Bug 652733 - 2 tunnels (IPv4 and IPv6) do not work together using certs/keys
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan
Version: 5.5
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Avesh Agarwal
QA Contact: Aleš Mareček
Keywords: ZStream
Duplicates: 659835
Blocks: 680044
Reported: 2010-11-12 11:36 EST by deepak.dg.gupta
Modified: 2012-11-19 07:59 EST
Fixed In Version: openswan-2.6.21-10.el5
Doc Type: Bug Fix
Last Closed: 2012-02-21 00:58:53 EST
Attachments
/var/log/secure log (379.21 KB, text/plain), 2010-12-01 13:26 EST, deepak.dg.gupta


External Trackers
Red Hat Product Errata RHBA-2012:0211 (priority normal, status SHIPPED_LIVE): openswan bug fix and enhancement update, last updated 2012-02-20 10:08:08 EST

Description deepak.dg.gupta 2010-11-12 11:36:41 EST
Description of problem:

Only one tunnel gets established, even though both are configured with auto=start. And running ipsec auto --up "second_tunnel_id" causes the first tunnel to go down and the second tunnel gets established. Problem is, we need both tunnels established and working at the same time.

The same 2 tunnels work simultaneously when using PSK. Note that both tunnels are using the same host certs/keys; in other words each end has a single host cert/key along with the cacert imported into the nss db.

Version-Release number of selected component (if applicable):

openswan 2.6.21
2.6.18-194.11.3.el5 #1 SMP Mon Aug 23 15:51:38 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:

Easily reproducible, every time.

Steps to Reproduce:

Configuration Host A:

cb4-0-0-0:/etc-# cat ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0  # conforms to second version of ipsec.conf specification

# basic configuration
config setup
   # Debug-logging controls:  "none" for (almost) none, "all" for lots.
   # klipsdebug=none
   # plutodebug="control parsing"
   # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
   protostack=netkey
   nat_traversal=yes
   #virtual_private=
   #oe=off
   # Enable this if you see "failed to find any available worker"
   #nhelpers=0
   plutodebug=all

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/ipsec-default.conf
include /etc/ipsec.d/ipsec-ag-v6.conf
include /etc/ipsec.d/ipsec-ag-172.12.128.105.conf

cb4-0-0-0:/etc/ipsec.d-# cat ipsec-ag-172.12.128.105.conf
# /etc/ipsec-ag01.conf - IPsec conn file for AG01
#

conn ag-172.12.128.105

        ### left host (public-network address)
        left=172.12.128.104
   leftid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC@alu.com"

        ### right host
        right=172.12.128.105
   rightid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG@alu.com"
        #rightnexthop=10.254.1.1
   rightcert=ag


cb4-0-0-0:/etc/ipsec.d-# cat ipsec-ag-172.12.128.105.secrets
172.12.128.104 172.12.128.105 : RSA ag ""

cb4-0-0-0:/etc/ipsec.d-# cat ipsec-ag-v6.conf
# /etc/ipsec-ag01.conf - IPsec conn file for AG01
#

conn ag-v6

        ### left host (public-network address)
        left=2001:db7::7
   leftid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC@alu.com"

        ### right host
        right=2001:db7::5
   rightid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG@alu.com"
        #rightnexthop=10.254.1.1
   rightcert=ag

cb4-0-0-0:/etc/ipsec.d-# cat ipsec-ag-v6.secrets
2001:db7::7 2001:db7::5 : RSA ag ""

cb4-0-0-0:/etc/ipsec.d-# cat *default*
#
# Template file for default connection for Emergency Alert Gateways
#


conn %default
        type=tunnel

        ### left host (public-network address)
   leftrsasigkey=%cert
   leftsendcert=always

        ### right host (public-network address)
   rightrsasigkey=%cert
   rightsendcert=always

   ### algs
   keyexchange=ike
   auth=esp
   authby=rsasig
        ike=aes128-sha1-modp2048
        esp=aes128-sha2_256
        pfs=yes

   ### automatic rekeying params
        ikelifetime=1440m
        keylife=480m
        rekeymargin=20m
        rekey=yes
        keyingtries=%forever
   #dpddelay=500000
   #dpdtimeout=600000
        auto=start

cb4-0-0-0:/etc/ipsec.d-# cat nss.certs
@172.12.128.105: RSA "ag" ""
@2001:db7::5: RSA "ag" ""


cb4-0-0-0:/etc/ipsec.d-# ifconfig bond1
bond1     Link encap:Ethernet  HWaddr 00:26:55:DD:17:39
          inet6 addr: 2001:db7::5/64 Scope:Global
          inet6 addr: fe80::226:55ff:fedd:1739/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:222817 errors:0 dropped:0 overruns:0 frame:0
          TX packets:187365 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:37170781 (35.4 MiB)  TX bytes:24658476 (23.5 MiB)

cb4-0-0-0:/etc/ipsec.d-# ifconfig bond1:alrt
bond1:alrt Link encap:Ethernet  HWaddr 00:26:55:DD:17:39
          inet addr:172.12.128.105  Bcast:172.12.128.111  Mask:255.255.255.240
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1

Configuration Host B:


cb3-0-0-0:/etc-# cat ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        #virtual_private=
        #oe=off
        # Enable this if you see "failed to find any available worker"
        #nhelpers=0
        plutodebug=all

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/ipsec-default.conf
include /etc/ipsec.d/ipsec-ag-2001:db7::7.conf
include /etc/ipsec.d/ipsec-ag-172.12.128.104.conf

cb3-0-0-0:/etc/ipsec.d-# cat ipsec-ag-172.12.128.104.conf
#
# IPsec configuration file for Emergency Alert Gateways connection
#

conn ag-172.12.128.104

        ### left host (public-network address)
        left=172.12.128.104
        leftid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC@alu.com"
        #leftnexthop=172.12.128.109
        leftcert=bmc

        ### right host (public-network address)
        right=172.12.128.105
        rightid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG@alu.com"
cb3-0-0-0:/etc/ipsec.d-# cat ipsec-ag-172.12.128.104.secrets
172.12.128.104 172.12.128.105 : RSA bmc ""

cb3-0-0-0:/etc/ipsec.d-# cat ipsec-ag-2001:db7::7.conf
#
# IPsec configuration file for Emergency Alert Gateways connection
#

conn ag-2001:db7::7

        ### left host (public-network address)
        left=2001:db7::7
        leftid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC@alu.com"
        #leftnexthop=172.12.128.109
        leftcert=bmc

        ### right host (public-network address)
        right=2001:db7::5
        rightid="C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG@alu.com"

cb3-0-0-0:/etc/ipsec.d-# cat ipsec-ag-2001:db7::7.secrets
2001:db7::7 2001:db7::5 : RSA bmc ""

cb3-0-0-0:/etc/ipsec.d-# cat *default*
#
# Template file for default connection for Emergency Alert Gateways
#


conn %default
        type=tunnel

        ### left host (public-network address)
        leftrsasigkey=%cert
        leftsendcert=always

        ### right host (public-network address)
        rightrsasigkey=%cert
        rightsendcert=always

        ### algs
        keyexchange=ike
        auth=esp
        authby=rsasig
        ike=aes128-sha1-modp2048
        esp=aes128-sha2_256
        pfs=yes

        ### automatic rekeying params
        ikelifetime=1440m
        keylife=480m
        rekeymargin=20m
        rekey=yes
        keyingtries=%forever
        #dpddelay=500000
        #dpdtimeout=600000
        auto=start

Actual results:

Contents of /var/log/secure from Host B attached.

Expected results:

Additional info:
Comment 1 deepak.dg.gupta 2010-12-01 13:26:49 EST
Created attachment 464074 [details]
/var/log/secure log
Comment 2 deepak.dg.gupta 2011-01-07 10:33:02 EST
I have been able to reproduce this exact issue with just IPv4 tunnels.  The only difference being that one end is running openswan 2.6.21 and using nss cert management and the other end is running openswan 2.6.14 and is running the old style cert management.  

However, the issue is exactly the same, in that only one tunnel can be added and brought up. If you define 2 tunnels in the configuration files, then ipsec auto shows 2 tunnels added but only one is shown as such:

000 "ag-10.155.199.101": 10.155.155.78<10.155.155.78>[C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC@alu.com,+S=C]---10.155.155.5...10.155.199.101<10.155.199.101>[C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG@alu.com,+S=C]; unrouted; eroute owner: #0
000 "ag-10.155.199.101":     myip=unset; hisip=unset; mycert=bmc;
000 "ag-10.155.199.101":   CAs: 'C=US, ST=OH, O=ALU, OU=MSG, CN=CA, E=CA@alu.com'...'%any'
000 "ag-10.155.199.101":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 0
000 "ag-10.155.199.101":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 32,32; interface: bond1:alrt;
000 "ag-10.155.199.101":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ag-10.155.199.101":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP2048(14); flags=-strict
000 "ag-10.155.199.101":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-14,
000 "ag-10.155.199.101":   ESP algorithms wanted: AES(12)_128-SHA2_256(5); flags=-strict
000 "ag-10.155.199.101":   ESP algorithms loaded: AES(12)_128-SHA2_256(5)_256
000 "ag-10.155.199.102": 10.155.155.78<10.155.155.78>[C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=BMC, E=BMC@alu.com,+S=C]---10.155.155.5...10.155.199.102<10.155.199.102>[C=US, ST=OH, L=COLUMBUS, O=ALU, OU=MSG, CN=AG, E=AG@alu.com,+S=C]; erouted; eroute owner: #8
000 "ag-10.155.199.102":     myip=unset; hisip=unset; mycert=bmc;
000 "ag-10.155.199.102":   CAs: 'C=US, ST=OH, O=ALU, OU=MSG, CN=CA, E=CA@alu.com'...'%any'
000 "ag-10.155.199.102":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 0
000 "ag-10.155.199.102":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 32,32; interface: bond1:alrt;
000 "ag-10.155.199.102":   newest ISAKMP SA: #7; newest IPsec SA: #8;
000 "ag-10.155.199.102":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP2048(14); flags=-strict
000 "ag-10.155.199.102":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-14,
000 "ag-10.155.199.102":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "ag-10.155.199.102":   ESP algorithms wanted: AES(12)_128-SHA2_256(5); flags=-strict
000 "ag-10.155.199.102":   ESP algorithms loaded: AES(12)_128-SHA2_256(5)_256
000 "ag-10.155.199.102":   ESP algorithm newest: AES_128-HMAC_SHA2_256; pfsgroup=<Phase1>
000
000 #8: "ag-10.155.199.102":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27719s; newest IPSEC; eroute owner; isakmp#7; idle; import:admin initiate
000 #8: "ag-10.155.199.102" esp.b14902a1@10.155.199.102 esp.a3a67820@10.155.155.78 tun.0@10.155.199.102 tun.0@10.155.155.78 ref=0 refhim=4294901761
000 #7: "ag-10.155.199.102":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85328s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
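Added example (not from the bug report or from openswan): a small Python parser for the `ipsec auto --status` output quoted above. It flags conns whose policy carries UP (auto=start) but whose newest ISAKMP/IPsec SA is still #0, which is the half-established state shown for ag-10.155.199.101. The sample input is constructed from the excerpt above with the DNs shortened.

```python
import re

# Constructed sample modelled on the status excerpt in the report: two conns
# with auto=start, but only the second one ever reached an SA.
SAMPLE_STATUS = """\
000 "ag-10.155.199.101": 10.155.155.78<10.155.155.78>[CN=BMC,+S=C]---10.155.155.5...10.155.199.101<10.155.199.101>[CN=AG,+S=C]; unrouted; eroute owner: #0
000 "ag-10.155.199.101":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 32,32; interface: bond1:alrt;
000 "ag-10.155.199.101":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ag-10.155.199.102": 10.155.155.78<10.155.155.78>[CN=BMC,+S=C]---10.155.155.5...10.155.199.102<10.155.199.102>[CN=AG,+S=C]; erouted; eroute owner: #8
000 "ag-10.155.199.102":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 32,32; interface: bond1:alrt;
000 "ag-10.155.199.102":   newest ISAKMP SA: #7; newest IPsec SA: #8;
000 #8: "ag-10.155.199.102":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27719s; newest IPSEC; eroute owner; isakmp#7; idle; import:admin initiate
000 #7: "ag-10.155.199.102":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85328s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
"""

CONN_LINE = re.compile(r'^000 "(?P<name>[^"]+)":\s*(?P<body>.*)$')
STATE_LINE = re.compile(r'^000 #(?P<num>\d+): "(?P<name>[^"]+)":\d+ (?P<state>STATE_\w+)')
NEWEST = re.compile(r'newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+)')
POLICY = re.compile(r'policy: ([A-Za-z0-9+]+);')


def parse_status(text):
    """Map each conn name to its routing flag, newest SA numbers, policy and live states."""
    conns = {}
    for line in text.splitlines():
        m = STATE_LINE.match(line)
        if m:  # per-state lines: which conn owns state #N and what phase it is in
            c = conns.setdefault(m.group('name'), {})
            c.setdefault('states', {})[int(m.group('num'))] = m.group('state')
            continue
        m = CONN_LINE.match(line)
        if not m:
            continue  # bare "000" separators and anything unrecognised
        c = conns.setdefault(m.group('name'), {})
        body = m.group('body')
        if '; erouted;' in body or '; unrouted;' in body:
            c['erouted'] = '; erouted;' in body
        n = NEWEST.search(body)
        if n:
            c['isakmp_sa'], c['ipsec_sa'] = int(n.group(1)), int(n.group(2))
        p = POLICY.search(body)
        if p:
            c['policy'] = p.group(1).split('+')
    return conns


def stalled_conns(conns):
    """Conns marked UP (auto=start) that never got both an ISAKMP and an IPsec SA."""
    return [name for name, c in conns.items()
            if 'UP' in c.get('policy', [])
            and (c.get('isakmp_sa', 0) == 0 or c.get('ipsec_sa', 0) == 0)]
```

Feeding it the live output of `ipsec auto --status` on a host with several auto=start conns gives a quick check that every configured tunnel, not just the last one brought up, actually holds an SA.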
Comment 12 Avesh Agarwal 2011-02-02 18:23:33 EST
They need to use the following git commit.

http://git.openswan.org/cgi-bin/gitweb.cgi?p=openswan.git/.git;a=commit;h=faf0b309e2b3b8a937a7a9f4485dc828c374ccac

If you want I can create a patch too for this, so that you can test. This fix first appeared in 2.6.23, but they are using 2.6.21.

This should solve the issue of "differs from size specified in ISAKMP HDR". Let me know if it helps.
Comment 14 Vince Worthington 2011-02-03 18:29:27 EST
I've put a set of scratch-build packages together with this patch.  The build is tagged/branched (private-sf387574-branch) in case we need it again later.  These are built against 5.6-Z-test.

I've not tested them myself yet, but if anybody else is interested in testing, here are the links (i386 and x86_64 flavors):

https://brewweb.devel.redhat.com/taskinfo?taskID=3087271

The patch deals with making sure the buffer is initialized (zeroed) before using it and should address the unexpected header size warnings spewing in the logs.  Thanks for finding and pointing out the upstream patch Avesh.

I'm curious whether it might help with the delay in bringing the tunnels up as well.

--vince
Comment 28 David Mair 2011-10-22 14:39:32 EDT
*** Bug 659835 has been marked as a duplicate of this bug. ***
Comment 31 errata-xmlrpc 2012-02-21 00:58:53 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0211.html