Bug 711975

Summary: incomplete policy for loopback when using *protoport=X/Y
Product: Red Hat Enterprise Linux 6
Reporter: Ondrej Moriš <omoris>
Component: openswan
Assignee: Avesh Agarwal <avagarwa>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: urgent
Version: 6.1
CC: amarecek, ebenes, eparis, herbert.xu, iboverma, jwest, sgrubb
Target Milestone: rc
Keywords: Reopened, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openswan-2.6.32-6.el6
Doc Type: Bug Fix
Doc Text:
IPsec connections over a loopback interface did not work properly when a specific port was configured. This was because incomplete IPsec policies were being set up, leading to connection failures. This update fixes this issue, and complete policies are now correctly established.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-06 19:05:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 584498, 718078, 846801, 846802

Description Ondrej Moriš 2011-06-09 07:30:00 UTC
Description of problem:

Using full {left,right}protoport options (e.g. tcp/6000) for a connection with loopback=yes, to force the following IPsec connection: 127.0.0.1 (tcp: any port) <---> 127.0.0.1 (tcp: port 6000), does not work. The reason (probably) is that the SPD set up by openswan is incomplete:

src 127.0.0.1/32 dst 127.0.0.1/32 dport 6000
      dir out priority 2080 ptype main
      tmpl src 0.0.0.0 dst 0.0.0.0
          proto esp reqid 16389 mode transport
src 127.0.0.1/32 dst 127.0.0.1/32 sport 6000
      dir in priority 2080 ptype main
      tmpl src 0.0.0.0 dst 0.0.0.0
          proto esp reqid 16389 mode transport

Herbert Xu pointed out that the above policy is only one half and another one is missing.

Version-Release number of selected component (if applicable):

openswan-2.6.32-5.el6

How reproducible:

Always.

Reproducer:

# cat /etc/ipsec.conf
version    2.0

config setup
    protostack=netkey
    nat_traversal=yes
    plutostderrlog=/var/log/pluto.log

conn testA
        auto=add
        authby=secret
        type=transport
        left=127.0.0.1
        right=127.0.0.1
        ike=3des-sha1
        phase2=esp
        phase2alg=aes-sha1
        loopback=yes
        leftprotoport=tcp/6000

conn testB
        auto=add
        authby=secret
        type=transport
        left=127.0.0.1
        right=127.0.0.1
        ike=3des-sha1
        phase2=esp
        phase2alg=aes-sha1
        loopback=yes
        rightprotoport=tcp/6000

# echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
# echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy

# ip xfrm state flush

# service ipsec restart

ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: ERROR: Module xfrm4_mode_transport is in use
ipsec_setup: ERROR: Module esp4 is in use
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.15.el6.i686...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

# ipsec auto --up testA

104 "testA" #1: STATE_MAIN_I1: initiate
003 "testA" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]
003 "testA" #1: received Vendor ID payload [Dead Peer Detection]
003 "testA" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "testA" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "testA" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "testA" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "testA" #1: received Vendor ID payload [CAN-IKEv2]
004 "testA" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "testA" #3: STATE_QUICK_I1: initiate
004 "testA" #3: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xf22bff4e <0xae762c81 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

# nc -lk 127.0.0.1 6000 > tcp.6000 &
# tcpdump -i lo -nn > tcpdump.lo &

# nc -w 30 -v 127.0.0.1 6000
nc: connect to 127.0.0.1 port 6000 (tcp) failed: Connection timed out

# cat tcp.6000
(empty)

# cat tcpdump.lo
02:13:27.613876 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I inf[E]
02:13:27.614051 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I inf[E]
02:13:27.628276 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I inf[E]
02:13:27.628454 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I inf[E]
02:13:34.318432 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident
02:13:34.318933 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident
02:13:34.323283 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident
02:13:34.327501 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident
02:13:34.331567 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident[E]
02:13:34.332918 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident[E]
02:13:34.336094 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I oakley-quick[E]
02:13:34.344964 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I oakley-quick[E]
02:13:34.386974 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I oakley-quick[E]
02:13:34.391466 IP 127.0.0.1.42551 > 127.0.0.1.6000: Flags [S], seq 2601463509, win 32792, options [mss 16396,sackOK,TS val 674523256 ecr 0,nop,wscale 6], length 0
02:13:37.390641 IP 127.0.0.1.42551 > 127.0.0.1.6000: Flags [S], seq 2601463509, win 32792, options [mss 16396,sackOK,TS val 674526256 ecr 0,nop,wscale 6], length 0
02:13:43.390628 IP 127.0.0.1.42551 > 127.0.0.1.6000: Flags [S], seq 2601463509, win 32792, options [mss 16396,sackOK,TS val 674532256 ecr 0,nop,wscale 6], length 0
02:13:57.393285 IP 127.0.0.1.42552 > 127.0.0.1.6000: Flags [S], seq 2962292024, win 32792, options [mss 16396,sackOK,TS val 674546258 ecr 0,nop,wscale 6], length 0
02:14:00.392649 IP 127.0.0.1.42552 > 127.0.0.1.6000: Flags [S], seq 2962292024, win 32792, options [mss 16396,sackOK,TS val 674549258 ecr 0,nop,wscale 6], length 0
02:14:06.392649 IP 127.0.0.1.42552 > 127.0.0.1.6000: Flags [S], seq 2962292024, win 32792, options [mss 16396,sackOK,TS val 674555258 ecr 0,nop,wscale 6], length 0

Firewall is disabled.
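The policy dump quoted in the description can be checked mechanically for the missing half. The following is an added example, not openswan code and not part of the bug report: it parses `ip xfrm policy` output in the format shown above and compares it against the set of policies a loopback protoport connection needs. The expected set is derived here from one observation: on a loopback connection both peers are the same host, so each selector must be present for `dir out` (the host sends) and `dir in` (the same host receives), for the request flow (dst port 6000) as well as the reply flow (src port 6000). The sample dump is the one from the description, embedded as constructed input; the `proto` field is tolerated if present and otherwise ignored.

```python
"""Report which loopback IPsec policies are missing from an `ip xfrm policy` dump.

Added example (not openswan code). Assumes the four-policy model described in
the lead-in: {dport P, sport P} x {out, in} on the same host/32 prefix.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: the two policies quoted in the bug description.
SAMPLE_DUMP = """\
src 127.0.0.1/32 dst 127.0.0.1/32 dport 6000
      dir out priority 2080 ptype main
      tmpl src 0.0.0.0 dst 0.0.0.0
          proto esp reqid 16389 mode transport
src 127.0.0.1/32 dst 127.0.0.1/32 sport 6000
      dir in priority 2080 ptype main
      tmpl src 0.0.0.0 dst 0.0.0.0
          proto esp reqid 16389 mode transport
"""

# (src prefix, dst prefix, port selector such as "dport 6000" or "", direction)
Policy = Tuple[str, str, str, str]

_SELECTOR = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?"
    r"(?: (?P<kind>sport|dport) (?P<port>\d+))?"
)


def parse_xfrm_policy(dump: str) -> Set[Policy]:
    """Reduce every policy record in the dump to a (src, dst, port, dir) tuple.

    A record begins with a line starting 'src ...'; its direction is on the
    following 'dir ...' line. Template lines are not needed for this check.
    """
    policies: Set[Policy] = set()
    pending: Optional[Tuple[str, str, str]] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            m = _SELECTOR.match(line)
            if not m:
                raise ValueError(f"unparseable selector line: {line!r}")
            port = f"{m['kind']} {m['port']}" if m["kind"] else ""
            pending = (m["src"], m["dst"], port)
        elif line.startswith("dir ") and pending is not None:
            policies.add(pending + (line.split()[1],))
            pending = None
    return policies


def expected_loopback_policies(host: str, port: int) -> Set[Policy]:
    """All policies a loopback protoport connection needs (derived model, see docstring)."""
    prefix = f"{host}/32"
    expected: Set[Policy] = set()
    for selector in (f"dport {port}", f"sport {port}"):  # request flow, reply flow
        for direction in ("out", "in"):                  # host sends, same host receives
            expected.add((prefix, prefix, selector, direction))
    return expected


def missing_policies(dump: str, host: str = "127.0.0.1", port: int = 6000) -> List[Policy]:
    """Expected policies that the dump does not contain, in a stable order."""
    return sorted(expected_loopback_policies(host, port) - parse_xfrm_policy(dump))


def describe(policy: Policy) -> str:
    """Render a policy tuple in the same notation `ip xfrm policy` prints."""
    src, dst, port, direction = policy
    return f"src {src} dst {dst} {port} dir {direction}".replace("  ", " ")


if __name__ == "__main__":
    for p in missing_policies(SAMPLE_DUMP):
        print("missing:", describe(p))
```

Run against the description's dump it reports two missing policies: `dport 6000 dir in` and `sport 6000 dir out`, which is the other half referred to in the report. On a live system the input would be the output of `ip xfrm policy` for the host and port under test.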

Comment 7 Martin Prpič 2011-07-13 19:43:13 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
IPsec connections over a loopback interface did not work properly when a specific port was configured. This was because incomplete IPsec policies were being set up, leading to connection failures. This update fixes this issue, and complete policies are now correctly established.

Comment 9 Avesh Agarwal 2011-08-29 13:47:51 UTC
Hello Eduard,

These bugs are already addressed in the 6.1.z stream.

I think there was some confusion, and I am going to put them back to Modified.


Avesh

Comment 13 errata-xmlrpc 2011-12-06 19:05:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1761.html