=Comment: #0================================================= TYLER C. HICKS <tchicks.com> - 2008-04-17 15:02 EDT
---Problem Description---
openswan doesn't recognize null authentication algorithm for esp (phase2alg=ENC-null).

Contact Information = Tyler Hicks <tyhicks.ibm.com>

---uname output---
Linux eal5.ltc.austin.ibm.com 2.6.18-88.el5 #1 SMP Tue Apr 1 19:01:20 EDT 2008 i686 i686 i386 GNU/Linux

Machine Type = Xseries 335

---Debugger---
A debugger is not configured

---Steps to Reproduce---
/etc/ipsec.conf
--------------------------
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        plutodebug="all"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes

conn i386-i386
        left=9.3.190.198
        right=9.3.190.196
        ikev2=insist
        phase2=esp
        phase2alg=aes128-null
        authby=secret
        auto=add
--------------------------

To reproduce:
--------------------------
[root@eal5 ~]# ipsec auto --verbose --up i386-i386
000 initiating all conns with alias='i386-i386'
021 no connection named "i386-i386"
--------------------------

The connection is invalid because the null authentication algorithm for esp isn't found.

---Security Component Data---
Userspace tool common name: openswan
The userspace tool has the following bit modes: 32
Userspace rpm: openswan-2.6.11-1.el5

=Comment: #1================================================= TYLER C. HICKS <tchicks.com> - 2008-04-17 15:06 EDT
/var/log/secure showing failure to use null auth alg

=Comment: #2================================================= TYLER C. HICKS <tchicks.com> - 2008-04-17 15:09 EDT
RFC 4305 states that a NULL Auth Alg is required for compliance. Also important is that we don't allow a user to use NULL for Encr and Auth on the same connection.

----------------------
3.1.1.  ESP Encryption and Authentication Algorithms

   These tables list encryption and authentication algorithms for the
   IPsec Encapsulating Security Payload protocol.

   <snip>

      Requirement    Authentication Algorithm (notes)
      -----------    ------------------------
      MUST           HMAC-SHA1-96 [RFC2404]
      MUST           NULL (1)
      SHOULD+        AES-XCBC-MAC-96 [RFC3566]
      MAY            HMAC-MD5-96 [RFC2403] (2)

   Notes:

      (1) Since ESP encryption and authentication are optional, support
          for the two "NULL" algorithms is required to maintain
          consistency with the way these services are negotiated.  Note
          that while authentication and encryption can each be "NULL",
          they MUST NOT both be "NULL".
----------------------
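The two requirements raised in comment #2 (accept "null" as an ESP authentication algorithm, but never accept NULL encryption together with NULL authentication) can be checked at configuration-parse time. The following is an added illustration written for this thread, not openswan's own phase2alg parser: it parses a phase2alg value of the form used above (comma-separated ENC[keylen]-AUTH pairs with an optional ";modpNNNN" PFS suffix) against a deliberately small, assumed set of algorithm names and rejects the NULL/NULL combination that RFC 4305 forbids.

```python
"""Checker for openswan-style phase2alg ESP proposals (added example).

Illustration only, not openswan's parser. It recognises the token "null"
on either side of an ENC-AUTH pair, as the patch in this thread does, and
enforces the RFC 4305 section 3.1.1 rule that encryption and
authentication MUST NOT both be NULL.
"""
import re

# Assumed, deliberately small algorithm tables; openswan's real tables are
# larger and live in its own source.
ENC_ALGS = {"aes", "3des", "null"}
AUTH_ALGS = {"sha1", "md5", "null"}

# ENC, optional AES key length, '-', AUTH.  The lazy group lets "aes128"
# split into "aes" + "128" while "3des" and "null" carry no length.
_PAIR = re.compile(r"^([a-z0-9]+?)(128|192|256)?-([a-z0-9_]+)$")


class ProposalError(ValueError):
    """Raised for a proposal string that must not be accepted."""


def parse_pair(text):
    """Parse one 'ENC[keylen]-AUTH' pair such as 'aes128-null'.

    Returns (enc, keylen_or_None, auth).  Raises ProposalError for an
    unknown name, a key length on a non-AES cipher, or NULL/NULL.
    """
    m = _PAIR.match(text.strip().lower())
    if not m:
        raise ProposalError(f"malformed ESP proposal {text!r}")
    enc, keylen, auth = m.group(1), m.group(2), m.group(3)
    if enc not in ENC_ALGS:
        raise ProposalError(f"unknown encryption algorithm {enc!r}")
    if auth not in AUTH_ALGS:
        raise ProposalError(f"unknown authentication algorithm {auth!r}")
    if keylen is not None and enc != "aes":
        raise ProposalError(f"key length given for non-AES cipher {enc!r}")
    # RFC 4305 note (1): each side may be NULL, but not both at once.
    if enc == "null" and auth == "null":
        raise ProposalError("ESP with NULL encryption and NULL "
                            "authentication is forbidden by RFC 4305")
    return enc, int(keylen) if keylen else None, auth


def parse_phase2alg(value):
    """Parse a full phase2alg value: comma-separated pairs plus an
    optional ';modpNNNN' PFS group.  Returns (pairs, pfs_group_or_None).
    """
    body, _, group = value.partition(";")
    group = group.strip() or None
    if group is not None and not re.fullmatch(r"modp\d+", group):
        raise ProposalError(f"unknown PFS group {group!r}")
    pairs = [parse_pair(p) for p in body.split(",") if p.strip()]
    if not pairs:
        raise ProposalError("empty phase2alg")
    return pairs, group


def is_acceptable(value):
    """True when every proposal parses and none of them is NULL/NULL."""
    try:
        parse_phase2alg(value)
    except ProposalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, including the one from this bug report.
    for candidate in ("aes128-null", "null-sha1", "null-null",
                      "3des-sha1,aes256-md5;modp1024"):
        state = "ok" if is_acceptable(candidate) else "rejected"
        print(f"{candidate:32} -> {state}")
```

With these rules "aes128-null" (the value from the report) and "null-sha1" both parse, while "null-null" is rejected before any SA is ever proposed to the peer, which is the check comment #2 asks for.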
Created attachment 302806: /var/log/secure showing failure to use null auth alg
Created attachment 303965: Add conf-only ESP support

This patch adds support for confidentiality-only ESP by recognising the string "null" in ESP algorithm specifications. Only tested between Openswan and itself as Strongswan doesn't seem to support this either (and I don't have a racoon close by to test :)
------- Comment From tchicks.com 2008-04-30 17:13 EDT------- Red Hat - Can we get confirmation that a fix for this bug is targeted for the zstream release? Thanks!
Yes, Herbert's patch (see comment #5) is targeted for zstream.
This patch will be in openswan 2.6.13
2.6.14rc7-1 was built to address the problem being reported.
------- Comment From tchicks.com 2008-06-05 14:30 EDT------- I have verified this bug fix between i386 and ppc using openswan-2.6.14rc7, built from source from openswan.org. I can't find the RPM that Red Hat built.
------- Comment From tchicks.com 2008-06-18 18:25 EDT------- Changing status to FIXEDAWAITINGTEST on IBM's side.

------- Comment From tchicks.com 2008-06-18 18:25 EDT------- Changing status to TESTED on IBM's side.

------- Comment From tchicks.com 2008-06-18 18:25 EDT------- Changing status to ACCEPTED on IBM's side.

------- Comment From tchicks.com 2008-06-18 18:26 EDT------- Changing status to CLOSED on IBM's side. I verified the official openswan-2.6.14-1.el5_2.1 rpm between i386 and ppc.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1350.html