Bug 1574939 - IKEv2 VPN connections fail to use DNS servers provided by the server
Summary: IKEv2 VPN connections fail to use DNS servers provided by the server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: strongswan
Version: 28
Hardware: All
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Pavel Šimerda
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1564529 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-04 11:47 UTC by Marian Kechlibar
Modified: 2018-10-06 05:26 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-06 05:26:46 UTC
Type: Bug


Attachments (Terms of Use)

Description Marian Kechlibar 2018-05-04 11:47:43 UTC
Fedora 28, strongswan-5.6.2-2.

Upon connecting to a IKEv2 VPN gateway, charon-nm fails to parse the provided DNS addresses correctly and fills in random garbage. As a result, no server names in the private network can be resolved.

This is a known problem fixed by a specific patch in the 5.6.2 version, but the patch seems to be forgotten/omitted during build of the Fedora RPM.

The following one-liner should fix the problem.

https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=ee8c2551

Comment 1 Pavel Šimerda 2018-05-04 12:00:45 UTC
(In reply to Marian Kechlibar from comment #0)
> the patch seems to be forgotten/omitted during build of the Fedora RPM.

What do you mean by forgotten/omitted during build?

Comment 2 Marian Kechlibar 2018-05-04 12:03:17 UTC
(In reply to Pavel (pavlix) Šimerda from comment #1)
> (In reply to Marian Kechlibar from comment #0)
> > the patch seems to be forgotten/omitted during build of the Fedora RPM.
> 
> What do you mean by forgotten/omitted during build?

I mean that charon-nm behaves exactly as expected if the patch was not there. I haven't checked the actual Fedora sources, though. I definitely did not mean to attribute any guilt to anyone or so.

BTW Ubuntu 18.04 has precisely the same problem. In Debian the RPM was already patched.

Comment 3 Pavel Šimerda 2018-05-04 12:06:08 UTC
No problem.

Comment 4 Assen Totin 2018-05-08 22:34:14 UTC
Absolutely confirming the bug. After F27->F28 upgrade all previously working IPSec VPNs are broken this very way. Why is this big still "NEW"? When to expect a fix?

Comment 5 Marian Kechlibar 2018-05-09 08:11:13 UTC
I was able to fix the problem on my computer by downloading the source RPM, extracting it, patching the faulty line (it is indeed a one-liner), recompiling the RPM from the patched source and reinstalling the patched package. That is beyond a typical user's ability, though.

Pavlix asked me to join a special IIRC channel and submit a Pull request, I will do so when I find the necessary time, probably tomorrow.

Comment 6 Mirek Svoboda 2018-05-25 07:16:20 UTC
*** Bug 1564529 has been marked as a duplicate of this bug. ***

Comment 7 Mirek Svoboda 2018-05-25 07:28:42 UTC
I confirm that the build [strongswan-5.6.2-6.fc28](https://bodhi.fedoraproject.org/updates/FEDORA-2018-3731a89e20) fixes this issue.

Comment 8 Mikhail Zabaluev 2018-10-06 05:26:46 UTC
Fixed since strongswan-5.6.2-6.


Note You need to log in before you can comment on or make changes to this bug.