Bug 683604 - Openswan-IKEv2 can not setup 2nd SA with traffic selector for different host behind the same security gateway.
Summary: Openswan-IKEv2 can not setup 2nd SA with traffic selector for different host ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan
Version: 6.1
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Avesh Agarwal
QA Contact: Aleš Mareček
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-03-09 20:29 UTC by Avesh Agarwal
Modified: 2011-05-19 13:55 UTC (History)

Fixed In Version: openswan-2_6_32-4_el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 13:55:31 UTC
Target Upstream Version:


Attachments
conf file (1.49 KB, application/octet-stream), 2011-03-09 20:32 UTC, Avesh Agarwal
ipsec barf output (42.49 KB, text/plain), 2011-03-09 20:33 UTC, Avesh Agarwal
logs of the test (84.15 KB, text/x-log), 2011-03-09 20:33 UTC, Avesh Agarwal


Links
Red Hat Product Errata RHBA-2011:0652 (priority normal, status SHIPPED_LIVE): openswan bug fix and enhancement update, last updated 2011-05-18 17:55:32 UTC

Description Avesh Agarwal 2011-03-09 20:29:28 UTC
Description of problem:
When two pairs of IKEv2 SAs are built, the first pair is negotiated fine between machine A and B with Traffic Selectors for Host1. However, when the second pair is negotiated between A and B, except this time the Traffic Selectors are for Host2 behind B, it does not succeed.

How reproducible:
Always

Comment 1 Avesh Agarwal 2011-03-09 20:30:10 UTC
Attached logs provided by UNH people.

Comment 2 Avesh Agarwal 2011-03-09 20:32:29 UTC
Created attachment 483299 [details]
conf file

Comment 3 Avesh Agarwal 2011-03-09 20:33:04 UTC
Created attachment 483300 [details]
ipsec barf output

Comment 4 Avesh Agarwal 2011-03-09 20:33:38 UTC
Created attachment 483302 [details]
logs of the test

Comment 8 Avesh Agarwal 2011-03-17 17:04:01 UTC
Testing instructions for QE:

1. Configure IPsec nodes as follows:

IPsec node 1 (*.conf):
conn test1
        auto=add
        authby=secret
        left=192.168.122.181
        right=192.168.122.165
        ike=3des-sha1
        esp=3des-sha1
        rightsubnet=192.168.122.165/32
        leftsubnet=192.168.122.183/32
        ikev2=insist

conn test2
        auto=add
        authby=secret
        left=192.168.122.181
        right=192.168.122.165
        ike=3des-sha1
        esp=3des-sha1
        rightsubnet=192.168.122.165/32
        leftsubnet=192.168.122.182/32
        ikev2=insist


IPsec node 2 (*.conf):
conn test1
        auto=add
        authby=secret
        right=192.168.122.181
        left=192.168.122.165
        ike=3des-sha1
        esp=3des-sha1
        leftsubnet=192.168.122.165/32
        rightsubnet=192.168.122.183/32
        ikev2=insist

conn test2
        auto=add
        authby=secret
        right=192.168.122.181
        left=192.168.122.165
        ike=3des-sha1
        esp=3des-sha1
        leftsubnet=192.168.122.165/32
        rightsubnet=192.168.122.182/32
        ikev2=insist

both nodes (*.secrets):
: PSK "whatever"

2. Establish connections test1 and test2 as "ipsec auto --up test1/test2"

3. In the failed case, the 2nd connection won't go through. In the success case, both connections will go through.

4. The connections can be checked with the "ip xfrm policy/state" commands.
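
As a worked check for step 4 (added here as an example, not part of the reporter's comment or of openswan): a small Python script that parses `ip xfrm policy` output and reports, for each conn in the node 1 configuration above, whether the kernel holds the outbound and inbound policies for its leftsubnet/rightsubnet pair. The sample output is constructed to mirror the failing case, where only test1's CHILD_SA was established; the priority and reqid values in it are made up.

```python
"""Added example (not from the bug report): check `ip xfrm policy` output for
the per-connection traffic selectors configured in comment 8 on IPsec node 1."""
import re

# (leftsubnet, rightsubnet) per conn, as seen from node 1 (192.168.122.181).
CONNS = {
    "test1": ("192.168.122.183/32", "192.168.122.165/32"),
    "test2": ("192.168.122.182/32", "192.168.122.165/32"),
}

# Constructed `ip xfrm policy` output for the failed case described in the bug:
# only test1's CHILD_SA produced policies; test2's selectors are absent.
SAMPLE_XFRM_POLICY = """\
src 192.168.122.183/32 dst 192.168.122.165/32
\tdir out priority 2080 ptype main
\ttmpl src 192.168.122.181 dst 192.168.122.165
\t\tproto esp reqid 16385 mode tunnel
src 192.168.122.165/32 dst 192.168.122.183/32
\tdir in priority 2080 ptype main
\ttmpl src 192.168.122.165 dst 192.168.122.181
\t\tproto esp reqid 16385 mode tunnel
"""

_SEL = re.compile(r"^src (\S+) dst (\S+)")   # first line of a policy block
_DIR = re.compile(r"^\s+dir (\w+)")          # indented direction line


def parse_policies(text):
    """Return the set of (src, dst, direction) triples found in the output."""
    found, src, dst = set(), None, None
    for line in text.splitlines():
        if m := _SEL.match(line):
            src, dst = m.groups()          # start of a new policy block
        elif (m := _DIR.match(line)) and src:
            found.add((src, dst, m.group(1)))
    return found


def check_conns(text, conns=CONNS):
    """Map each conn to its missing policies; an empty list means both directions exist."""
    have = parse_policies(text)
    report = {}
    for name, (left, right) in conns.items():
        wanted = [(left, right, "out"), (right, left, "in")]
        report[name] = [f"{d} {s}->{t}" for s, t, d in wanted if (s, t, d) not in have]
    return report


if __name__ == "__main__":
    for conn, missing in check_conns(SAMPLE_XFRM_POLICY).items():
        print(conn, "OK" if not missing else "MISSING: " + ", ".join(missing))
```

On a live node, feed it `subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True).stdout` instead of the constructed sample; the fixed build should report both conns as OK.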

Comment 9 IBM Bug Proxy 2011-03-18 21:41:27 UTC
------- Comment From spieth.com 2011-03-17 20:02 EDT-------
---Problem Description---
Openswan-IKEv2 can not setup 2nd SA with traffic selector for different host behind the same security gateway
Contact Information = spieth.com

---uname output---
na

Machine Type = na

---Debugger---
A debugger is not configured

---Steps to Reproduce---
na

---All Component Data---

Comment 11 errata-xmlrpc 2011-05-19 13:55:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0652.html

