| Summary: | Openswan parametr type=drop doesn't work | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | David Spurek <dspurek> |
| Component: | openswan | Assignee: | Avesh Agarwal <avagarwa> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1 | CC: | dspurek, ebenes, jrieden, omoris, sgrubb |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-09-29 09:51:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Sorry for mistake, ipsec.conf should be:
conn testA
auto=add
authby=secret
type=drop
left=127.0.0.1
right=127.0.0.1
ike=3des-sha1
loopback=yes
Whatever you are trying to achieve, you have to do following: ipsec auto --route testA And then observe if it does whatever you want to achieve. In addition, why are you testing with openswan-2.6.32-4.el6_1.1 instead of openswan-2.6.32-6.el6? Funcionality is ok with command ipsec auto --route testA with openswan-2.6.32-6.el6.
But I find another problem with combination different types of connections.
ipsec.conf look like this:
conn testA
auto=add
authby=secret
type=transport
left=127.0.0.1
right=127.0.0.1
ike=3des-sha1
phase2=esp
loopback=yes
conn testB
auto=add
authby=secret
type=passthrough
left=127.0.0.1
right=127.0.0.1
ike=3des-sha1
leftprotoport=tcp/10000
loopback=yes
It is important the order of calling ipsec auto --route testA and ipsec auto --route testB commands.
1. If ipsec auto --route testB called first and then ipsec auto --route testA, the behaviour is as I expecting (packets on port 10000 are without ipsec)
2. But if I call ipsec auto --route testA first and then ipsec auto --route testB (stricter rule). All packets are with ipsec (on port 10000 too).
I am not sure that it is a bug or expected behaviour, but records in ip xfrm policy are same in both cases and in manual pages isn't describe that the order of calling ipsec auto --route is important.
Avesh, we have double-checked this and it turns out that all types of connection (ie. option 'type' in conn settings) works fine. But, it appears to an issue with an order in which different types are 'routed'. Please see BZ#742126 [1]. As this bug seems not be valid anymore, I am closing is as NOTABUG. [1] https://bugzilla.redhat.com/show_bug.cgi?id=742126 |
Description of problem: Version-Release number of selected component (if applicable): openswan-2.6.32-4.el6_1.1 How reproducible: always Steps to Reproduce: 1.Setup /etc/ipsec.conf with: conn testA auto=add authby=secret type=reject left=127.0.0.1 right=127.0.0.1 ike=3des-sha1 loopback=yes 2.service ipsec restart 3.ipsec auto --up testA Actual results: Packets aren't dropped and command ipsec auto --up testA has output: 030 "testA": cannot initiate an authby=never connection Expected results: Packets are dropped Additional info: Same behaviour has type=passthrough and type=reject