Bug 734103

Any progress here? Although this bug has a flag 6.3.0? only, it might be important.

This might be a blocker for CCC (added BZ#584498 tracker). Well, there is a workaround working for CCC (mentioned in Additional info section), but it would be great to have it resolved so that we can get rid of the workaround. 

Avesh, it is up to you - if there is an "easy" fix, it makes sense to ask for exception and 6.2.0 inclusion, otherwise not (but we would like to hear why).

This is not a bug neither a work around instead an intendend design. You must specify leftprotoport=tcp (not leftprotoport=tcp/0.) since protocol must be same betwen left and right peer.

Please close this as not a bug.

(In reply to comment #0)

> one tries to configure ipsec with e.g. leftprotoport=udp/11111 and
> rightprotoport=tcp/11111, openswan ought fail to start. But at the same time,

In what situation in this world, one has 2 peers where one is UPD and another is TCP and they are able to communicate.?

So again please close this as not a bug.

Then you should at least correct documentation, because for instance if I would
like to have the following IPsec connections:

a) A <--- tcp/4300 [AH]  ---> B
b) A <--- udp/4300 [ESP] ---> B

And configure them as follows (on A):

conn test-ipv4-1
        auto=route
        authby=secret
 type=transport
        left=10.34.35.194
        right=10.34.35.198
        ike=3des-sha1
        phase2=ah
        phase2alg=sha1
        labeled_ipsec=yes
        policy_label=staff_u:lspp_test_r:lspp_harness_t:s0
        rightprotoport=tcp/4300

conn test-ipv4-2
        auto=route
        authby=secret
        type=transport
        left=10.34.35.194
 right=10.34.35.198
        ike=3des-sha1
        phase2=esp
        phase2alg=3des-sha1
        labeled_ipsec=yes
        policy_label=staff_u:lspp_test_r:lspp_harness_t:s0
        rightprotoport=udp/4300

Then the first one will be overwritten by second:

src 10.34.35.194/32 dst 10.34.35.198/32 dport 4300 
 security context staff_u:lspp_test_r:lspp_harness_t:s0 
 dir out priority 2080 ptype main 
 tmpl src 0.0.0.0 dst 0.0.0.0
  proto esp reqid 0 mode transport

And hence AH on tcp/4300 won't work (!), because SPD does not contain any
protocol information, it will apply for borh TCP and UDP.

If I will add leftprotoport=tcp and leftprotoport=udp to configuration, it will
work finally:

src 10.34.35.194/32 dst 10.34.35.198/32 proto udp dport 4300 
 security context staff_u:lspp_test_r:lspp_harness_t:s0 
 dir out priority 2080 ptype main 
 tmpl src 0.0.0.0 dst 0.0.0.0
  proto esp reqid 0 mode transport
src 10.34.35.194/32 dst 10.34.35.198/32 proto tcp dport 4300 
 security context staff_u:lspp_test_r:lspp_harness_t:s0 
 dir out priority 2080 ptype main 
 tmpl src 0.0.0.0 dst 0.0.0.0
  proto esp reqid 0 mode transport

The point of this bug is that if I do not set leftprotoport together with
rightprotoport, then resulting SPD does not contain protocol. Honestly I do not
care if this is a design decision or not, it is quite confusing. And hence it
should be said man page of ipsec.conf at least. There should be said that "if
you are using rightprotoport, you should use leftprotoport as well, otherwise
protocol will not appear in SPD rule (even though port will [confusion]). 

However, from the QA point of view, the best solution would be if SPD rule
contains procotol even if I am specifying just right/leftprotoport.

(In reply to comment #5)
> Then you should at least correct documentation, 
Which documentation you are talking about? 

> However, from the QA point of view, the best solution would be if SPD rule
> contains procotol even if I am specifying just right/leftprotoport.
Its not about what QA wants, its about how networking works and how Openswan is designed based on that.

(In reply to comment #6)
> (In reply to comment #5)
> > Then you should at least correct documentation, 
> Which documentation you are talking about? 

