Bug 447419 - openswan ships with OE enabled by accident
Summary: openswan ships with OE enabled by accident
Alias: None
Product: Fedora
Classification: Fedora
Component: openswan
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Steve Conklin
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2008-05-19 20:59 UTC by Paul Wouters
Modified: 2009-01-23 16:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-01-23 16:02:58 UTC
Type: ---


Description Paul Wouters 2008-05-19 20:59:31 UTC
Description of problem:
openswan 2.6.09-2.fc9 ships with Opportunistic Encryption (OE) enabled while
using the netkey(xfrm) stack. This is causing connection failures.

Version-Release number of selected component (if applicable):

Additional info:

Add oe=off to the section "config setup" in /etc/ipsec.conf

Comment 1 Paul Wouters 2008-05-19 21:00:11 UTC
note that in openswan-2.4.x the oe= option did not exist, and OE was disabled by
including /etc/ipsec.d/examples/no_oe.conf.

Comment 2 Paul Wouters 2008-05-20 04:12:07 UTC
note: openswan-2.6.9 has broken IKEv2 code. It is incompatible with other IKEv2
daemons and with openswan-2.6.12+. Please use 2.6.13 (or 2.6.14 when available)

patch4 also breaks dynamic clients using left=%defaultroute. please remove that
broken patch.

Comment 3 Paul Wouters 2008-10-09 21:01:11 UTC
- I see that oe=off is still not enabled in the ipsec.conf :(

- There is no virtual_private= defined, so it won't work as a client behind NAT

- Many fixes between 2.6.14 - 2.6.18, should really update the entire package. See CHANGES

- openswan-2.6-intwarning.patch breaks certain setups and should really NOT be applied to the package anymore.

- why not Buildrequires: xmlto so we can build up to date man pages from xml?
  openswan-2.6-noxmlto.patch should go away IMHO

Comment 4 Paul Wouters 2008-10-09 21:33:25 UTC
I just checked openswan-2.6.18-1.fc10

- openswan-2.6.16-initscript-correction.patch will cause breaking with NFS mounts via IPsec. (obviously /usr is a problem, but others don't have to be)

- oe=off should still be added

- virtual_private= with RFC1918 space should still be added (see man ipsec.conf)

- openswan-2.6-intwarning.patch is still an urgent problem
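
The two "config setup" options the reporter asks for in the description and in comments 3 and 4 (oe=off and a virtual_private= covering RFC1918 space), shown as an added example that is not part of this bug report or of the openswan package. The script below is a small POSIX-shell audit: it extracts the "config setup" section of an ipsec.conf and reports whether oe=off and a non-empty virtual_private= are present. Both sample files are constructed for illustration (a file resembling the shipped default, and the same file with the two options added); the local LAN excluded via %v4:! is assumed to be 192.168.1.0/24.

```shell
#!/bin/sh
# Added example (not from the bug report or the openswan package): audit an
# ipsec.conf for the two "config setup" options requested in this bug,
# oe=off and a non-empty virtual_private=.

# Prints "ok" and returns 0 when "config setup" contains oe=off and a
# non-empty virtual_private=; otherwise prints what is missing and returns 1.
check_ipsec_conf() {
    conf="$1"
    # Keep only the "config setup" section: from its header up to the next
    # "conn ..." or "config ..." header, with comments and whitespace removed.
    setup=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf" |
        awk '/^config setup$/ {insec=1; next}
             /^(conn|config)[[:space:]]/ {insec=0}
             insec && NF {print}')
    missing=""
    printf '%s\n' "$setup" | grep -qx 'oe=off' || missing="$missing oe=off"
    printf '%s\n' "$setup" | grep -q '^virtual_private=..*' || missing="$missing virtual_private="
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing in 'config setup':$missing"
    return 1
}

# Constructed sample 1: resembles the shipped default that triggered the bug
# (netkey stack, no oe=off, no virtual_private=).
shipped=$(mktemp)
fixed=$(mktemp)
trap 'rm -f "$shipped" "$fixed"' EXIT
cat >"$shipped" <<'EOF'
version 2.0
config setup
	protostack=netkey
	nat_traversal=yes
	interfaces=%defaultroute

conn %default
	keyingtries=3
EOF

# Constructed sample 2: the same file with the two requested options.
# The excluded local LAN (192.168.1.0/24) is an assumption for this example.
cat >"$fixed" <<'EOF'
version 2.0
config setup
	protostack=netkey
	nat_traversal=yes
	interfaces=%defaultroute
	# disable Opportunistic Encryption
	oe=off
	# RFC1918 space a NATed peer may use; %v4:! excludes our own LAN
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn %default
	keyingtries=3
EOF

# Stand-alone demo: audit both files.
check_ipsec_conf "$shipped" || true   # prints: missing in 'config setup': oe=off virtual_private=
check_ipsec_conf "$fixed"             # prints: ok
```

Point check_ipsec_conf at the real /etc/ipsec.conf to audit an installed package; the awk section extraction is deliberately strict about the "config setup" header so options placed under a conn section are not mistaken for global ones.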

Comment 5 Paul Wouters 2008-10-09 21:39:15 UTC
- Why compile with USE_LWRES=false ? It would be better to BuildRequire: bind-devel. We haven't been testing with USE_LWRES=false for about a year now, as it is the obsolete resolving method (we need lwres for non-blocking dns helper threads and for DNSSEC)

Comment 6 Paul Wouters 2008-10-09 22:18:07 UTC
- License: GPLv2+

That's wrong. The license is v2, not v2+
It is also partially BSD license for some crypto code.

Comment 7 Paul Wouters 2008-10-09 22:21:26 UTC
- rm -rf programs/readwriteconf

why is that done? readwriteconf is only used when running 'make check'?

Comment 8 Paul Wouters 2009-01-23 16:02:58 UTC
original bug is closed, the rest is just chatter that does not really matter anymore.
