| Summary: | Openswan problem with ikev2 options | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | David Spurek <dspurek> |
| Component: | openswan | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 6.1 | CC: | amarecek, eparis, omoris |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-09-11 19:17:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Since RHEL 6.3 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

I'm not sure if this is a bug.

You are adding two connections for which the policy is basically the same as far as the wire policies are involved, if I rewrite your test case:

```
conn test-insist
    ikev2=insist
    also=base

conn test-yes
    ikev2=yes
    also=base

conn base
    left=192.168.122.212
    right=192.168.122.179
    auto=add
    authby=secret
    type=transport
    ike=aes256-md5
    phase2=esp
```

Assume the order of loading all connections is semi-random. What should we do?

Ideally, those two connections should never be able to both get loaded. But even if we managed to reject the slowest-loading one, it is not guaranteed that the same one would get rejected every time libreswan is started.
Description of problem:

Problem with the ikev2 option. If I run a test case with the ikev2=yes option required on both sides, the functionality is OK. But if I add another connection to ipsec.conf with ikev2=insist required on both sides, this test case fails (if I run the test with ikev2=insist only, the functionality is OK). If I first run the test case with ikev2=insist required on both sides, it works fine. If I add a second connection with ikev2=yes to ipsec.conf and then try the functionality, the test case fails.

Version-Release number of selected component (if applicable):
openswan-2.6.32-6.el6

How reproducible:
always

Steps to Reproduce:

1. To ipsec.conf add (on both sides):

```
conn ike_yes
    left=192.168.122.212
    right=192.168.122.179
    auto=add
    authby=secret
    type=transport
    ike=aes256-md5
    ikev2=yes
    phase2=esp
```

Then run (on both sides):

```
ip xfrm state flush
ip xfrm policy flush
service ipsec restart && sleep 5
ipsec auto --route ike_yes
```

On 192.168.122.212 run:

```
nc 192.168.122.212 -l 6000
```

On 192.168.122.179 run:

```
echo 'Hi' | nc -w 10 -v 192.168.122.212 6000
```

2. Add a second connection to ipsec.conf (on both sides):

```
conn ike_insist
    left=192.168.122.212
    right=192.168.122.179
    auto=add
    authby=secret
    type=transport
    ike=aes256-md5
    ikev2=insist
    phase2=esp
```

Then run (on both sides):

```
ip xfrm state flush
ip xfrm policy flush
service ipsec restart && sleep 5
ipsec auto --route ike_insist
```

On 192.168.122.212 run:

```
nc 192.168.122.212 -l 6000
```

On 192.168.122.179 run:

```
echo 'Hi' | nc -w 10 -v 192.168.122.212 6000
```

Actual results:
nc succeeds in the first test case. In the second test case nc fails (nc output is `nc: connect to rhel61-clone port 6000 (tcp) timed out: Operation now in progress`).

Expected results:
nc should succeed in both test cases.

Additional info:
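A configuration check for the pitfall discussed in this bug, added here as an example and not code from the report or from openswan: it parses an ipsec.conf fragment, flattens `also=` includes the way the rewritten test case in the comment above does, keeps only the connections that `ipsec auto --add` would actually load, groups them by the traffic they match, and flags groups whose members disagree on `ikev2`, which is exactly the pair of conns from the steps to reproduce. The excerpt in `SAMPLE_CONF` is constructed from the report's two connections; the `also=` precedence rule, the default `auto=ignore`, and the `WIRE_KEYS` list are assumptions of this example.

```python
from collections import defaultdict
# Constructed ipsec.conf excerpt: the report's two conns, the second written via also=.
SAMPLE_CONF = """\
conn ike_yes
    left=192.168.122.212
    right=192.168.122.179
    type=transport
    auto=add
    ikev2=yes
conn ike_insist
    ikev2=insist
    auto=add
    also=base
conn base
    left=192.168.122.212
    right=192.168.122.179
    type=transport
"""
# Keys that decide which traffic a conn matches; ikev2 is deliberately not one of them.
WIRE_KEYS = ("left", "right", "type", "leftsubnet", "rightsubnet", "leftprotoport", "rightprotoport")

def parse_sections(text):
    """Return {conn_name: {key: value}}; a repeated key keeps its first value."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # drop comments and trailing space
        if line.strip() and not line[0].isspace():      # section header, e.g. "conn base"
            kind, _, name = line.strip().partition(" ")
            cur = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif cur is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            cur.setdefault(key.strip(), val.strip())
    return sections
def resolve(name, sections, seen=()):
    """Flatten also= includes (assumed rule: keys set directly in a section win over included ones)."""
    own = sections.get(name, {})
    merged = {k: v for k, v in own.items() if k != "also"}
    for inc in own.get("also", "").split():
        if inc not in seen:                             # guard against also= cycles
            for k, v in resolve(inc, sections, seen + (name,)).items():
                merged.setdefault(k, v)
    return merged
def find_ikev2_conflicts(text):
    """Group loadable conns by wire policy; return the groups whose members disagree on ikev2."""
    sections, groups = parse_sections(text), defaultdict(dict)
    for name in sections:
        conn = resolve(name, sections)
        if conn.get("auto", "ignore") != "ignore":       # assumed default auto=ignore: never loaded
            groups[tuple(conn.get(k, "") for k in WIRE_KEYS)][name] = conn.get("ikev2", "unset")
    return [group for group in groups.values() if len(set(group.values())) > 1]
```

Running `find_ikev2_conflicts` over a real ipsec.conf before restarting the service surfaces the ambiguous pair instead of leaving it to the semi-random load order.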