Description of problem:
Problem with the ikev2 option. If I run a test case with the ikev2=yes option required on both sides, the functionality is OK. But if I add another connection to ipsec.conf with ikev2=insist required on both sides, this test case fails (if I run the test with ikev2=insist only, the functionality is OK). If I first run the test case with ikev2=insist required on both sides, it works fine. If I add a second connection with ikev2=yes to ipsec.conf and then try the functionality, the test case fails.

Version-Release number of selected component (if applicable):
openswan-2.6.32-6.el6

How reproducible:
always

Steps to Reproduce:
1. To ipsec.conf add (on both sides):

    conn ike_yes
        left=192.168.122.212
        right=192.168.122.179
        auto=add
        authby=secret
        type=transport
        ike=aes256-md5
        ikev2=yes
        phase2=esp

Then run (on both sides):

    ip xfrm state flush
    ip xfrm policy flush
    service ipsec restart && sleep 5
    ipsec auto --route ike_yes

On 192.168.122.212 run:

    nc 192.168.122.212 -l 6000

On 192.168.122.179 run:

    echo 'Hi' | nc -w 10 -v 192.168.122.212 6000

2. Add a second connection to ipsec.conf (on both sides):

    conn ike_insist
        left=192.168.122.212
        right=192.168.122.179
        auto=add
        authby=secret
        type=transport
        ike=aes256-md5
        ikev2=insist
        phase2=esp

Then run (on both sides):

    ip xfrm state flush
    ip xfrm policy flush
    service ipsec restart && sleep 5
    ipsec auto --route ike_insist

On 192.168.122.212 run:

    nc 192.168.122.212 -l 6000

On 192.168.122.179 run:

    echo 'Hi' | nc -w 10 -v 192.168.122.212 6000

Actual results:
nc succeeds in the first test case. In the second test case nc fails (nc output is: nc: connect to rhel61-clone port 6000 (tcp) timed out: Operation now in progress).

Expected results:
nc should succeed in both test cases.

Additional info:
Since RHEL 6.3 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
I'm not sure if this is a bug. You are adding two connections for which the policy is basically the same as far as the wire policies are involved; if I rewrite your test case:

    conn test-insist
        ikev2=insist
        also=base

    conn test-yes
        ikev2=yes
        also=base

    conn base
        left=192.168.122.212
        right=192.168.122.179
        auto=add
        authby=secret
        type=transport
        ike=aes256-md5
        phase2=esp

Assume the order of loading all connections is semi-random. What should we do? Ideally, those two connections should never be able to both get loaded. But even if we managed to reject the slowest-loading one, it is not guaranteed that the same one would get rejected every time libreswan starts.
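The reproduction steps in the bug description and the maintainer's reading of them come down to the same thing: two conn sections that describe one wire policy (same left, right and type) but set ikev2= differently, so which one wins depends on load order. As an added example, not code from the bug report or from openswan/libreswan, the following Python checker parses an ipsec.conf of this shape, expands also=, groups the loadable conns by their wire policy and reports any group whose ikev2= values disagree. The sample config is constructed from the maintainer's rewrite; the set of keys treated as the wire policy (left, right, leftsubnet, rightsubnet, type), the also= merge rule (a conn's own keys win, and among several also= includes the first wins) and the treatment of an unset ikev2= as its own "(default)" value (the daemon default differs between openswan and libreswan versions, so the script does not guess it) are assumptions of this example.

```python
"""Flag ipsec.conf conns that share one wire policy but disagree on ikev2=.

Added example, not part of the bug report or of openswan/libreswan. Only the
subset of ipsec.conf(5) syntax used here is handled: section headers, indented
key=value lines, '#' comments and also= includes.
"""
from collections import defaultdict

# Constructed sample: the reporter's two conns as rewritten with also= in the
# maintainer's comment. Note that 'base' itself carries auto=add, so the
# daemon would load it as a third conn with the same wire policy.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn base
    left=192.168.122.212
    right=192.168.122.179
    auto=add
    authby=secret
    type=transport
    ike=aes256-md5
    phase2=esp

conn ike_yes
    ikev2=yes
    also=base

conn ike_insist
    ikev2=insist
    also=base
"""

# Assumption: these keys identify the "wire policy" for the purpose of this check.
POLICY_KEYS = ("left", "right", "leftsubnet", "rightsubnet", "type")


def parse_sections(text):
    """Return {conn_name: {key: value}}; also= is collected as a list.

    Unindented lines start a section (only 'conn' sections are kept),
    indented lines are key=value parameters of the current section.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = {} if kind == "conn" else None
            if current is not None:
                sections[name.strip()] = current
            continue
        if current is None:  # inside 'config setup' or another non-conn section
            continue
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return sections


def expand(name, sections, seen=frozenset()):
    """Resolve also= includes: explicit keys win, first include wins among includes."""
    if name in seen:
        raise ValueError(f"also= loop through conn {name}")
    own = sections[name]
    merged = {}
    for inc in own.get("also", []):
        for key, value in expand(inc, sections, seen | {name}).items():
            merged.setdefault(key, value)
    merged.update((k, v) for k, v in own.items() if k != "also")
    return merged


def find_ikev2_conflicts(text):
    """Return [(policy_tuple, {conn: ikev2_value})] for policies with mixed ikev2=.

    Conns with auto=ignore (the ipsec.conf default) are never loaded and are
    skipped; an unset ikev2= is reported as '(default)' and treated as distinct.
    """
    sections = parse_sections(text)
    by_policy = defaultdict(dict)
    for name in sections:
        conf = expand(name, sections)
        if conf.get("auto", "ignore") == "ignore":
            continue
        policy = tuple(conf.get(k, "") for k in POLICY_KEYS)
        by_policy[policy][name] = conf.get("ikev2", "(default)")
    return [(p, c) for p, c in sorted(by_policy.items()) if len(set(c.values())) > 1]


if __name__ == "__main__":
    for policy, conns in find_ikev2_conflicts(SAMPLE_CONF):
        print("conflicting ikev2= for wire policy", dict(zip(POLICY_KEYS, policy)))
        for conn, value in sorted(conns.items()):
            print(f"  conn {conn}: ikev2={value}")
```

Running it against the sample prints one group containing base, ike_yes and ike_insist, which is exactly the ambiguity the maintainer describes: the daemon has three loadable conns for one 192.168.122.212 to 192.168.122.179 transport policy, and whichever loads last decides whether IKEv2 is merely proposed or insisted on. Fixing the config means collapsing such a group to a single conn (or giving the conns distinct subnets), not hoping for a stable load order.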