Description of problem:
Problem with ikev2 option. If I run a test case with ikev2=yes option required on both sides the functionality is ok. But if I add another connection to ipsec.conf with required ikev2=insist on both sides, this test case fails (If I run test with ikev2=insist only, the functionality is ok).
If I first run test case with required ikev2=insist on both sides, it works fine. If I add second connection with ikev2=yes to ipsec.conf and then try the functionality, test case fails.
Version-Release number of selected component (if applicable):
openswan-2.6.32-6.el6
How reproducible:
always
Steps to Reproduce:
1. To ipsec.conf add (on both sides):
conn ike_yes
    left=192.168.122.212
    right=192.168.122.179
    auto=add
    authby=secret
    type=transport
    ike=aes256-md5
    ikev2=yes
    phase2=esp
Then run (on both sides):
ip xfrm state flush
ip xfrm policy flush
service ipsec restart && sleep 5
ipsec auto --route ike_yes
On 192.168.122.212 run:
nc 192.168.122.212 -l 6000
On 192.168.122.179 run:
echo 'Hi' | nc -w 10 -v 192.168.122.212 6000
2. Add second connection to ipsec.conf (on both sides):
conn ike_insist
    left=192.168.122.212
    right=192.168.122.179
    auto=add
    authby=secret
    type=transport
    ike=aes256-md5
    ikev2=insist
    phase2=esp
Then run (on both sides):
ip xfrm state flush
ip xfrm policy flush
service ipsec restart && sleep 5
ipsec auto --route ike_insist
On 192.168.122.212 run:
nc 192.168.122.212 -l 6000
On 192.168.122.179 run:
echo 'Hi' | nc -w 10 -v 192.168.122.212 6000
Actual results:
NC succeeds in the first test case. In the second test case NC fails (NC output is nc: connect to rhel61-clone port 6000 (tcp) timed out: Operation now in progress)
Expected results:
NC should succeed on both test cases.
Additional info:
Comment 1 RHEL Program Management
2012-05-03 04:43:14 UTC
Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.
Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
I'm not sure if this is a bug.
You are adding two connections for which the policy is basically the same as the wire policies are involved, if I rewrite your test case:
conn test-insist
    ikev2=insist
    also=base
conn test-yes
    ikev2=yes
    also=base
conn base
    left=192.168.122.212
    right=192.168.122.179
    auto=add
    authby=secret
    type=transport
    ike=aes256-md5
    phase2=esp
Assume the order of loading all connections is semi-random. What should we do?
Ideally, those two connections should never be able to both get loaded. But even if we managed to reject the slowest loading one, it is not guaranteed that the same one would get rejected every time to start libreswan.
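The overlap described in the comment above can be caught before the configuration is loaded. This is an added example, not part of the bug report or of openswan/libreswan: it resolves also= includes and reports conns that share the same endpoints and type but set different ikev2= values. Treating left, right and type as the wire policy, letting a conn's own keys override included ones, and skipping conns with no explicit ikev2= are assumptions of this example.

```python
from collections import defaultdict

# Constructed input: the rewritten test case from the comment above.
SAMPLE = """\
conn test-insist
    ikev2=insist
    also=base
conn test-yes
    ikev2=yes
    also=base
conn base
    left=192.168.122.212
    right=192.168.122.179
    auto=add
    authby=secret
    type=transport
    ike=aes256-md5
    phase2=esp
"""

def parse_conns(text):  # -> {conn_name: [(key, value), ...]} in file order
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return conns

def resolve(conns, name, seen=()):  # flatten also=; assumption: own keys win
    if name in seen:
        raise ValueError("also= loop at " + name)
    merged = dict(kv for kv in conns.get(name, []) if kv[0] != "also")
    for key, target in conns.get(name, []):
        if key == "also":
            for k, v in resolve(conns, target, seen + (name,)).items():
                merged.setdefault(k, v)
    return merged

def ikev2_conflicts(text):
    """Return {wire_policy: {conn: ikev2}} for policies with mixed ikev2= values."""
    conns, groups = parse_conns(text), defaultdict(dict)
    for name in conns:
        c = resolve(conns, name)
        if {"left", "right", "ikev2"} <= c.keys():  # needs an explicit ikev2=
            policy = (*sorted((c["left"], c["right"])), c.get("type", "tunnel"))
            groups[policy][name] = c["ikev2"]
    return {p: m for p, m in groups.items() if len(set(m.values())) > 1}
```

Calling ikev2_conflicts() on the text of ipsec.conf returns an empty dict when no two conns with the same wire policy disagree on ikev2=.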