Description of problem:
When ESP is 3DES-CBC with HMAC-SHA1, IPsec fails to select the SPD entry for the ICMP type; see RFC 4301 sections 4.4.1.1 and 4.4.1.3 C and section 6.

Version-Release number of selected component (if applicable):
ipsec-tools-0.6.5.13.el5

How reproducible:
every time

Steps to Reproduce:
1.
2.
3.

Actual results:
When the ICMP messages are non-error messages, they are not accounted for using SPD entries.

Expected results:
ICMP messages must be accounted for using SPD entries.

Additional info:
tcpdump did not get any packets.
Could you please give detailed instructions on how to reproduce the problem? I am also afraid that I do not quite understand the meaning of some phrases of the bug report due to bad translation to English.
llim->jiabwang: prolly some specific example would help.
I use the TAHI cases to test IPsec between two hosts in transport mode (please see the following info.); one is the NUT (RHEL5.3), the other is the TN (FreeBSD7.0).

16:21:36 Start Capturing Packets (Link0)
Target: Set SAD entries: src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" spi=0x1000 mode=transport protocol=esp ealgo=3des-cbc ealgokey=ipv6readylogo3descbcin01 eauth=hmac-sha1 eauthkey=ipv6readylogsha1in01 unique=10000
16:21:36 vRemote(ipsecSetSAD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSAD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" spi=0x1000 mode=transport protocol=esp ealgo=3des-cbc ealgokey=ipv6readylogo3descbcin01 eauth=hmac-sha1 eauthkey=ipv6readylogsha1in01 unique=10000 ''
Connected
prompt_user: ``login: '', prompt_password: ``Password: '', prompt_command: ``(\$|#) ''
rLogin: Wait for login prompt (0.2 sec)...
rLogin: Never got prompt; try again
rLogin: Wait for login prompt (50 sec)...
[root@ipv6test2 ~]# rLogin: Got command prompt
rLogin: Got command prompt
_rCommand: Try to get command prompt (0.2 sec.)
_rCommand: (\$|#)
_rCommand: command prompt...
_rCommand: Try to get command prompt (30 sec.)
_rCommand: (\$|#) [root@ipv6test2 ~]# _rCommand: Do ``/bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -u 10000 -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c''
command /bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:5
01:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -u 10000 -E 3des-cbc "ipv6re
adylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c
3ffe:501:ffff:1::1 3ffe:501:ffff:0:21d:fff:fe0f:be4e
        esp mode=transport spi=4096(0x00001000) reqid=10000(0x00002710)
        E: 3des-cbc 69707636 72656164 796c6f67 6f336465 73636263 696e3031
        A: hmac-sha1 69707636 72656164 796c6f67 73686131 696e3031
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Oct 29 00:19:15 2008 current: Oct 29 00:19:15 2008
        diff: 0(s) hard: 0(s) soft: 0(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=0 pid=3440 refcnt=0
[root@ipv6test2 ~]# sendMessagesSync: never got /bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:501:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -u 10000 -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c
rCommand: Try to get command prompt (0.2 sec)
rCommand: CmdOutput=``/bin/echo 'add 3ffe:501:ffff:0001:0000:0000:0000:0001 3ffe:5
01:ffff:0:21d:fff:fe0f:be4e esp 0x1000 -m transport -u 10000 -E 3des-cbc "ipv6re
adylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01"; dump;' | setkey -c
3ffe:501:ffff:1::1 3ffe:501:ffff:0:21d:fff:fe0f:be4e
        esp mode=transport spi=4096(0x00001000) reqid=10000(0x00002710)
        E: 3des-cbc 69707636 72656164 796c6f67 6f336465 73636263 696e3031
        A: hmac-sha1 69707636 72656164 796c6f67 73686131 696e3031
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Oct 29 00:19:15 2008 current: Oct 29 00:19:15 2008
        diff: 0(s) hard: 0(s) soft: 0(s)
        last: hard: 0(s) soft: 0(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 0 hard: 0 soft: 0
        sadb_seq=0 pid=3440 refcnt=0
[root@ipv6test2 ~]''
echo $?
0
[root@ipv6terCommand: exit status: 0
~ [EOT]
Target: Set SPD entries: src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" upperspec=icmp6 icmp6_type=128 icmp6_code=0 direction=in protocol=esp-auth mode=transport level=unique unique=10000
16:21:41 vRemote(ipsecSetSPD.rmt) ``/usr/local/v6eval//bin/rhel51//ipsecSetSPD.rmt -t rhel51 -u root -p redhat -d cuad0 -o 1 src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" upperspec=icmp6 icmp6_type=128 icmp6_code=0 direction=in protocol=esp-auth mode=transport level=unique unique=10000 ''
Connected
upperspec must be one of any|tcp|udp
ipsecSetSPD.rmt [parameters]
parameters:
  src=source address
  dst=destination address
  sport=source port (default:any)
  dport=destination port (default:any)
  upperspec={any|tcp|udp} (default:any)
  direction={in|out}
  protocol={ah|esp|ah-esp}
  mode={transport|tunnel}
  policy={ipsec|none|discard} (default:ipsec)
  tsrc=tunnel entry address
  tdst=tunnel exit address
  unique=unique ID for MIPv6 configuration
~ [EOT]
Cannot Set SPD entries: src="3ffe:501:ffff:0001:0000:0000:0000:0001" dst="3ffe:501:ffff:0:21d:fff:fe0f:be4e" upperspec=icmp6 icmp6_type=128 icmp6_code=0 direction=in protocol=esp-auth mode=transport level=unique unique=10000
NG
16:21:41 End
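The SPD entry the harness tries to install in the log above (upperspec=icmp6, icmp6_type=128, icmp6_code=0, direction=in, ESP transport, unique 10000) is the ICMP selector RFC 4301 section 4.4.1.1 describes. The following Python model is an added illustration, not code from the bug report, the TAHI suite or ipsec-tools: it shows how such an entry should select traffic, with ICMPv6 type and code folded into one 16-bit selector so that an inbound Echo Request matches while an Echo Reply falls through to the discard default. The addresses and the action string are taken from the log; the SpdEntry class and the packet dict are a constructed representation, not setkey's.

```python
import ipaddress
from dataclasses import dataclass

ICMPV6 = 58   # next-layer protocol number of ICMPv6
ANY = None    # wildcard selector value

@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    direction: str      # "in" or "out"
    proto: object       # next-layer protocol number, or ANY
    icmp_type: object   # ICMPv6 type, or ANY
    icmp_code: object   # ICMPv6 code, or ANY
    action: str         # e.g. "ipsec esp/transport//unique:10000"

    def icmp_range(self):
        """RFC 4301 4.4.1.1: type (high byte) and code (low byte) form one 16-bit selector."""
        if self.icmp_type is ANY:
            return 0, 0xFFFF
        lo = self.icmp_type << 8
        if self.icmp_code is ANY:
            return lo, lo | 0xFF        # fixed type, any code: 256 consecutive values
        return lo | self.icmp_code, lo | self.icmp_code

def matches(entry, pkt):
    """pkt: dict with direction, src, dst, proto and, for ICMPv6, type and code."""
    if entry.direction != pkt["direction"]:
        return False
    if (ipaddress.ip_address(pkt["src"]) not in entry.src
            or ipaddress.ip_address(pkt["dst"]) not in entry.dst):
        return False
    if entry.proto is not ANY and entry.proto != pkt["proto"]:
        return False
    if pkt["proto"] != ICMPV6:
        return True   # the type/code selector only applies to ICMPv6
    lo, hi = entry.icmp_range()
    return lo <= (pkt["type"] << 8 | pkt["code"]) <= hi

def spd_lookup(spd, pkt):
    """Ordered SPD search; RFC 4301 4.4.1 discards traffic no entry selects."""
    for entry in spd:
        if matches(entry, pkt):
            return entry.action
    return "discard"

# Constructed entry mirroring the TAHI log: inbound ICMPv6 Echo Request, ESP transport, reqid 10000.
def tahi_entry(icmp_type=128, icmp_code=0):
    return SpdEntry(ipaddress.ip_network("3ffe:501:ffff:1::1/128"),
                    ipaddress.ip_network("3ffe:501:ffff:0:21d:fff:fe0f:be4e/128"),
                    "in", ICMPV6, icmp_type, icmp_code, "ipsec esp/transport//unique:10000")
```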
This is a duplicate of an already reported problem. The problem is in the test suite, as ipsecSetSPD.rmt is part of the test suite and not part of the ipsec-tools package. *** This bug has been marked as a duplicate of bug 363521 ***