Description of problem:
When running ipsecv6 tests for the software gateway mode, we found that TN received echo request from HOST-4(TN) to HOST-1(TN) via SGW(NUT) in some scenarios.

Version-Release number of selected component (if applicable):
kernel-2.6.18-43.el5

Software Environment:
Testee(NUT): RHEL5, Kernel: 2.6.18-43.el5
Tester(TN): FreeBSD6.2, v6eval-3.0.12.tar.gz
TAHI package: IPsec_Self_Test_P2_1-1-1.tar.gz

How reproducible:
every time

Steps to Reproduce:
1. Configure TAHI test environment.
2. Run the TAHI test suite.
3. After the test completes, check for the results.

Actual results:
TN should receive no echo request from HOST-4(TN) to HOST-1(TN) via SGW(NUT)

Expected results:
TN received echo request from HOST-4(TN) to HOST-1(TN) via SGW(NUT)

Additional info:
Please refer to http://focus.brisbane.redhat.com/~zwu/ipsec_sgw/20071022/IPsec_Self_Test_P2_1-1-1_sgw/ipsec.p2/index.html
(1) 11 6.1.9 Discard, ESP=3DES-CBC HMAC-SHA1
Also about it: when NUT is set to the host mode, please refer to the URL below:
http://focus.brisbane.redhat.com/~zwu/ipsec_endnode/20071028/IPsec_Self_Test_P2_1-1-1_end_node/ipsec.p2/index.html
(1) 9 5.1.7 Discard, ESP=3DES-CBC HMAC-SHA1
The test case still fails on RHEL5.2. For more details, please refer to http://focus.brisbane.redhat.com/~zwu/RHEL5.2-Server-20080212.0/20080220/IPsec_Self_Test_P2_1-1-2_end_node/ipsec.p2/9.html
Created attachment 304614 the test result about ipsec Discard, ESP=3DES-CBC HMAC-SHA1, this is the test for RHEL520430 ipsec-tools-0.6.5-9.el5 kernel 2.6.18-92.el5 on an i686
Thomas, is the discard policy supported in the kernel? Discard, ESP=3DES-CBC HMAC-SHA1
Yes, although it is blocked not discarded. This test fails because the command invoked to configure the discard policy does not succeed due to a syntax error in the selector. It's a bug in either ipsec-tools or the test script.
Thanks Thomas. Moving to ipsec-tools based on Comment #8 for further review. FYI: Discard is one of the required options in IPsec conformance.
Created attachment 304833 ps format result the test result about ipsec Discard, ESP=3DES-CBC HMAC-SHA1, this is the test for RHEL520430 ipsec-tools-0.6.5-9.el5 kernel 2.6.18-92.el5 on an i686
Adding yshao to the cc list as the manager of the disabled user zwu who reported this bug
This is a bug in the test scripts. The command given to setkey,

    spdadd any any any -P in discard

is wrong. The correct specification of any IPv6 address is ::/0, thus the command should be:

    spdadd ::/0 ::/0 any -P in discard

For any IPv4 address you should use 0.0.0.0/0.

Note that discard means the packets will be discarded, so the machine will not be reachable over the network anymore, so I am curious how these test scripts are supposed to work.
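An added example, not part of the bug thread, the TAHI scripts or ipsec-tools: a pre-flight check a test harness could run on each `spdadd` line before handing it to setkey, so that a rejected selector such as `any` is reported as a configuration error rather than showing up later as a policy that fails to discard. It assumes the simplified form `spdadd [-46n] src_range dst_range upperspec -P direction policy` and accepts only the `discard`, `none` and `ipsec` policy keywords; the function names are hypothetical.

```python
import ipaddress
import re

# src_range / dst_range per setkey(8): address[/prefixlen][[port]]
_RANGE = re.compile(r"^(?P<addr>[^/\[\]]+)(?:/(?P<plen>\d+))?(?:\[(?P<port>[^\]]+)\])?$")


def check_range(token):
    """Return (ip_version, None) for a valid range, else (None, error text)."""
    m = _RANGE.match(token)
    if not m:
        return None, f"malformed range {token!r}"
    try:
        addr = ipaddress.ip_address(m["addr"])
    except ValueError:
        return None, f"{token!r} is not an IP address; use ::/0 or 0.0.0.0/0 for any"
    if m["plen"] is not None and int(m["plen"]) > addr.max_prefixlen:
        return None, f"prefix length in {token!r} exceeds {addr.max_prefixlen}"
    return addr.version, None


def check_spdadd(line):
    """Return the list of problems in one spdadd line; an empty list means it passed."""
    args = line.strip().rstrip(";").split()
    if not args or args.pop(0) != "spdadd":
        return ["not an spdadd command"]
    while args and re.fullmatch(r"-[46n]+", args[0]):  # optional leading flags
        args.pop(0)
    if len(args) < 6 or args[3] != "-P":
        return ["expected: spdadd src_range dst_range upperspec -P direction policy"]
    src, dst, _upperspec, _, direction, policy = args[:6]
    problems, families = [], []
    for name, token in (("source", src), ("destination", dst)):
        version, err = check_range(token)
        if err:
            problems.append(f"{name}: {err}")
        else:
            families.append(version)
    if len(families) == 2 and families[0] != families[1]:
        problems.append("source and destination are different address families")
    if direction not in ("in", "out", "fwd"):
        problems.append(f"unknown direction {direction!r}")
    if policy not in ("discard", "none", "ipsec"):
        problems.append(f"unknown policy {policy!r}")
    return problems


if __name__ == "__main__":
    # Both lines are the commands quoted in the thread: the failing one, then the fix.
    for cmd in ("spdadd any any any -P in discard;", "spdadd ::/0 ::/0 any -P in discard;"):
        print(cmd, "->", check_spdadd(cmd) or "OK")
```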