+++ This bug was initially created as a clone of Bug #1324421 +++

Description of problem:

Test case link: IKEv2.EN.I.1.1.10.1 Part C, page 168, https://www.ipv6ready.org/docs/Phase2_IKEv2_Conformance_Latest.pdf

NUT - Node Under Test
TN - Test Node

Purpose:
To verify an IKEv2 device handles CERTREQ payload and transmits CERT payload properly

References:
[RFC 4306] - Sections 1.2 and 3.8

Procedure:

      NUT                TN1
       |                  |
       |----------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
       |                  | (Judgement #1)
       |<-----------------| IKE_SA_INIT response (HDR, SAr1, KEr, Nr, CERTREQ)
       |                  | (Packet #1)
       |----------------->| IKE_AUTH request (HDR, SK {IDi, CERT, AUTH, N, SAi2, TSi, TSr})
       |                  | (Judgement #2)
       |                  |
       V                  V

N: USE_TRANSPORT_MODE

Expected Result:

Judgment #1
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H Group 2" as proposed algorithms.

Judgment #2
The NUT transmits an IKE_AUTH request. The request includes an ID payload with ID_RFC822_ADDR and a CERT payload which contains 4 (X.509 Certificate - Signature) as Certificate Encoding and the NUT's certificate as Certificate Data.

Actual Result:
We failed at Judgement #2: the IKE_AUTH request should include an ID payload with ID_RFC822_ADDR (3), but it includes DER_ASN1_DN (9).

By the way, this test case can pass on RHEL-7.2 with libreswan 3.12-10.1.el7_1.

Version-Release number of selected component (if applicable):
libreswan-3.15-6.el7.x86_64

How reproducible:
Always

Additional info:
version 2.0 # conforms to second version of ipsec.conf specification

My configuration example: /etc/ipsec.conf

# basic configuration
config setup
    protostack=netkey
    plutodebug="all crypt"
    plutostderrlog="/tmp/pluto.log"

conn ikev2
    left=3000::215:17ff:fe37:13cc
    right=3001::200:10ff:fe10:1180
    leftid="nut"
    rightid=3001::200:10ff:fe10:1180
    authby=rsasig
    leftrsasigkey=%cert
    leftcert="NUT - IOL"
    rightrsasigkey=%cert
    rightcert="iolintact - IOL"
    type=transport
    ikev2=insist
    ike=3des-sha1;modp1024
    phase2=esp
    phase2alg=3des-sha1
    auto=start
    connaddrfamily=ipv6
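Judgement #2 is a check on two fields of the IKE_AUTH payloads: the ID Type byte of the IDi payload and the Cert Encoding byte of the CERT payload. The following is an added example, not code from the bug report or from libreswan, that walks an IKEv2 payload chain (RFC 7296 generic payload header, ID payload section 3.5, CERT payload section 3.6) and applies that judgement to constructed sample chains; the identity strings and certificate bytes are placeholders, and the constructed chain stops after CERT instead of continuing with AUTH.

```python
import struct

# Identification payload ID Type values (RFC 7296 section 3.5)
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR", 5: "ID_IPV6_ADDR",
            9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID"}
# Certificate payload Cert Encoding values (RFC 7296 section 3.6)
CERT_ENCODINGS = {1: "PKCS #7 wrapped X.509 certificate", 4: "X.509 Certificate - Signature",
                  7: "CRL", 11: "Raw RSA Key", 12: "Hash and URL of X.509 certificate"}
PAYLOAD_NONE, PAYLOAD_IDI, PAYLOAD_CERT = 0, 35, 37


def parse_payload_chain(first_type, data):
    """Walk a chain of IKEv2 payloads. Each starts with the 4-byte generic header
    (Next Payload, C|RESERVED, Payload Length incl. header). Returns [(type, body)]."""
    payloads, ptype, off = [], first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header at offset %d" % off)
        next_type, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        payloads.append((ptype, data[off + 4:off + length]))
        ptype, off = next_type, off + length
    return payloads


def check_judgement_2(first_type, data):
    """IDi must carry ID_RFC822_ADDR (3) and CERT must carry encoding 4."""
    result = {"id_type": None, "cert_encoding": None}
    for ptype, body in parse_payload_chain(first_type, data):
        if ptype == PAYLOAD_IDI and len(body) >= 4:
            result["id_type"] = body[0]        # ID Type, 3 reserved bytes, then ID data
            result["id_data"] = body[4:]
        elif ptype == PAYLOAD_CERT and body:
            result["cert_encoding"] = body[0]  # Cert Encoding, then certificate data
    result["id_type_name"] = ID_TYPES.get(result["id_type"], "unknown")
    result["cert_encoding_name"] = CERT_ENCODINGS.get(result["cert_encoding"], "unknown")
    result["passed"] = result["id_type"] == 3 and result["cert_encoding"] == 4
    return result


def build_payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_idi_cert_chain(id_type, id_data, cert_encoding, cert_data):
    """Constructed IDi + CERT chain as it would sit inside SK {...}; ends with Next Payload 0."""
    idi = build_payload(PAYLOAD_CERT, bytes([id_type, 0, 0, 0]) + id_data)
    cert = build_payload(PAYLOAD_NONE, bytes([cert_encoding]) + cert_data)
    return PAYLOAD_IDI, idi + cert


# Constructed samples: the expected RFC822 identity versus the DN identity the report observed.
PASSING = build_idi_cert_chain(3, b"nut@example.test", 4, b"\x30\x82PLACEHOLDER-DER")
FAILING = build_idi_cert_chain(9, b"\x30\x1cPLACEHOLDER-DN", 4, b"\x30\x82PLACEHOLDER-DER")
```

Running check_judgement_2 over a real IKE_AUTH requires decrypting the SK payload first; this example only covers the plaintext payload chain inside it.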
*** This bug has been marked as a duplicate of bug 1324421 ***