Bug 1375406 - libreswan works not well when setting leftid field to be email address [RHEL7]
Summary: libreswan works not well when setting leftid field to be email address [RHEL7]
Keywords:
Status: CLOSED DUPLICATE of bug 1324421
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Paul Wouters
QA Contact: Jianwen Ji
URL:
Whiteboard:
Depends On: 1324421
Blocks:
Reported: 2016-09-13 03:17 UTC by Jianwen Ji
Modified: 2018-02-05 12:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1324421
Environment:
Last Closed: 2018-02-05 12:01:26 UTC
Target Upstream Version:



Description Jianwen Ji 2016-09-13 03:17:28 UTC
+++ This bug was initially created as a clone of Bug #1324421 +++

Description of problem:

Test case Link:
IKEv2.EN.I.1.1.10.1 Part C, page 168, https://www.ipv6ready.org/docs/Phase2_IKEv2_Conformance_Latest.pdf

NUT - Node Under Test
TN  - Test Node

Purpose: 
    To verify an IKEv2 device handles CERTREQ payload and transmits CERT payload properly

References: 
    [RFC 4306] - Sections 1.2 and 3.8

Procedure:

   NUT             TN1  
    |             | 
    |------------>| IKE_SA_INIT request (HDR, SAi1, KEi, Ni) 
    |             | (Judgement #1) 
    |<------------| IKE_SA_INIT response (HDR, SAr1, KEr, Nr, CERTREQ) 
    |             | (Packet #1) 
    |             | 
    |------------>| IKE_AUTH request (HDR, SK {IDi, CERT, AUTH, N, SAi2, TSi, TSr}) 
    |             | (Judgement #2) 
    |             | 
    V             V 
N: USE_TRANSPORT_MODE  

Expected Result:
Judgment #1 
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H Group 2" as proposed 
algorithms. 

Judgment #2 
The NUT transmits an IKE_AUTH request. The request includes an ID payload with 
ID_RFC822_ADDR and a CERT payload which contains 4 (X.509 Certificate - Signature) as Certificate Encoding and the NUT’s certificate as Certificate Data. 

Actual Result:

We failed at Judgement #2: the IKE_AUTH request should include an ID payload with ID_RFC822_ADDR (3), but it includes DER_ASN1_DN (9).

By the way, this test case can pass on RHEL-7.2 with libreswan 3.12-10.1.el7_1

Version-Release number of selected component (if applicable):
libreswan-3.15-6.el7.x86_64

How reproducible:
Always

Additional info:
version 2.0     # conforms to second version of ipsec.conf specification

My configuration example: 

/etc/ipsec.conf
# basic configuration
config setup
        protostack=netkey
        plutodebug="all crypt"
        plutostderrlog="/tmp/pluto.log"
conn ikev2
        left=3000::215:17ff:fe37:13cc
        right=3001::200:10ff:fe10:1180
        leftid="nut"
        rightid=3001::200:10ff:fe10:1180
        authby=rsasig
        leftrsasigkey=%cert
        leftcert="NUT - IOL"
        rightrsasigkey=%cert
        rightcert="iolintact - IOL"
        type=transport
        ikev2=insist
        ike=3des-sha1;modp1024
        phase2=esp
        phase2alg=3des-sha1
        auto=start
        connaddrfamily=ipv6
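The Judgment #2 check the report fails is about the ID Type byte of the IKEv2 Identification payload. The following is an added example (not from the report or from libreswan) that encodes and decodes that payload as RFC 7296 section 3.5 lays it out and evaluates the ID-type part of Judgment #2; the e-mail address and the DER name used as sample data are constructed placeholders, not the NUT's real identity.

```python
import struct

# IKEv2 Identification payload ID Type values (RFC 7296, section 3.5).
ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR", 5: "ID_IPV6_ADDR",
    9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}
ID_RFC822_ADDR = 3
ID_DER_ASN1_DN = 9


def build_id_payload(id_type, ident, next_payload=0):
    """Encode a generic payload header followed by an ID payload body.

    Generic header: Next Payload (1), Critical+RESERVED (1), Payload Length (2).
    ID body: ID Type (1), RESERVED (3), Identification Data.
    """
    length = 8 + len(ident)
    return struct.pack("!BBHB3x", next_payload, 0, length, id_type) + ident


def parse_id_payload(raw):
    """Decode an ID payload and return (id_type, identification_data)."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed header")
    _next, _crit, length, id_type = struct.unpack("!BBHB3x", raw[:8])
    if length != len(raw):
        raise ValueError("Payload Length %d does not match %d bytes" % (length, len(raw)))
    return id_type, raw[8:]


def judgment2_id_check(raw):
    """Judgment #2, ID part: the IDi payload must carry ID_RFC822_ADDR (3).

    Returns (passed, description); the failing description reads the way the
    report phrases it, naming the expected and the observed ID Type.
    """
    id_type, data = parse_id_payload(raw)
    name = ID_TYPES.get(id_type, "unknown")
    if id_type == ID_RFC822_ADDR:
        return True, "ID_RFC822_ADDR(3): %s" % data.decode("ascii")
    return False, "expected ID_RFC822_ADDR(3), got %s(%d)" % (name, id_type)


# Constructed samples: the IDi the test expects, and the ID Type the report observed.
PASSING_IDI = build_id_payload(ID_RFC822_ADDR, b"nut@example.test")
# Constructed DER: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String "nut" } } }, i.e. CN=nut.
OBSERVED_IDI = build_id_payload(ID_DER_ASN1_DN, bytes.fromhex("300e310c300a06035504030c036e7574"))
```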

Comment 2 Ondrej Moriš 2018-02-05 12:01:26 UTC

*** This bug has been marked as a duplicate of bug 1324421 ***
