Hide Forgot
Description of problem: Openswan does not correctly process Traffic Selectors for ICMPv6 when a type and code is specified according to RFC 4301 Section 4.4.1.1. Version-Release number of selected component (if applicable): Openswan Version 2.6.24 How reproducible: Always Steps to Reproduce: 1. Send IKE_AUTH Request to Openswan with Traffic selector specifying ICMPv6 and 8000 or 8100 in the start port and end port. Selectors will not be properly applied, and the IKE_AUTH Response will have ANY/ANY specified. 2. 3. Actual results: Expected results: Additional info:
Testing instructions for QE: 1. I would suggest to look at the following paragraph from RFC 4306 http://tools.ietf.org/html/rfc4306 for better understanding. "Start Port (2 octets) - Value specifying the smallest port number allowed by this Traffic Selector. For protocols for which port is undefined, or if all ports are allowed, this field MUST be zero. For the ICMP protocol, the two one-octet fields Type and Code are treated as a single 16-bit integer (with Type in the most significant eight bits and Code in the least significant eight bits) port number for the purposes of filtering based on this field. " 2. Configure IPsec nodes as follows: IPsec node 1 (*.conf): conn test1 auto=add authby=secret left=192.168.122.181 right=192.168.122.165 ike=3des-sha1 esp=3des-sha1 leftprotoport=icmp #(icmp echo reply type 0 code 0) rightprotoport=icmp/2048 #(icmp echo request type 0 code 0) ikev2=insist IPsec node 2 (*.conf): conn test1 auto=add authby=secret right=192.168.122.181 left=192.168.122.165 ike=3des-sha1 esp=3des-sha1 rightprotoport=icmp #(icmp echo reply type 0 code 0) leftprotoport=icmp/2048 #(icmp echo request type 0 code 0) ikev2=insist both nodes (*.secrets): : PSK "whatever" 3. Establish connection test1 as "ipsec auto --up test1" 4. check output of "ip xfrm policy" , and it will show wrong type/code values in failed case, and right type and code values in success case.
------- Comment From spieth.com 2011-03-17 19:55 EDT------- ---Problem Description--- Reverse Mirror of RIT681974 - Openswan's current IKEv2 implementation does not correctly process ICMPv6 Selectors for Type and Code Contact Information = spieth.com ---uname output--- na Machine Type = na ---Debugger--- A debugger is not configured ---Steps to Reproduce--- na ---All Component Data---
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0652.html