Bug 711975 - incomplete policy for loopback when using *protoport=X/Y
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan (Show other bugs)
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Avesh Agarwal
QA Contact: BaseOS QE Security Team
Keywords: Reopened, ZStream
Depends On:
Blocks: RHEL62CCC 718078 846801 846802
Reported: 2011-06-09 03:30 EDT by Ondrej Moriš
Modified: 2012-08-08 14:29 EDT (History)

See Also:
Fixed In Version: openswan-2.6.32-6.el6
Doc Type: Bug Fix
Doc Text:
IPsec connections over a loopback interface did not work properly when a specific port was configured. This was because incomplete IPsec policies were being set up, leading to connection failures. This update fixes this issue, and complete policies are now correctly established.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-06 14:05:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments: None
Description Ondrej Moriš 2011-06-09 03:30:00 EDT
Description of problem:

Using full {left,right}protoport options (e.g. tcp/6000) for a connection with loopback=yes to force the following IPsec connection: 127.0.0.1 (tcp: any port) <---> 127.0.0.1 (tcp: port 6000) does not work. The reason (probably) is that the SPD set by openswan is incomplete:

src 127.0.0.1/32 dst 127.0.0.1/32 dport 6000
      dir out priority 2080 ptype main
      tmpl src 0.0.0.0 dst 0.0.0.0
          proto esp reqid 16389 mode transport
src 127.0.0.1/32 dst 127.0.0.1/32 sport 6000
      dir in priority 2080 ptype main
      tmpl src 0.0.0.0 dst 0.0.0.0
          proto esp reqid 16389 mode transport 

Herbert Xu pointed out that the above policy is only one half and another one is missing.

Version-Release number of selected component (if applicable):

openswan-2.6.32-5.el6

How reproducible:

Always.

Reproducer:

# cat /etc/ipsec.conf
version    2.0

config setup
    protostack=netkey
    nat_traversal=yes
    plutostderrlog=/var/log/pluto.log

conn testA
        auto=add
        authby=secret
        type=transport
        left=127.0.0.1
        right=127.0.0.1
        ike=3des-sha1
        phase2=esp
        phase2alg=aes-sha1
        loopback=yes
        leftprotoport=tcp/6000

conn testB
        auto=add
        authby=secret
        type=transport
        left=127.0.0.1
        right=127.0.0.1
        ike=3des-sha1
        phase2=esp
        phase2alg=aes-sha1
        loopback=yes
        rightprotoport=tcp/6000

# echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm
# echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy

# ip xfrm state flush

# service ipsec restart

ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: ERROR: Module xfrm4_mode_transport is in use
ipsec_setup: ERROR: Module esp4 is in use
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-131.0.15.el6.i686...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

# ipsec auto --up testA

104 "testA" #1: STATE_MAIN_I1: initiate
003 "testA" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]
003 "testA" #1: received Vendor ID payload [Dead Peer Detection]
003 "testA" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "testA" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "testA" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "testA" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "testA" #1: received Vendor ID payload [CAN-IKEv2]
004 "testA" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "testA" #3: STATE_QUICK_I1: initiate
004 "testA" #3: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xf22bff4e <0xae762c81 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

# nc -lk 127.0.0.1 6000 > tcp.6000 &
# tcpdump -i lo -nn > tcpdump.lo &

# nc -w 30 -v 127.0.0.1 6000
nc: connect to 127.0.0.1 port 6000 (tcp) failed: Connection timed out

# cat tcp.6000
(empty)

# cat tcpdump.lo
02:13:27.613876 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I inf[E]
02:13:27.614051 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I inf[E]
02:13:27.628276 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I inf[E]
02:13:27.628454 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I inf[E]
02:13:34.318432 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident
02:13:34.318933 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident
02:13:34.323283 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident
02:13:34.327501 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident
02:13:34.331567 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident[E]
02:13:34.332918 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 1 I ident[E]
02:13:34.336094 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I oakley-quick[E]
02:13:34.344964 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I oakley-quick[E]
02:13:34.386974 IP 127.0.0.1.500 > 127.0.0.1.500: isakmp: phase 2/others I oakley-quick[E]
02:13:34.391466 IP 127.0.0.1.42551 > 127.0.0.1.6000: Flags [S], seq 2601463509, win 32792, options [mss 16396,sackOK,TS val 674523256 ecr 0,nop,wscale 6], length 0
02:13:37.390641 IP 127.0.0.1.42551 > 127.0.0.1.6000: Flags [S], seq 2601463509, win 32792, options [mss 16396,sackOK,TS val 674526256 ecr 0,nop,wscale 6], length 0
02:13:43.390628 IP 127.0.0.1.42551 > 127.0.0.1.6000: Flags [S], seq 2601463509, win 32792, options [mss 16396,sackOK,TS val 674532256 ecr 0,nop,wscale 6], length 0
02:13:57.393285 IP 127.0.0.1.42552 > 127.0.0.1.6000: Flags [S], seq 2962292024, win 32792, options [mss 16396,sackOK,TS val 674546258 ecr 0,nop,wscale 6], length 0
02:14:00.392649 IP 127.0.0.1.42552 > 127.0.0.1.6000: Flags [S], seq 2962292024, win 32792, options [mss 16396,sackOK,TS val 674549258 ecr 0,nop,wscale 6], length 0
02:14:06.392649 IP 127.0.0.1.42552 > 127.0.0.1.6000: Flags [S], seq 2962292024, win 32792, options [mss 16396,sackOK,TS val 674555258 ecr 0,nop,wscale 6], length 0

Firewall is disabled.
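A check for the incomplete-policy condition described in the report above, added here as an example and not part of the bug report or of openswan: it parses `ip xfrm policy` output (a constructed sample reproducing the two entries quoted in the description) and lists the loopback policies that are missing. It goes beyond the report in also requiring the mirrored reply-flow selector (sport/dport swapped), since on loopback every flow and its reply are both sent and received by the same host.

```python
from collections import defaultdict

# Constructed sample in the layout of `ip xfrm policy`, reproducing the two
# entries quoted in the bug report (one half of what loopback traffic needs).
SAMPLE_XFRM_POLICY = """\
src 127.0.0.1/32 dst 127.0.0.1/32 dport 6000
      dir out priority 2080 ptype main
      tmpl src 0.0.0.0 dst 0.0.0.0
          proto esp reqid 16389 mode transport
src 127.0.0.1/32 dst 127.0.0.1/32 sport 6000
      dir in priority 2080 ptype main
      tmpl src 0.0.0.0 dst 0.0.0.0
          proto esp reqid 16389 mode transport
"""

def parse_policies(text):
    """Return (src, dst, sport, dport, dir) tuples from `ip xfrm policy` output.
    Only the selector line and its following 'dir ...' line are read."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):          # selector line opens a new entry
            if cur is not None:
                policies.append(cur)
            cur = {"sport": "any", "dport": "any", "dir": None}
            toks = line.split()
            cur.update(zip(toks[::2], toks[1::2]))   # 'src X dst Y dport Z' pairs
        elif line.startswith("dir ") and cur is not None:
            cur["dir"] = line.split()[1]
    if cur is not None:
        policies.append(cur)
    return [(p["src"], p["dst"], p["sport"], p["dport"], p["dir"]) for p in policies]

def missing_loopback_policies(policies):
    """List the (src, dst, sport, dport, dir) policies a loopback setup lacks.
    With src == dst every packet is both sent (dir out) and received (dir in)
    by this host, and the reply flow swaps sport/dport, so each selector and
    its mirror need both directions: four policies per protected port."""
    have = defaultdict(set)
    for src, dst, sport, dport, d in policies:
        if src == dst:
            have[(src, dst, sport, dport)].add(d)
    required = set(have) | {(s, d, dp, sp) for s, d, sp, dp in have}  # + mirror
    return sorted(sel + (d,) for sel in required for d in ("in", "out")
                  if d not in have.get(sel, set()))

if __name__ == "__main__":
    for entry in missing_loopback_policies(parse_policies(SAMPLE_XFRM_POLICY)):
        print("missing: src %s dst %s sport %s dport %s dir %s" % entry)
```

On a live host, feed it the output of `ip xfrm policy` instead of the sample; an empty result means every loopback selector has both directions.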
Comment 7 Martin Prpic 2011-07-13 15:43:13 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
IPsec connections over a loopback interface did not work properly when a specific port was configured. This was because incomplete IPsec policies were being set up, leading to connection failures. This update fixes this issue, and complete policies are now correctly established.
Comment 9 Avesh Agarwal 2011-08-29 09:47:51 EDT
Hello Eduard,

These bugs are already addressed in the 6.1.z stream.

I think there was some confusion, and I am going to put them back to Modified.


Avesh
Comment 13 errata-xmlrpc 2011-12-06 14:05:30 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1761.html
