Bug 447419 - openswan ships with OE enabled by accident
Product: Fedora
Classification: Fedora
Component: openswan
Platform: All Linux
Priority: urgent
Severity: urgent
Assigned To: Steve Conklin
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-19 16:59 EDT by Paul Wouters
Modified: 2009-01-23 11:02 EST
Doc Type: Bug Fix
Last Closed: 2009-01-23 11:02:58 EST
Attachments: None

Description Paul Wouters 2008-05-19 16:59:31 EDT
Description of problem:
openswan 2.6.09-2.fc9 ships with Opportunistic Encryption (OE) enabled while
using the netkey (xfrm) stack. This is causing connection failures.

Version-Release number of selected component (if applicable):

Additional info:

Add oe=off to the section "config setup" in /etc/ipsec.conf
Comment 1 Paul Wouters 2008-05-19 17:00:11 EDT
note that in openswan-2.4.x the oe= option did not exist, and OE was disabled by
including /etc/ipsec.d/examples/no_oe.conf.
Comment 2 Paul Wouters 2008-05-20 00:12:07 EDT
note: openswan-2.6.9 has broken IKEv2 code. It is incompatible with other IKEv2
daemons and with openswan-2.6.12+. Please use 2.6.13 (or 2.6.14 when available)

patch4 also breaks dynamic clients using left=%defaultroute. please remove that
broken patch.
Comment 3 Paul Wouters 2008-10-09 17:01:11 EDT
- I see that oe=off is still not enabled in the ipsec.conf :(

- There is no virtual_private= defined, so it won't work as client behind NAT

- Many fixes between 2.6.14 - 2.6.18, should really update the entire package. See CHANGES

- openswan-2.6-intwarning.patch breaks certain setups and should really NOT be applied to the package anymore.

- why not Buildrequires: xmlto so we can build up to date man pages from xml?
  openswan-2.6-noxmlto.patch should go away IMHO
Comment 4 Paul Wouters 2008-10-09 17:33:25 EDT
I just checked openswan-2.6.18-1.fc10

- openswan-2.6.16-initscript-correction.patch will cause breaking with NFS mounts via IPsec. (obviously /usr is a problem, but others don't have to be)

- oe=off should still be added

- virtual_private= with RFC1918 space should still be added (see man ipsec.conf)

- openswan-2.6-intwarning.patch is still an urgent problem
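The two "config setup" items repeated across the description and comments 3 and 4 (oe=off, and a virtual_private= that covers RFC1918 space) are easy to check for mechanically. The script below is an added example written for this page; it is not part of the bug report or of the Fedora openswan package. The function names (setup_value, oe_disabled, has_rfc1918_virtual_private, audit_ipsec_conf) are invented here, and the two sample ipsec.conf files are constructed for the example: one in the spirit of the shipped default with no oe= line, one with the fix applied. The parsing follows the ipsec.conf rules that section headers start in column 0 and parameters are indented.

```shell
#!/bin/sh
# Added example, not from the bug report or the Fedora openswan package:
# audit an openswan 2.6 style ipsec.conf for the two "config setup" settings
# discussed above (oe=off and an RFC1918 virtual_private=). Function names
# and the sample configs are constructed for this example.

# Print the value of KEY ($2) from the "config setup" section of FILE ($1),
# or nothing if it is absent. ipsec.conf syntax: section headers start in
# column 0, parameters are indented, '#' starts a comment.
setup_value() {
    awk -v key="$2" '
        # a non-indented, non-comment line begins a new section
        /^[^[:space:]#]/ { insetup = ($0 ~ /^config[[:space:]]+setup[[:space:]]*$/); next }
        insetup && /^[[:space:]]+[^#]/ && index($0, "=") {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", k)
            sub(/[[:space:]]*#.*$/, "", v)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# True when OE is explicitly turned off. openswan 2.6 enables OE unless told
# otherwise; the report asks for oe=off, the other boolean spellings are
# accepted here too.
oe_disabled() {
    case "$(setup_value "$1" oe)" in
        off|no|false|0) return 0 ;;
        *) return 1 ;;
    esac
}

# True when virtual_private= names all three RFC1918 blocks, which a client
# behind NAT needs (comments 3 and 4 above).
has_rfc1918_virtual_private() {
    vp=$(setup_value "$1" virtual_private)
    for net in %v4:10.0.0.0/8 %v4:172.16.0.0/12 %v4:192.168.0.0/16; do
        case "$vp" in *"$net"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Human-readable report for one file.
audit_ipsec_conf() {
    if oe_disabled "$1"; then
        echo "$1: oe=off, Opportunistic Encryption disabled"
    else
        echo "$1: WARNING oe= is not off, OE is active (the bug above)"
    fi
    if has_rfc1918_virtual_private "$1"; then
        echo "$1: virtual_private= covers RFC1918 space"
    else
        echo "$1: WARNING virtual_private= missing or incomplete, NAT clients will fail"
    fi
}

# Constructed samples: one in the spirit of the shipped default, one fixed.
BROKEN_CONF=$(mktemp) FIXED_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT
cat > "$BROKEN_CONF" <<'EOF'
version 2.0
config setup
    protostack=netkey
    nat_traversal=yes
conn %default
    keyingtries=3
EOF
cat > "$FIXED_CONF" <<'EOF'
version 2.0
config setup
    protostack=netkey
    nat_traversal=yes
    # disable Opportunistic Encryption (the fix requested in this bug)
    oe=off
    # RFC1918 space that NAT'ed clients may come from (see man ipsec.conf)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
conn %default
    keyingtries=3
EOF

audit_ipsec_conf "$BROKEN_CONF"
audit_ipsec_conf "$FIXED_CONF"
```

Run it as-is to see both reports, or point audit_ipsec_conf at a real /etc/ipsec.conf. The awk parser only looks inside the "config setup" section, so an oe=off or virtual_private= line that accidentally landed in a conn section is reported as missing, which is the behaviour pluto would show as well.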
Comment 5 Paul Wouters 2008-10-09 17:39:15 EDT
- Why compile with USE_LWRES=false ? It would be better to BuildRequire: bind-devel. We haven't been testing with USE_LWRES=false for about a year now, as it is the obsolete resolving method (we need lwres for non-blocking dns helper threads and for DNSSEC)
Comment 6 Paul Wouters 2008-10-09 18:18:07 EDT
- License: GPLv2+

That's wrong. The license is v2, not v2+
It is also partially BSD license for some crypto code.
Comment 7 Paul Wouters 2008-10-09 18:21:26 EDT
- rm -rf programs/readwriteconf

why is that done? readwriteconf is only used when running 'make check' ?
Comment 8 Paul Wouters 2009-01-23 11:02:58 EST
original bug is closed, the rest is just chatter that does not really matter anymore.