Created attachment 814958 [details]
Output of 'ipsec barf'
Description of problem:
When 384 or 512 bit SHA2 IKE encryption/authentication algorithm is used, pluto keeps aborting on responder machine. With 256 bit SHA2 it works fine.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Setup initiator and responder as follows (ipsec.conf):
ike=aes128-sha2_512 # (or sha2_384)
2. Start ipsec on both initiator and responder (service ipsec start)
3. Initiate connection from initiator (ipsec auto --up test)
4. See /var/log/messages on responder.
Connection does not work.
002 added connection description "test"
ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 250: 19521 Aborted (core dumped) /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-lifecycle --use-netkey --uniqueids --nat_traversal --virtual_private oe=off
ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)
ipsec__plutorun: restarting IPsec after pause...
This is *not* a regression in 6.5 from 6.4, it happens in openswan-2.6.32-21.el6_4 as well. In FIPS mode it does not work either. Output of 'ipsec barf' from responder is attached.
Maybe I am just not configuring it correctly, where can I find the list of suitable options for ike=? Man page ipsec.conf(5) says: "...The options must be suitable as a value of ipsec_spi(8)'s --ike option.", but there is no ike option mentioned in ipsec_spi(8).
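As an added example (not part of this bug report or of openswan), the following POSIX shell functions show how an operator could spot the responder-side crash loop from the log lines above and check whether a host's ipsec.conf selects one of the two proposals the reporter says trigger it (sha2_384 / sha2_512). The syslog lines and the ipsec.conf fragment are constructed sample data modelled on this report; the hostname "responder", the timestamps and the threshold of two aborts are assumptions.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages on the responder, based on the
# lines quoted in the report (timestamps and hostname are made up).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Nov  1 10:00:01 responder pluto[19521]: added connection description "test"
Nov  1 10:00:05 responder ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 250: 19521 Aborted (core dumped) /usr/libexec/ipsec/pluto --nofork --use-netkey
Nov  1 10:00:05 responder ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)
Nov  1 10:00:05 responder ipsec__plutorun: restarting IPsec after pause...
Nov  1 10:00:30 responder ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6)
Nov  1 10:00:30 responder ipsec__plutorun: restarting IPsec after pause...
EOF

# Constructed sample ipsec.conf fragment using the proposal from step 1.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
conn test
        left=192.0.2.1
        right=192.0.2.2
        ike=aes128-sha2_512
        auto=add
EOF

# Count pluto aborts: _plutorun reports exit status 134, i.e. SIGABRT.
# grep -c exits 1 on zero matches, so "|| true" keeps the count usable under set -e.
count_pluto_aborts() {
    grep -c 'pluto failure!: exited with error status 134' "$1" || true
}

# Succeed (exit 0) when pluto aborted at least $2 times (default 2):
# a repeated abort followed by "restarting IPsec after pause" is a crash loop,
# not a one-off failure.
pluto_crash_loop() {
    n="$(count_pluto_aborts "$1")"
    [ "$n" -ge "${2:-2}" ]
}

# Succeed when any ike= line in the config selects sha2_384 or sha2_512,
# the two integrity algorithms the report associates with the abort.
uses_affected_sha2() {
    grep -Eq '^[[:space:]]*ike=.*sha2_(384|512)' "$1"
}

# Stand-alone run: summarise what the checks found.
if pluto_crash_loop "$SAMPLE_LOG" 2; then
    echo "pluto crash loop detected: $(count_pluto_aborts "$SAMPLE_LOG") aborts"
fi
if uses_affected_sha2 "$SAMPLE_CONF"; then
    echo "ipsec.conf selects a sha2_384/sha2_512 IKE proposal"
fi
```

Run it against a real /var/log/messages and /etc/ipsec.conf by passing those paths to the two functions instead of the sample files.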
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.