Man page ipsec.conf(5).

> > However, from the QA point of view, the best solution would be if SPD rule
> > contains procotol even if I am specifying just right/leftprotoport.
> Its not about what QA wants, its about how networking works and how Openswan is
> designed based on that.

Avesh, I agree with your point, I used too offensive words and tone in the previous comment, sorry about that. It is definitely not about what QA wants. Just let me ask you:

If I want to specify protocol and port on the right side via rightprotoport option, should I specify leftprotoport as well? Because now, I should do that, otherwise IPsec does not create correct SPD rules. In other words:

To achieve this:

a) A <--- tcp/4300 [AH]  ---> B
b) A <--- udp/4300 [ESP] ---> B

Is the following configuration correct or not?

# a) A <--- tcp/4300 [AH]  ---> B
conn test1 
        auto=route
        authby=secret
        type=transport
        left=A
        right=B
        ike=3des-sha1
        phase2=ah
        phase2alg=sha1
        rightprotoport=tcp/4300

# b) A <--- udp/4300 [ESP] ---> B
conn test2
        auto=route
        authby=secret
        type=transport
        left=A
        right=B
        ike=3des-sha1
        phase2=esp
        phase2alg=3des-sha1
        rightprotoport=udp/4300

(In reply to comment #7)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > Then you should at least correct documentation, 
> > Which documentation you are talking about? 
> 
> Man page ipsec.conf(5).
> 

I looked at ipsec.conf man page but I did not see it saying that you should not specify leftprotoport. Which part specifically you are referring to?

> > > However, from the QA point of view, the best solution would be if SPD rule
> > > contains procotol even if I am specifying just right/leftprotoport.
> > Its not about what QA wants, its about how networking works and how Openswan is
> > designed based on that.
> 
> Avesh, I agree with your point, I used too offensive words and tone in the
> previous comment, sorry about that. It is definitely not about what QA wants.
> Just let me ask you:
> 
> If I want to specify protocol and port on the right side via rightprotoport
> option, should I specify leftprotoport as well? 

You must use leftprotoport, and the reason you have 2 connections and openswan needs to differentiate which connection is for which protocol/port. 

Because now, I should do that,
> otherwise IPsec does not create correct SPD rules. In other words:
> 
> To achieve this:
> 
> a) A <--- tcp/4300 [AH]  ---> B
> b) A <--- udp/4300 [ESP] ---> B
> 
> Is the following configuration correct or not?
> 

As I said above you must specify leftprotoport, otherwise openswan can not distinguish locally which local protoport belongs to which connections.
 
> # a) A <--- tcp/4300 [AH]  ---> B
> conn test1 
>         auto=route
>         authby=secret
>         type=transport
>         left=A
>         right=B
>         ike=3des-sha1
>         phase2=ah
>         phase2alg=sha1
>         rightprotoport=tcp/4300
> 
> # b) A <--- udp/4300 [ESP] ---> B
> conn test2
>         auto=route
>         authby=secret
>         type=transport
>         left=A
>         right=B
>         ike=3des-sha1
>         phase2=esp
>         phase2alg=3des-sha1
>         rightprotoport=udp/4300

(In reply to comment #8)

> > Man page ipsec.conf(5).

> ... Which part specifically you are referring to?

You're right that there is not said that you _should not_ use both {left,right}protoport (if using any). But at the same time, it is not said that _should_ use them together. It was not clear from the context for me and I think it is an important information. 

> > Just let me ask you:
> > 
> > If I want to specify protocol and port on the right side via rightprotoport
> > option, should I specify leftprotoport as well? 
> 
> You must use leftprotoport, and the reason you have 2 connections and openswan
> needs to differentiate which connection is for which protocol/port. 

OK, this is the argument I need to hear, now I agree with you that the issue described in this bugzilla is not a bug and I will close it immediately. 

Anyway, this discussion was helpful for me, thanks for your clarification.