Created attachment 1200717
libreswan-3.15-6.pcap

Test case link:
Test IKEv2.EN.R.1.2.2.1, Page 458 at https://www.ipv6ready.org/docs/Phase2_IKEv2_Conformance_Latest.pdf

Purpose:
To verify an IKEv2 device retransmits CREATE_CHILD_SA request using properly Header and Payloads format

References:
[RFC 4306] - Sections 2.1, 2.2 and 2.4

    NUT           TN1
(End-Node)    (End-Node)
    |             |
    |<------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |             | (Packet #1)
    |------------>| IKE_SA_INIT response (HDR, SAr1, KEr, Nr)
    |             | (Judgment #1)
    |             |
    |<------------| IKE_AUTH request (HDR, SK {IDi, AUTH, N+, SAi2, TSi, TSr})
    |             | (Packet #2)
    |------------>| IKE_AUTH response (HDR, SK {IDr, AUTH, N+, SAr2, TSi, TSr})
    |             | (Judgment #2)
    |             |
    |<------------| CREATE_CHILD_SA request (HDR, SK {N, N+, SA, Ni, TSi, TSr})
    |             | (Packet #3)
    |------------>| CREATE_CHILD_SA response (HDR, SK {N, N+, SA, Nr, TSi, TSr})
    |             | (Judgment #3)
    |             |
    |             * wait until retrans timer expires
    |-------X     | CREATE_CHILD_SA response (HDR, SK {N, N+, SA, Nr, TSi, TSr})
    |             | (Judgment #4)
    |             |
    |<------------| CREATE_CHILD_SA request (HDR, SK {N, N+, SA, Ni, TSi, TSr})
    |             | (Packet #4)
    |------------>| CREATE_CHILD_SA response (HDR, SK {N, N+, SA, Nr, TSi, TSr})
    |             | (Judgment #5)
    |             |
    V             V

N: REKEY_SA
N+: USE_TRANSPORT_MODE

Version-Release number of selected component (if applicable):
libreswan-3.15-6.el7.x86_64

How reproducible:
always

Actual results:
Failed at Judgement #5
During the test, the device successfully completes the IKE_SA_INIT and IKE_AUTH exchanges. After receiving the retransmitted CREATE_CHILD_SA request, the device transmits an IKE_SA_INIT response.

Expected results:
The device should have only retransmitted a CREATE_CHILD_SA response after receiving a retransmitted CREATE_CHILD_SA request.

Additional info:
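The check behind Judgment #5, as an added example that is not part of the original report and not libreswan or test-suite code: it parses the fixed IKE header of each UDP/500 payload in capture order and reports any response whose exchange type and Message ID do not answer the most recent request. It assumes a single IKE SA exchanged in lock step; the SPIs, the bare headers without payloads and the Message ID of the stray IKE_SA_INIT response are constructed.

```python
import struct

# Fixed IKE header (RFC 7296, section 3.1): SPIi, SPIr, next payload,
# version, exchange type, flags, Message ID, length.
IKE_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20

def parse_header(datagram):
    """Parse the 28-byte IKE header at the start of a UDP/500 payload."""
    if len(datagram) < IKE_HDR.size:
        raise ValueError("datagram shorter than an IKE header")
    _spi_i, _spi_r, _np, version, exch, flags, msg_id, _len = IKE_HDR.unpack_from(datagram)
    if version >> 4 != 2:
        raise ValueError("not an IKEv2 message")
    return exch, bool(flags & FLAG_RESPONSE), msg_id

def check_responses(datagrams):
    """Flag every response that does not answer the most recent request."""
    findings, last_request = [], None
    for index, raw in enumerate(datagrams, start=1):
        exch, is_response, msg_id = parse_header(raw)
        if not is_response:
            last_request = (exch, msg_id)
        elif last_request != (exch, msg_id):
            want = "nothing" if last_request is None else \
                f"{EXCHANGE.get(last_request[0], last_request[0])} id={last_request[1]}"
            findings.append(f"datagram {index}: got {EXCHANGE.get(exch, exch)} "
                            f"id={msg_id} response, expected {want}")
    return findings

def header(exch, flags, msg_id):
    """Build a bare header for the constructed samples (payloads omitted)."""
    return IKE_HDR.pack(b"\x11" * 8, b"\x22" * 8, 0, 0x20, exch, flags, msg_id, IKE_HDR.size)

REQ, RSP = FLAG_INITIATOR, FLAG_RESPONSE
# Constructed traces; the Message ID of the stray IKE_SA_INIT response is assumed.
SETUP = [header(34, REQ, 0), header(34, RSP, 0), header(35, REQ, 1), header(35, RSP, 1),
         header(36, REQ, 2), header(36, RSP, 2), header(36, REQ, 2)]  # last one: retransmit
EXPECTED_TRACE = SETUP + [header(36, RSP, 2)]
REPORTED_TRACE = SETUP + [header(34, RSP, 0)]

if __name__ == "__main__":
    print(check_responses(EXPECTED_TRACE))
    print(check_responses(REPORTED_TRACE))
```

To run it against a real capture, feed `check_responses` the UDP payloads in packet order, skipping the 4-byte non-ESP marker if the traffic is on port 4500.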
Jianwen, is it possible to re-test this with the latest version of libreswan (libreswan-3.23-1.el7)?
Thanks for testing!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0932
Sorry to comment again. Does this bug only happen under IPv6?