and should address the unexpected header size warnings spewing in the logs.  Thanks for finding and pointing out the upstream patch Avesh.

I'm curious whether it might help with the delay in bringing the tunnels up as well.

--vince

Comment 28 David Mair 2011-10-22 18:39:32 UTC
*** Bug 659835 has been marked as a duplicate of this bug. ***

Comment 31 errata-xmlrpc 2012-02-21 05:58:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0211.html