Bug 468353 - [TAHI] IPSec Test, select SPD failure for ICMP type
[TAHI] IPSec Test, select SPD failure for ICMP type
Status: CLOSED DUPLICATE of bug 363521
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipsec-tools (Show other bugs)
5.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-10-24 05:54 EDT by wang jiabo
Modified: 2008-10-29 03:34 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-10-29 03:34:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description wang jiabo 2008-10-24 05:54:57 EDT
Description of problem:
when ESP=3DES-CBC and HMAC-SHA1, IPSec is failed to select SPD for ICMP type 
see RFC4301 section 4.4.1.1, 4.4.1.3 C and section 6 

Version-Release number of selected component (if applicable):
ipsec-tools-0.6.5.13.el5

How reproducible:
everytime

Steps to Reproduce:
1.
2.
3.
  
Actual results:
when no-error messages in ICMP, ICMP messages did not be accounted for 
using SPD entries

Expected results:
ICMP messages must be accounted for using SPD entries

Additional info:
tcpdump did not get any packets
Comment 1 Tomas Mraz 2008-10-24 06:03:23 EDT
Could you please give detailed instructions on how to reproduce the problem?

I am also afraid that I do not quite understand the meaning of some phrases of the bug report due to bad translation to english.
Comment 2 Lawrence Lim 2008-10-24 14:29:29 EDT
llim->jiabwang: prolly some specific example would help.
Comment 5 wang jiabo 2008-10-28 22:16:42 EDT
I use the TAHI cases to test the IPsec between 2 hosts on transport mode(please see the following info.), one is NUT(RHEL5.3),another is TN(FreeBSD7.0)






16:21:36	Start Capturing Packets (Link0)

	Target: Set SAD entries: src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" spi=0x1000 mode=transport protocol=esp ealgo=3des-cbc ealgokey=ipv6readylogo3descbcin01 eauth=hmac-sha1 eauthkey=ipv6readylogsha1in01 unique=10000
16:21:36 	vRemote(ipsecSetSAD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSAD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" spi=0x1000 mode=transport protocol=esp ealgo=3des-cbc ealgokey=ipv6readylogo3descbcin01 eauth=hmac-sha1 eauthkey=ipv6readylogsha1in01 unique=10000 ''

Connected
prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) ''
rLogin: Wait for login prompt (0.2 sec)...
rLogin: Never got prompt; try again
rLogin: Wait for login prompt (50 sec)...

[root@ipv6test2 ~]# rLogin: Got command prompt
rLogin: Got command prompt
_rCommand: Try to get command prompt (0.2 sec.)
_rCommand: (\$|#) 
_rCommand: command prompt...
_rCommand: Try to get command prompt (30 sec.)
_rCommand: (\$|#) 

[root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -u 10000 -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c'' command
/bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:5 01:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -u 10000 -E 3des-cbc "ipv6re adylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c
3ffe:501:ffff:1::1 3ffe:501:ffff:0:21d:fff:fe0f:be4e 
	esp mode=transport spi=4096(0x00001000) reqid=10000(0x00002710)
	E: 3des-cbc  69707636 72656164 796c6f67 6f336465 73636263 696e3031
	A: hmac-sha1  69707636 72656164 796c6f67 73686131 696e3031
	seq=0x00000000 replay=0 flags=0x00000000 state=mature 
	created: Oct 29 00:19:15 2008	current: Oct 29 00:19:15 2008
	diff: 0(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=3440 refcnt=0
[root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -u 10000 -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c
rCommand: Try to get command prompt (0.2 sec)
rCommand: CmdOutput=``/bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:5 01:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -u 10000 -E 3des-cbc "ipv6re adylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c
3ffe:501:ffff:1::1 3ffe:501:ffff:0:21d:fff:fe0f:be4e 
	esp mode=transport spi=4096(0x00001000) reqid=10000(0x00002710)
	E: 3des-cbc  69707636 72656164 796c6f67 6f336465 73636263 696e3031
	A: hmac-sha1  69707636 72656164 796c6f67 73686131 696e3031
	seq=0x00000000 replay=0 flags=0x00000000 state=mature 
	created: Oct 29 00:19:15 2008	current: Oct 29 00:19:15 2008
	diff: 0(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=3440 refcnt=0
[root@ipv6test2 ~]''
echo $?
0
[root@ipv6terCommand: exit status: 0
~
[EOT]


	Target: Set SPD entries: src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" upperspec=icmp6 icmp6_type=128 icmp6_code=0 direction=in protocol=esp-auth mode=transport level=unique unique=10000
16:21:41 	vRemote(ipsecSetSPD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSPD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" upperspec=icmp6 icmp6_type=128 icmp6_code=0 direction=in protocol=esp-auth mode=transport level=unique unique=10000 ''

Connected
upperspec must be one of any|tcp|udp
ipsecSetSPD.rmt [parameters]
parameters:
src=source address
dst=destination address
sport=source port (default:any)
dport=destination port (default:any)
upperspec={any|tcp|udp} (default:any)
direction={in|out}
protocol={ah|esp|ah-esp}
mode={transport|tunnel}
policy={ipsec|none|discard} (default:ipsec)
tsrc=tunnel entry address
tdst=tunnel exit address
unique=unique ID for MIPv6 configuration
~
[EOT]


	Cannot Set SPD entries: src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" upperspec=icmp6 icmp6_type=128 icmp6_code=0 direction=in protocol=esp-auth mode=transport level=unique unique=10000
NG
16:21:41	End
Comment 6 Tomas Mraz 2008-10-29 03:34:42 EDT
This is a duplicate of already reported problem. The problem is in the test suite as the ipsecSetSPD.rmt is part of the test suite and not part of the ipsec-tools package.

*** This bug has been marked as a duplicate of bug 363521 ***

Note You need to log in before you can comment on or make changes to this bug.