
Bug 683604

Summary: Openswan-IKEv2 can not setup 2nd SA with traffic selector for different host behind the same security gateway.
Product: Red Hat Enterprise Linux 6
Component: openswan
Version: 6.1
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Avesh Agarwal <avagarwa>
Assignee: Avesh Agarwal <avagarwa>
QA Contact: Aleš Mareček <amarecek>
CC: amarecek, iboverma, sgrubb
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Fixed In Version: openswan-2_6_32-4_el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 13:55:31 UTC

Attachments:
- conf file
- ipsec barf output
- logs of the test

Description Avesh Agarwal 2011-03-09 20:29:28 UTC
Description of problem:
When two pairs of IKEv2 SAs are built, the first pair is negotiated fine between the machine A and B with Traffic Selectors for Host1. However, when the second pair is negotiated between A and B, except this time the Traffic Selectors are for Host2 behind B, it does not succeed.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Avesh Agarwal 2011-03-09 20:30:10 UTC
Attached logs provided by UNH people.

Comment 2 Avesh Agarwal 2011-03-09 20:32:29 UTC
Created attachment 483299 [details]
conf file

Comment 3 Avesh Agarwal 2011-03-09 20:33:04 UTC
Created attachment 483300 [details]
ipsec barf output

Comment 4 Avesh Agarwal 2011-03-09 20:33:38 UTC
Created attachment 483302 [details]
logs of the test

Comment 8 Avesh Agarwal 2011-03-17 17:04:01 UTC
Testing instructions for QE:

1. Configure IPsec nodes as follows:

IPsec node 1 (*.conf):
conn test1
        auto=add
        authby=secret
        left=192.168.122.181
        right=192.168.122.165
        ike=3des-sha1
        esp=3des-sha1
        rightsubnet=192.168.122.165/32
        leftsubnet=192.168.122.183/32
        ikev2=insist

conn test2
        auto=add
        authby=secret
        left=192.168.122.181
        right=192.168.122.165
        ike=3des-sha1
        esp=3des-sha1
        rightsubnet=192.168.122.165/32
        leftsubnet=192.168.122.182/32
        ikev2=insist

IPsec node 2 (*.conf):
conn test1
        auto=add
        authby=secret
        right=192.168.122.181
        left=192.168.122.165
        ike=3des-sha1
        esp=3des-sha1
        leftsubnet=192.168.122.165/32
        rightsubnet=192.168.122.183/32
        ikev2=insist

conn test2
        auto=add
        authby=secret
        right=192.168.122.181
        left=192.168.122.165
        ike=3des-sha1
        esp=3des-sha1
        leftsubnet=192.168.122.165/32
        rightsubnet=192.168.122.182/32
        ikev2=insist

both nodes (*.secrets):
: PSK "whatever"

2. Establish connections test1 and test2 as "ipsec auto --up test1/test2"

3. In the failed case, the 2nd connection won't go through. In the success case, both connections will go through.

4. The connections can be checked with the "ip xfrm policy" and "ip xfrm state" commands.
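An added helper (not part of this bug report or of openswan) that automates step 4: it parses `ip xfrm policy` output from node 1 and reports which of the two connections from step 1 did not get its out/in/fwd policies installed. The sample policy dump is constructed to show the failing case, where only test1's selectors (192.168.122.183/32 <-> 192.168.122.165/32) are present.

```python
import re

# Connections from step 1 as seen from IPsec node 1: name -> (leftsubnet, rightsubnet)
NODE1_CONNS = {
    "test1": ("192.168.122.183/32", "192.168.122.165/32"),
    "test2": ("192.168.122.182/32", "192.168.122.165/32"),
}

# Constructed sample of `ip xfrm policy` on node 1 in the failing case: after
# "ipsec auto --up test1" and "ipsec auto --up test2" only test1 was installed.
SAMPLE_POLICY_FAILED = """\
src 192.168.122.183/32 dst 192.168.122.165/32
\tdir out priority 2344 ptype main
\ttmpl src 192.168.122.181 dst 192.168.122.165
\t\tproto esp reqid 16385 mode tunnel
src 192.168.122.165/32 dst 192.168.122.183/32
\tdir in priority 2344 ptype main
\ttmpl src 192.168.122.165 dst 192.168.122.181
\t\tproto esp reqid 16385 mode tunnel
src 192.168.122.165/32 dst 192.168.122.183/32
\tdir fwd priority 2344 ptype main
\ttmpl src 192.168.122.165 dst 192.168.122.181
\t\tproto esp reqid 16385 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")   # selector line, column 0
DIR_RE = re.compile(r"^\s+dir (\w+)")               # indented "dir out|in|fwd"

def parse_xfrm_policy(text):
    """Return the set of (src, dst, direction) triples in `ip xfrm policy` output."""
    found, selector = set(), None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            selector = (m.group(1), m.group(2))
            continue
        d = DIR_RE.match(line)
        if d and selector is not None:
            found.add(selector + (d.group(1),))
            selector = None   # "tmpl src ..." lines are indented, so they never match
    return found

def expected_policies(leftsubnet, rightsubnet):
    """Policies a tunnel installs on its 'left' node: out, in and fwd."""
    return {(leftsubnet, rightsubnet, "out"),
            (rightsubnet, leftsubnet, "in"),
            (rightsubnet, leftsubnet, "fwd")}

def missing_connections(policy_output, conns):
    """Names of connections whose policies are not all present in the kernel."""
    installed = parse_xfrm_policy(policy_output)
    return sorted(name for name, (l, r) in conns.items()
                  if not expected_policies(l, r) <= installed)

if __name__ == "__main__":
    # On a live node feed the real output of `ip xfrm policy` instead of the sample.
    print("connections without policies:", missing_connections(SAMPLE_POLICY_FAILED, NODE1_CONNS))
```
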

Comment 9 IBM Bug Proxy 2011-03-18 21:41:27 UTC
------- Comment From spieth.com 2011-03-17 20:02 EDT-------
---Problem Description---
Openswan-IKEv2 can not setup 2nd SA with traffic selector for different host behind the same security gateway
Contact Information = spieth.com

---uname output---
na

Machine Type = na

---Debugger---
A debugger is not configured

---Steps to Reproduce---
na

---All Component Data---

Comment 11 errata-xmlrpc 2011-05-19 13:55:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0652.html