Bug 524189 - the config parser ignored characters '-96' of ike=3des-sha1-96-modp1024
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan
Version: 5.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Avesh Agarwal
QA Contact: BaseOS QE
Reported: 2009-09-18 10:00 UTC by Osier Yang
Modified: 2014-03-27 01:01 UTC

Fixed In Version: openswan-2.6.21-7.el5
Doc Type: Bug Fix
Last Closed: 2012-07-13 09:23:39 UTC

Description Osier Yang 2009-09-18 10:00:06 UTC
Description of problem:
The config parser ignored the characters '-96' of ike=3des-sha1-96-modp1024. It should be a bug.

Version-Release number of selected component (if applicable):
OS:  rhel5.4
openswan:  openswan-2.6.21-5.el5 

How reproducible:


Steps to Reproduce:
1.  Configure ipsec.conf at the endpoints of the IPsec connection as follows:
config setup
        crlcheckinterval="180"
        strictcrlpolicy=no
        protostack=netkey
        interfaces=%defaultroute
        plutostderrlog=/var/log/pluto.log
        
conn %default
        ikelifetime="60m"
        keylife="20m"
        rekeymargin="3m"
        keyingtries=1
        phase2=esp
        ike=3des-sha1-96-modp1024
        phase2alg=3des-sha1-96
        authby=secret
        ikev2=yes
        rekey=yes
        keyexchange=ike
        
conn host-host
        connaddrfamily=ipv4
        left=192.168.122.157
        right=192.168.122.185
        type=tunnel
        compress=no
        auto=add

2.  Start the ipsec service on each endpoint of the IPsec connection
# service ipsec restart

3.  Set up the IPsec connection
# ipsec auto --up host-host
  
Actual results:
[root@localhost etc]# ipsec auto --up host-host
133 "host-host" #1: STATE_PARENT_I1: initiate
133 "host-host" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
134 "host-host" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1 prf=oakley_sha group=modp1024}
004 "host-host" #2: STATE_PARENT_I3: PARENT SA established tunnel mode {ESP=>0xbeea1ac3 <0xe000cbae xfrm=3DES_192-HMAC_SHA1 NATOA=none NATD=none DPD=none}


Expected results:
The output text when setting up the IPsec connection should contain the characters '-96'.

Additional info:
I got the source code of openswan-2.6.23 from www.openswan.org, then compiled and installed it, and got the same "actual results".

Comment 1 Osier Yang 2009-09-18 10:05:32 UTC
If ipsec.conf is configured on endpoint A like this:
config setup
        crlcheckinterval="180"
        strictcrlpolicy=no
        protostack=netkey
        interfaces=%defaultroute
        plutostderrlog=/var/log/pluto.log

conn %default
        ikelifetime="60m"
        keylife="20m"
        rekeymargin="3m"
        keyingtries=1
        phase2=esp
        ike=3des-sha1-96-modp1024
        phase2alg=3des-sha1-96
        authby=secret
        ikev2=yes
        rekey=yes
        keyexchange=ike

conn host-host
        connaddrfamily=ipv4
        left=192.168.122.157
        right=192.168.122.185
        type=tunnel
        compress=no
        auto=add

but on B like this:
config setup
        crlcheckinterval="180"
        strictcrlpolicy=no
        protostack=netkey
        interfaces=%defaultroute
        plutostderrlog=/var/log/pluto.log

conn %default
        ikelifetime="60m"
        keylife="20m"
        rekeymargin="3m"
        keyingtries=1
        phase2=esp
        ike=3des-sha1-modp1024
        phase2alg=3des-sha1
        authby=secret
        ikev2=yes
        rekey=yes
        keyexchange=ike

conn host-host
        connaddrfamily=ipv4
        left=192.168.122.157
        right=192.168.122.185
        type=tunnel
        compress=no
        auto=add

the connection "host-host" can be set up too.

Comment 2 Osier Yang 2009-09-23 02:41:38 UTC
I have reported the same bug on bugs.openswan.org; the link: https://gsoc.xelerance.com/issues/1062

Comment 3 Avesh Agarwal 2009-12-23 22:11:17 UTC
It is already fixed in 5.4/5.5 with openswan-2.6.21 and was fixed with 524191.
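
Added example, not part of the bug report or of openswan: a check that compares a configured ike= or phase2alg= value with the parameter block pluto prints once the SA is up, run over the two status lines quoted in the description and the two endpoint configurations from Comment 1. The function names are hypothetical, and matching configured tokens as whole words against the printed values is an assumption of this example.

```python
import re

# Status lines copied from the "Actual results" section of this report.
IKE_LINE = ('134 "host-host" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 '
            '{auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1 '
            'prf=oakley_sha group=modp1024}')
ESP_LINE = ('004 "host-host" #2: STATE_PARENT_I3: PARENT SA established '
            'tunnel mode {ESP=>0xbeea1ac3 <0xe000cbae '
            'xfrm=3DES_192-HMAC_SHA1 NATOA=none NATD=none DPD=none}')


def negotiated_words(status_line):
    """Lower-cased alphanumeric words from the values in the line's {...} block."""
    block = re.search(r"\{([^}]*)\}", status_line)
    if block is None:
        raise ValueError("status line has no {...} parameter block")
    values = [kv.split("=", 1)[1] for kv in block.group(1).split() if "=" in kv]
    return {w for v in values for w in re.split(r"[^a-z0-9]+", v.lower()) if w}


def unreflected_tokens(proposal, status_line):
    """Tokens of an ike=/phase2alg= value that match no negotiated word.

    Assumption: each '-'-separated token of the configured value should
    appear as a whole word somewhere in the printed parameters.
    """
    words = negotiated_words(status_line)
    return [tok for tok in proposal.lower().split("-") if tok and tok not in words]


def silent_differences(proposal_a, proposal_b, status_line):
    """Tokens configured on only one endpoint that the SA does not reflect."""
    only_one = set(proposal_a.lower().split("-")) ^ set(proposal_b.lower().split("-"))
    return sorted(only_one - negotiated_words(status_line))


if __name__ == "__main__":
    print("ike:", unreflected_tokens("3des-sha1-96-modp1024", IKE_LINE))
    print("phase2alg:", unreflected_tokens("3des-sha1-96", ESP_LINE))
    print("A vs B:", silent_differences("3des-sha1-96-modp1024",
                                        "3des-sha1-modp1024", IKE_LINE))
```

A non-empty result means part of the configured proposal is not visible in what was negotiated, which is the symptom reported here for '-96'.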
