Bug 1021961 - pluto abort when using SHA2_{384,512} IKE encryption algorithm
Summary: pluto abort when using SHA2_{384,512} IKE encryption algorithm
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan (Show other bugs)
(Show other bugs)
Version: 6.5
Hardware: All Linux
medium
high
Target Milestone: rc
: ---
Assignee: Paul Wouters
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-22 12:21 UTC by Ondrej Moriš
Modified: 2014-10-14 08:18 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-14 08:18:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Output of 'ipsec barf' (57.25 KB, text/plain)
2013-10-22 12:21 UTC, Ondrej Moriš 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1588 normal SHIPPED_LIVE openswan bug fix and enhancement update 2014-10-14 01:39:53 UTC

Description Ondrej Moriš 2013-10-22 12:21:05 UTC 
Created attachment 814958 [details]
Output of 'ipsec barf'

Description of problem:

When 384 or 512 bit SHA2 IKE encryption/authentication algorithm is used, pluto keeps aborting on responder machine. With 256 bit SHA2 it works fine.

Version-Release number of selected component (if applicable):

openswan-2.6.32-27.el6

How reproducible:

100%

Steps to Reproduce:

1. Setup initiator and responder as follows (ipsec.conf):

   version 2.0

   config setup
     plutodebug="lifecycle"
     protostack=netkey
     nat_traversal=yes
     virtual_private=
     oe=off

   conn test
     authby=secret
     type=transport
     left=<initiator>
      right=<responder
      ike=aes128-sha2_512 # (or sha2_384)
      esp=3des-sha1
      ikev2=insist 
      auto=add

2. Start ipsec on both initiator and responder (service ipsec start)

3. Initiate connection from initiator (ipsec auto --up test)

4. See /var/log/messages on responder.

Actual results:

Connection does not work.

Responder (/var/log/messages):

002 added connection description "test"
ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 250: 19521 Aborted                 (core dumped) /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-lifecycle --use-netkey --uniqueids --nat_traversal --virtual_private oe=off
ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
ipsec__plutorun: restarting IPsec after pause...
...
(and repeating)

Expected results:

Connection successful. 

Additional info:

This is *not* a regression in 6.5 from 6.4, in happens in openswan-2.6.32-21.el6_4 as well. In FIPS mode it does not work as well. Output of 'ipsec barf' from responder is attached.
Comment 1 Ondrej Moriš 2013-10-22 12:31:16 UTC 
May be I am just not configuring it correctly, where can I find the list of suitable options for ike=? Man page ipsec.conf(5) says: "...The options must be suitable as a value of ipsec_spi(8)´s --ike option.", but there is not ike option mentioned in ipsec_spi(8).
Comment 4 errata-xmlrpc 2014-10-14 08:18:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1588.html
Note You need to log in before you can comment on or make changes to this bug.