Bug 1028369 - libreswan doesn't recognize the loopback option
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan
7.0
All Linux
high Severity high
: beta
: 7.0
Assigned To: Paul Wouters
Aleš Mareček
Depends On: 833910
Blocks: RHEL7CCC
Reported: 2013-11-08 05:02 EST by Aleš Mareček
Modified: 2014-06-18 04:31 EDT (History)

See Also:
Fixed In Version: libreswan-3.8-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 833910
Environment:
Last Closed: 2014-06-13 06:42:20 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Aleš Mareček 2013-11-08 05:02:26 EST
+++ This bug was initially created as a clone of Bug #833910 +++

Description of problem:
It seems that openswan doesn't recognize the option "loopback" in RHEL-7.
$ service ipsec start
failed to start openswan IKE daemon - the following error occured:
can not load config '/etc/ipsec.conf': /etc/ipsec.conf:17: syntax error, unexpected STRING [loopback]
$ head -17 /etc/ipsec.conf | tail -1
        loopback=yes


Version-Release number of selected component (if applicable):
openswan-2.6.37-3.el7

How reproducible:
Always

Steps to Reproduce:
1. Run the beaker test: /CoreOS/openswan/Regression/bz711975-incomplete-policy-for-loopback-when-using
NOTE: There is also ipsec.conf included
  
Actual results:
FAIL

Expected results:
PASS (loopback option works in RHEL-6)

Additional info:
Comment 2 Paul Wouters 2014-01-16 04:03:09 EST
This works fine in libreswan. Can this be closed as notabug?

[root@rhel7a ~]# cat /etc/ipsec.conf 

config setup
        protostack=netkey
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
	plutostderrlog=/tmp/pluto.log
	secctx_attr_value=32001
	plutodebug=all

conn test
	left=%defaultroute
	right=1.2.3.4

[root@rhel7a ~]# ipsec auto --add test
[root@rhel7a ~]# ipsec status |grep loopback
000 "test":   labeled_ipsec:no, loopback:yes;
Comment 4 Ondrej Moriš 2014-01-21 10:29:47 EST
(In reply to Paul Wouters from comment #2)
> This works fine in libreswan. Can this be closed as notabug?
> 
> [root@rhel7a ~]# cat /etc/ipsec.conf 
> 
> config setup
>         protostack=netkey
>         dumpdir=/var/run/pluto/
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
> 	plutostderrlog=/tmp/pluto.log
> 	secctx_attr_value=32001
> 	plutodebug=all
> 
> conn test
> 	left=%defaultroute
> 	right=1.2.3.4
> 
> [root@rhel7a ~]# ipsec auto --add test
> [root@rhel7a ~]# ipsec status |grep loopback
> 000 "test":   labeled_ipsec:no, loopback:yes;

And does that connection work for you?

I am currently testing labeled ipsec in mls on loopback, but it does not work even if I disable labeling, i.e.:

# echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
# echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy
# ip xfrm state flush && ip xfrm policy flush
# cat /etc/ipsec.conf
...
config setup
        protostack=netkey
        nat_traversal=yes
        plutostderrlog=/var/log/pluto.log
        secctx_attr_value=32001

conn test1-1-ipv4
        auto=route
        rekey=no
        authby=secret
        type=transport
        left=127.0.0.1
        right=127.0.0.1
        ike=3des-sha1
        phase2=esp
        phase2alg=aes-sha1
        loopback=yes
        #labeled_ipsec=yes
        #policy_label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
        leftprotoport=tcp/4300
        rightprotoport=tcp

conn test1-2-ipv4
        auto=route
        rekey=no
        authby=secret
        type=transport
        left=127.0.0.1
        right=127.0.0.1
        ike=3des-sha1
        phase2=esp
        phase2alg=aes-sha1
        loopback=yes
        #labeled_ipsec=yes
        #policy_label=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023
        leftprotoport=tcp
        rightprotoport=tcp/4300

# service ipsec restart

# nc -vvv -l 127.0.0.1 4300
Ncat: Version 6.40 ( http://nmap.org/ncat )
NCAT DEBUG: Initialized fdlist with 102 maxfds
Ncat: Listening on 127.0.0.1:4300
NCAT DEBUG: Added fd 3 to list, nfds 1, maxfd 3
NCAT DEBUG: Added fd 0 to list, nfds 2, maxfd 3
NCAT DEBUG: Initialized fdlist with 100 maxfds
NCAT DEBUG: selecting, fdmax 3
^C
# nc 127.0.0.1 4300 -vvv
Ncat: Version 6.40 ( http://nmap.org/ncat )
libnsock nsi_new2(): nsi_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 127.0.0.1:4300 (IOD #1) EID 8
libnsock nsock_trace_handler_callback(): Callback: CONNECT ERROR [Connection timed out (110)] for EID 8 [127.0.0.1:4300]
Ncat: Connection timed out.

# ipsec barf
...
Jan 21 16:24:41 cc-toe1 pluto[5316]: initiate on demand from 127.0.0.1:0 to 127.0.0.1:4300 proto=6 state: fos_start because: acquire
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-2-ipv4" #5: initiating Quick Mode PSK+ENCRYPT+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK+IKE_FRAG {using isakmp#2 msgid:3eb04dd7 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-2-ipv4" #1: the peer proposed: 127.0.0.1/32:6/0 -> 127.0.0.1/32:6/4300
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-1-ipv4" #6: responding to Quick Mode proposal {msgid:3eb04dd7}
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-1-ipv4" #6:     us: 127.0.0.1<127.0.0.1>:6/4300
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-1-ipv4" #6:   them: 127.0.0.1<127.0.0.1>:6/0
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-1-ipv4" #6: keeping refhim=0 during rekey
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-1-ipv4" #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-1-ipv4" #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-2-ipv4" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-2-ipv4" #5: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x069495af <0x40612a72 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-1-ipv4" #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 21 16:24:41 cc-toe1 pluto[5316]: "test1-1-ipv4" #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x40612a72 <0x069495af xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 16:24:42 cc-toe1 pluto[5316]: initiate on demand from 127.0.0.1:57804 to 127.0.0.1:4300 proto=6 state: fos_start because: acquire
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-2-ipv4" #7: initiating Quick Mode PSK+ENCRYPT+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK+IKE_FRAG {using isakmp#2 msgid:466b9e6b proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-2-ipv4" #1: the peer proposed: 127.0.0.1/32:6/0 -> 127.0.0.1/32:6/4300
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-1-ipv4" #8: responding to Quick Mode proposal {msgid:466b9e6b}
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-1-ipv4" #8:     us: 127.0.0.1<127.0.0.1>:6/4300
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-1-ipv4" #8:   them: 127.0.0.1<127.0.0.1>:6/0
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-1-ipv4" #8: keeping refhim=0 during rekey
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-1-ipv4" #8: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-1-ipv4" #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-2-ipv4" #7: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-2-ipv4" #7: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xf876bce3 <0x34c53215 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-1-ipv4" #8: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 21 16:24:42 cc-toe1 pluto[5316]: "test1-1-ipv4" #8: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x34c53215 <0xf876bce3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
+ _________________________ date
+ date
Tue Jan 21 16:25:27 CET 2014

It seems that the tunnel has been established, but nc timed out. If a non-secured port is used, it works fine:

# nc -vvv -l 127.0.0.1 5300
Ncat: Version 6.40 ( http://nmap.org/ncat )
NCAT DEBUG: Initialized fdlist with 102 maxfds
Ncat: Listening on 127.0.0.1:5300
NCAT DEBUG: Added fd 3 to list, nfds 1, maxfd 3
NCAT DEBUG: Added fd 0 to list, nfds 2, maxfd 3
NCAT DEBUG: Initialized fdlist with 100 maxfds
NCAT DEBUG: selecting, fdmax 3
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 3 is ready
Ncat: Connection from 127.0.0.1.
NCAT DEBUG: Swapping fd[0] (3) with fd[1] (0)
NCAT DEBUG: Removed fd 3 from list, nfds 1, maxfd 0
Ncat: Connection from 127.0.0.1:35638.
NCAT DEBUG: Added fd 4 to list, nfds 2, maxfd 4
NCAT DEBUG: Added fd 4 to list, nfds 1, maxfd 4
NCAT DEBUG: selecting, fdmax 4
test
NCAT DEBUG: selecting, fdmax 4
NCAT DEBUG: select returned 1 fds ready
NCAT DEBUG: fd 4 is ready
NCAT DEBUG: Closing connection.
NCAT DEBUG: Swapping fd[1] (4) with fd[1] (4)
NCAT DEBUG: Removed fd 4 from list, nfds 1, maxfd 0
NCAT DEBUG: Swapping fd[0] (4) with fd[0] (4)
NCAT DEBUG: Removed fd 4 from list, nfds 0, maxfd -1

# nc 127.0.0.1 5300 -vvv
Ncat: Version 6.40 ( http://nmap.org/ncat )
libnsock nsi_new2(): nsi_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 127.0.0.1:5300 (IOD #1) EID 8
libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [127.0.0.1:5300]
Ncat: Connected to 127.0.0.1:5300.
libnsock nsi_new2(): nsi_new (IOD #2)
libnsock nsock_read(): Read request from IOD #1 [127.0.0.1:5300] (timeout: -1ms) EID 18
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 26
test
libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [peer unspecified] (5 bytes): test.
libnsock nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [127.0.0.1:5300]
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 42
^C
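The loopback pattern used in comment 2 and comment 4 (two transport-mode conns between 127.0.0.1 and itself, both with loopback=yes, with leftprotoport/rightprotoport swapped between the two so that traffic to the protected port and traffic from it each get a policy; compare the "dport 6000" and "sport 6000" selectors in the state logs further down) is easy to get subtly wrong, and a config that does not even parse is what this bug was originally about. The following is an added example, not code from the bug report or from libreswan: a small parser for the ipsec.conf section syntax shown in this report plus a lint that checks a loopback conn pair for that mirrored shape. The embedded config is a trimmed copy of the test1-1-ipv4/test1-2-ipv4 pair from comment 4. The parser's grammar (column-0 section headers, indented key=value lines, '#' comment lines) is my own simplification of libreswan's, and the checks describe the shape of this report's test config, not rules taken from the libreswan manual.

```python
"""Lint a libreswan loopback conn pair in ipsec.conf (added example, not
from the bug report or from libreswan)."""
import re

# Trimmed copy of the test1-1-ipv4 / test1-2-ipv4 pair from comment 4.
SAMPLE_CONF = """\
config setup
        protostack=netkey
        nat_traversal=yes
        plutostderrlog=/var/log/pluto.log

conn test1-1-ipv4
        auto=route
        authby=secret
        type=transport
        left=127.0.0.1
        right=127.0.0.1
        loopback=yes
        #labeled_ipsec=yes
        leftprotoport=tcp/4300
        rightprotoport=tcp

conn test1-2-ipv4
        auto=route
        authby=secret
        type=transport
        left=127.0.0.1
        right=127.0.0.1
        loopback=yes
        leftprotoport=tcp
        rightprotoport=tcp/4300
"""

SECTION_RE = re.compile(r"(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'.

    Assumed (simplified) grammar: a section header starts in column 0, its
    key=value lines are indented, and a line whose first non-blank character
    is '#' is a comment. Anything else is a syntax error, reported with the
    1-based line number the way addconn reports its own.
    """
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not raw[0].isspace():
            m = SECTION_RE.match(raw)
            if not m:
                raise ValueError("line %d: bad section header %r" % (lineno, raw))
            current = m.group(2)
            sections[current] = {}
            continue
        if current is None:
            raise ValueError("line %d: key outside any section" % lineno)
        key, sep, value = stripped.partition("=")
        if not sep or not key.strip():
            raise ValueError("line %d: expected key=value, got %r" % (lineno, stripped))
        sections[current][key.strip()] = value.strip()
    return sections


def loopback_conns(sections):
    """The conn sections that set loopback=yes."""
    return {n: c for n, c in sections.items()
            if n != "setup" and c.get("loopback") == "yes"}


def lint_loopback_pairs(sections):
    """Return [(conn, problem)] for loopback conns that deviate from the
    shape used in this report's tests; [] means the pair looks right."""
    conns = loopback_conns(sections)
    problems = []
    for name, c in sorted(conns.items()):
        if c.get("left") != c.get("right"):
            problems.append((name, "left and right differ; the loopback conns here use one address for both"))
        if c.get("type") != "transport":
            problems.append((name, "report's loopback tests use type=transport"))
        if "leftprotoport" not in c or "rightprotoport" not in c:
            problems.append((name, "missing leftprotoport/rightprotoport"))
    # Each conn needs a mirror: its leftprotoport is the other's rightprotoport
    # and vice versa, so traffic to the port and traffic from it both get a policy.
    unpaired = set(conns)
    for a in conns:
        for b in conns:
            if a < b and conns[a].get("leftprotoport") == conns[b].get("rightprotoport") \
                    and conns[a].get("rightprotoport") == conns[b].get("leftprotoport"):
                unpaired.discard(a)
                unpaired.discard(b)
    for name in sorted(unpaired):
        problems.append((name, "no mirror conn with swapped leftprotoport/rightprotoport"))
    return problems


if __name__ == "__main__":
    for conn, problem in lint_loopback_pairs(parse_ipsec_conf(SAMPLE_CONF)) or [("-", "ok")]:
        print("%s: %s" % (conn, problem))
```

Run it against a real /etc/ipsec.conf before starting the service; a missing mirror conn produces an SA that negotiates fine but only covers one direction, which looks exactly like the "SA established, connection timed out" symptom in this thread.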
Comment 5 Aleš Mareček 2014-01-21 11:09:23 EST
And not for me; here is the full log:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: General Setup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

libreswan-3.8-1.el7.ppc64
:: [   PASS   ] :: Checking for the presence of libreswan rpm 
:: [ 10:56:47 ] ::  Package versions:
:: [ 10:56:47 ] ::    libreswan-3.8-1.el7.ppc64
Redirecting to /bin/systemctl status  ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled)
   Active: inactive (dead) since Tue 2014-01-21 10:56:10 EST; 36s ago
  Process: 29232 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 29227 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 29225 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 29118 ExecStart=/bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
  Process: 29056 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 29054 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 29118 (code=exited, status=0/SUCCESS)

Jan 21 10:55:59 ibm-p730-03-lp2.rhts.eng.bos.redhat.com pluto[29121]: | entering aalg_getbyname_ike()
/usr/sbin/tcpdump
/usr/bin/nc
:: [   PASS   ] :: File /etc/ipsec.conf should exist 
:: [   PASS   ] :: File /etc/ipsec.secrets should exist 
:: [   PASS   ] :: Running 'echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm' (Expected 0, got 0)
:: [   PASS   ] :: Running 'echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy' (Expected 0, got 0)
:: [   PASS   ] :: Running 'restorecon -Rv /etc/' (Expected 0, got 0)
:: [   PASS   ] :: Running 'ip xfrm state flush' (Expected 0, got 0)
:: [   PASS   ] :: Running 'systemctl enable ipsec.service' (Expected 0, got 0)
:: [ 10:56:48 ] :: [ INFO    ] :: Config files
====== CONFIG file '/etc/ipsec.conf' ======


config setup
    protostack=netkey
    nat_traversal=yes
    plutostderrlog=/var/log/pluto.log

conn TestA
        auto=add
        authby=secret
        type=transport
        left=127.0.0.1
        right=127.0.0.1
        ike=3des-sha1
        phase2=esp
        phase2alg=aes-sha1
        loopback=yes
        leftprotoport=tcp/6000
        rightprotoport=tcp

conn TestB
        auto=add
        authby=secret
        type=transport
        left=127.0.0.1
        right=127.0.0.1
        ike=3des-sha1
        phase2=esp
        phase2alg=aes-sha1
        loopback=yes
        leftprotoport=tcp
        rightprotoport=tcp/6000

====== CONFIG file '/etc/ipsec.secrets' ======
: PSK "whatever"


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Loopback test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl status  ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled)
   Active: inactive (dead) since Tue 2014-01-21 10:56:10 EST; 37s ago
 Main PID: 29118 (code=exited, status=0/SUCCESS)

Jan 21 10:55:59 ibm-p730-03-lp2.rhts.eng.bos.redhat.com pluto[29121]: | entering aalg_getbyname_ike()
Redirecting to /bin/systemctl start  ipsec.service
000 "TestA":   labeled_ipsec:no, loopback:yes; 
000 "TestA":   labeled_ipsec:no, loopback:yes; 
000 "TestB":   labeled_ipsec:no, loopback:yes; 
000 "TestB":   labeled_ipsec:no, loopback:yes; 
:: [   PASS   ] :: TEST: loopback enabled (Expected 0, got 0)
Redirecting to /bin/systemctl status  ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled)
   Active: active (running) since Tue 2014-01-21 10:56:49 EST; 3s ago
  Process: 29710 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 29707 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 29772 (sh)
   CGroup: /system.slice/ipsec.service
           ├─29772 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`
           ├─29774 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`
           ├─29775 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
           └─29808 _pluto_adns

Jan 21 10:56:49 ibm-p730-03-lp2.rhts.eng.bos.redhat.com pluto[29775]: adding interface eth0/eth0 fec0:0:a10:4000:e61f:13ff:fe8e:c144:500
Redirecting to /bin/systemctl stop  ipsec.service

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Loopback test - TestA
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl status  ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled)
   Active: inactive (dead) since Tue 2014-01-21 10:56:52 EST; 2s ago
  Process: 29860 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 29857 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 29854 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 29772 ExecStart=/bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
  Process: 29710 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 29707 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 29772 (code=exited, status=0/SUCCESS)

Jan 21 10:56:50 ibm-p730-03-lp2.rhts.eng.bos.redhat.com pluto[29775]: added connection description "TestB"
Redirecting to /bin/systemctl start  ipsec.service
104 "TestA" #1: STATE_MAIN_I1: initiate
003 "TestA" #1: received Vendor ID payload [Dead Peer Detection]
003 "TestA" #1: received Vendor ID payload [FRAGMENTATION]
003 "TestA" #1: received Vendor ID payload [RFC 3947]
106 "TestA" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "TestA" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "TestA" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "TestA" #1: received Vendor ID payload [CAN-IKEv2]
004 "TestA" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "TestA" #3: STATE_QUICK_I1: initiate
004 "TestA" #3: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xf2c58569 <0x0d2c2053 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
:: [   PASS   ] :: Running 'ipsec auto --up TestA' (Expected 0, got 0)
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
:: [   PASS   ] :: Running 'ip xfrm state >state-xfrm.log' (Expected 0, got 0)
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection timed out.
./runtest.sh: line 124: 30039 Stack fault             nc -l 127.0.0.1 ${_TCP_PORT} > ${_TCP_LOG} 2>&1
./runtest.sh: line 124: 30037 Stack fault             tcpdump -vv -e -nn -i lo ip "proto 50" -U -w ${_LOOPBACK_LOG}
:: [   FAIL   ] :: File 'tcp-port-6000.log' should contain 'Hi' 
reading from file loopback-tcpdump.log, link-type EN10MB (Ethernet)
:: [   PASS   ] :: ESP packets transported via loopback found (Assert: "2" should be greater than "0")
:: [   PASS   ] :: Running 'ipsec auto --down TestA' (Expected 0, got 0)
Redirecting to /bin/systemctl status  ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled)
   Active: active (running) since Tue 2014-01-21 10:56:54 EST; 18s ago
  Process: 29860 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 29857 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 29854 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 29906 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 29903 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 29968 (sh)
   CGroup: /system.slice/ipsec.service
           ├─29968 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`
           ├─29970 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`
           ├─29971 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
           └─30004 _pluto_adns

Jan 21 10:57:11 ibm-p730-03-lp2.rhts.eng.bos.redhat.com pluto[29971]: "TestB" #2: received Delete SA(0x0d2c2053) payload: deleting IPSEC State #4
Redirecting to /bin/systemctl stop  ipsec.service
:: [ 10:57:15 ] :: [ INFO    ] :: Log files
====== State log ======
src 127.0.0.1 dst 127.0.0.1
	proto esp spi 0x0d2c2053 reqid 16385 mode transport
	replay-window 32 
	auth-trunc hmac(sha1) 0x6517b94b09083c3761ebe3851d2525ace543beea 96
	enc cbc(aes) 0x0fd498b9c3112d81968c0db541acf49fd6d2999cea7b870a0a378f61de15ad38
	sel src 127.0.0.1/32 dst 127.0.0.1/32 proto tcp dport 6000 
src 127.0.0.1 dst 127.0.0.1
	proto esp spi 0xf2c58569 reqid 16389 mode transport
	replay-window 0 
	sel src 127.0.0.1/32 dst 127.0.0.1/32 

====== TCP log ======

====== Loopback log ======
reading from file loopback-tcpdump.log, link-type EN10MB (Ethernet)
10:57:06.103567 IP localhost > localhost: ESP(spi=0x0d2c2053,seq=0x1), length 84
10:57:07.096848 IP localhost > localhost: ESP(spi=0x10061105,seq=0x1), length 84

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Loopback test - TestB
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl status  ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled)
   Active: inactive (dead) since Tue 2014-01-21 10:57:13 EST; 2s ago
  Process: 30122 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 30119 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 30112 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 29968 ExecStart=/bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
  Process: 29906 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 29903 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 29968 (code=exited, status=0/SUCCESS)

Jan 21 10:57:11 ibm-p730-03-lp2.rhts.eng.bos.redhat.com pluto[29971]: packet from 127.0.0.1:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x173d304e
Redirecting to /bin/systemctl start  ipsec.service
104 "TestB" #1: STATE_MAIN_I1: initiate
003 "TestB" #1: received Vendor ID payload [Dead Peer Detection]
003 "TestB" #1: received Vendor ID payload [FRAGMENTATION]
003 "TestB" #1: received Vendor ID payload [RFC 3947]
106 "TestB" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "TestB" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "TestB" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "TestB" #1: received Vendor ID payload [CAN-IKEv2]
004 "TestB" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "TestB" #3: STATE_QUICK_I1: initiate
004 "TestB" #3: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x19e945a4 <0x49df6ed7 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
:: [   PASS   ] :: Running 'ipsec auto --up TestB' (Expected 0, got 0)
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
:: [   PASS   ] :: Running 'ip xfrm state >state-xfrm.log' (Expected 0, got 0)
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection timed out.
./runtest.sh: line 124: 30308 Stack fault             nc -l 127.0.0.1 ${_TCP_PORT} > ${_TCP_LOG} 2>&1
./runtest.sh: line 124: 30306 Stack fault             tcpdump -vv -e -nn -i lo ip "proto 50" -U -w ${_LOOPBACK_LOG}
:: [   FAIL   ] :: File 'tcp-port-6000.log' should contain 'Hi' 
reading from file loopback-tcpdump.log, link-type EN10MB (Ethernet)
:: [   FAIL   ] :: ESP packets transported via loopback found (Assert: "0" should be greater than "0")
:: [   PASS   ] :: Running 'ipsec auto --down TestB' (Expected 0, got 0)
Redirecting to /bin/systemctl status  ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled)
   Active: active (running) since Tue 2014-01-21 10:57:16 EST; 18s ago
  Process: 30122 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 30119 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 30112 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 30175 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 30172 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 30237 (sh)
   CGroup: /system.slice/ipsec.service
           ├─30237 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`
           ├─30239 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`
           ├─30240 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
           └─30273 _pluto_adns

Jan 21 10:57:32 ibm-p730-03-lp2.rhts.eng.bos.redhat.com pluto[30240]: "TestB" #3: deleting state (STATE_QUICK_I2)
Redirecting to /bin/systemctl stop  ipsec.service
:: [ 10:57:36 ] :: [ INFO    ] :: Log files
====== State log ======
src 127.0.0.1 dst 127.0.0.1
	proto esp spi 0x49df6ed7 reqid 16389 mode transport
	replay-window 32 
	auth-trunc hmac(sha1) 0xe2378d7296ab5660256a443a2e03a847b14f7e18 96
	enc cbc(aes) 0xbe5166992cefb9d14be3c51e173bec2463f7b1acc290d5382425f2517e724e5b
	sel src 127.0.0.1/32 dst 127.0.0.1/32 proto tcp sport 6000 
src 127.0.0.1 dst 127.0.0.1
	proto esp spi 0x19e945a4 reqid 16385 mode transport
	replay-window 0 
	sel src 127.0.0.1/32 dst 127.0.0.1/32 

====== TCP log ======

====== Loopback log ======
reading from file loopback-tcpdump.log, link-type EN10MB (Ethernet)
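Comment 5 shows the trap in this area: pluto reports "IPsec SA established" for both TestA and TestB, yet nc times out, the TestB capture holds no ESP at all, and the TestA capture holds one ESP packet for SPI 0x0d2c2053 plus one for SPI 0x10061105, which does not appear in the state log taken just before. An established SA only proves that IKE agreed on keys; whether traffic is actually protected has to be read from the kernel SA table and from the wire. The following is an added example, not code from the bug report or from libreswan: it parses `ip xfrm state` output and tcpdump's ESP lines, correlates them, and flags SAs that list no algorithm/keys, SAs that carried no ESP, and ESP on the wire for SPIs the kernel does not know. The sample inputs are copied from the TestA "State log" and "Loopback log" in comment 5 (trailing whitespace dropped); the record layout assumed for `ip xfrm state` (an unindented "src ... dst ..." line followed by indented attribute lines) is the one shown there.

```python
"""Correlate `ip xfrm state` with captured ESP (added example, not from the
bug report or from libreswan)."""
import re
from dataclasses import dataclass

# TestA "State log" from comment 5, as printed by `ip xfrm state`.
XFRM_STATE_SAMPLE = """\
src 127.0.0.1 dst 127.0.0.1
\tproto esp spi 0x0d2c2053 reqid 16385 mode transport
\treplay-window 32
\tauth-trunc hmac(sha1) 0x6517b94b09083c3761ebe3851d2525ace543beea 96
\tenc cbc(aes) 0x0fd498b9c3112d81968c0db541acf49fd6d2999cea7b870a0a378f61de15ad38
\tsel src 127.0.0.1/32 dst 127.0.0.1/32 proto tcp dport 6000
src 127.0.0.1 dst 127.0.0.1
\tproto esp spi 0xf2c58569 reqid 16389 mode transport
\treplay-window 0
\tsel src 127.0.0.1/32 dst 127.0.0.1/32
"""

# TestA "Loopback log" from comment 5, as printed by `tcpdump -r`.
TCPDUMP_SAMPLE = """\
10:57:06.103567 IP localhost > localhost: ESP(spi=0x0d2c2053,seq=0x1), length 84
10:57:07.096848 IP localhost > localhost: ESP(spi=0x10061105,seq=0x1), length 84
"""


@dataclass
class XfrmState:
    src: str
    dst: str
    spi: int = 0
    reqid: int = 0
    mode: str = ""
    has_keys: bool = False   # an auth/enc/aead line with key material was listed
    selector: str = ""


STATE_HDR_RE = re.compile(r"src (\S+) dst (\S+)")
ESP_SA_RE = re.compile(r"proto esp spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)")
ESP_PKT_RE = re.compile(r"ESP\(spi=(0x[0-9a-fA-F]+),seq=(0x[0-9a-fA-F]+)\)")


def parse_xfrm_state(text):
    """Parse `ip xfrm state` output: an unindented 'src ... dst ...' line opens
    a record; the indented lines that follow describe it."""
    states, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            m = STATE_HDR_RE.match(line)
            if m:
                cur = XfrmState(src=m.group(1), dst=m.group(2))
                states.append(cur)
            continue
        if cur is None:
            continue
        m = ESP_SA_RE.match(line)
        if m:
            cur.spi, cur.reqid, cur.mode = int(m.group(1), 16), int(m.group(2)), m.group(3)
        elif line.startswith(("auth-trunc ", "auth ", "enc ", "aead ")):
            cur.has_keys = True
        elif line.startswith("sel "):
            cur.selector = line[4:]
    return states


def count_esp_by_spi(capture):
    """Count captured ESP packets per SPI from tcpdump's text output."""
    counts = {}
    for line in capture.splitlines():
        m = ESP_PKT_RE.search(line)
        if m:
            spi = int(m.group(1), 16)
            counts[spi] = counts.get(spi, 0) + 1
    return counts


def audit(states, counts):
    """Return (finding, spi) pairs. 'no-keys': the SA lists no algorithm, so it
    cannot protect anything; 'no-traffic': no ESP was seen for it;
    'unknown-spi': ESP on the wire for an SPI absent from the kernel's table."""
    findings = []
    for s in states:
        if not s.has_keys:
            findings.append(("no-keys", s.spi))
        if counts.get(s.spi, 0) == 0:
            findings.append(("no-traffic", s.spi))
    known = {s.spi for s in states}
    for spi in sorted(counts):
        if spi not in known:
            findings.append(("unknown-spi", spi))
    return findings


if __name__ == "__main__":
    st = parse_xfrm_state(XFRM_STATE_SAMPLE)
    for s in st:
        print("spi=0x%08x reqid=%d keys=%s sel=%s" % (s.spi, s.reqid, s.has_keys, s.selector))
    for kind, spi in audit(st, count_esp_by_spi(TCPDUMP_SAMPLE)):
        print("%-12s spi=0x%08x" % (kind, spi))
```

On the TestA data this reports no-keys and no-traffic for 0xf2c58569 and unknown-spi for 0x10061105; on the TestB data, where the capture is empty, every SA comes back as no-traffic. Feeding it `ip xfrm state` and `tcpdump -r` output from a live run gives the same three checks without reading hex by hand.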
Comment 6 Paul Wouters 2014-01-21 17:22:59 EST
On this last run it _does_ recognise the loopback option, and the SA establishes.

But you are not seeing the traffic flow properly. Could this be related to https://bugzilla.redhat.com/show_bug.cgi?id=986065, that showed a fix and then a regression again? Can you try with kernel-3.10.0-55.el7? (not newer and not older kernels)
Comment 7 Ondrej Moriš 2014-01-22 08:43:42 EST
It looks like it has not been working for some time now; I have even tried kernel-3.10.0-55.el7 and it is still broken there. It would be best to close this bug as verified, since the issue reported here is definitely fixed now. The new issue is tracked separately - Bug 1056559.
Comment 9 Ludek Smid 2014-06-13 06:42:20 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
