Description of problem:
Openswan is no longer able to establish a NAT-d communication.

Version-Release number of selected component (if applicable):

How reproducible:
Try to set up a NAT-d

I had the exact same behavior on my mga4 as shown on this thread.
I did apply that patch (had to fix the filename in the patch to gain the -p0) and rebuilt the openswan package.
http://comments.gmane.org/gmane.network.openswan.user/22391

Since then it works perfectly.
I don't know if this is the right way to fix it (is there a better fix upstream?) but it worked.

Reproducible:

Steps to Reproduce:
Assignee: bugsquad => luigiwalser
Cauldron is also affected.
Yes, the same patch exists upstream: https://github.com/xelerance/Openswan/commit/b6041cb5d1d07974596be79606a977e88dd9ec48
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
----------------------------------------

The fixes in Openswan for the CVE-2013-6466 security issue caused the NAT traversal feature to stop working. This functionality has been restored.

References:
http://permalink.gmane.org/gmane.network.openswan.user/22393
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
openswan-2.6.28-5.2.mga3
openswan-doc-2.6.28-5.2.mga3
openswan-2.6.39-3.2.mga4
openswan-doc-2.6.39-3.2.mga4

from SRPMS:
openswan-2.6.28-5.2.mga3.src.rpm
openswan-2.6.39-3.2.mga4.src.rpm
CC: (none) => luigiwalser
Assignee: luigiwalser => qa-bugs
Whiteboard: (none) => MGA3TOO
Severity: major => normal
Erwan, can you please verify the updates correct the issue for you? Thanks
Tested it and the patch is ok.
Thanks Erwan. Which architecture and release did you test?
(In reply to David Walser from comment #6)
> Thanks Erwan. Which architecture and release did you test?

x86_64
and mga4 sorry
OK, thanks.
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
Basic test procedure: https://bugs.mageia.org/show_bug.cgi?id=7095#c7
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK
Testing on Mageia4-32
Using test procedure in Comment 10

With normal package :
-------------------
openswan Version : 2.6.39-3.1.mga4
openswan-doc Version : 2.6.39-3.1.mga4

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.39...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
(...)
waited a long long time but read in https://bugs.mageia.org/show_bug.cgi?id=7095#c9 that it was expected on first use of openswan.
and ...
ipsec_setup: mv: cannot stat '/etc/openswan/ipsec.secrets.new': No such file or directory
ipsec_setup: 003 "/etc/openswan/ipsec.secrets" line 2: premature end of RSA key
ipsec_setup: 003 "/etc/openswan/ipsec.secrets" line 20: malformed end of RSA private key -- unexpected token after '}'

# service ipsec status
IPsec running - pluto pid: 4525
pluto pid 4525
No tunnels up

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec status
IPsec stopped

With testing packages :
---------------------
- openswan-2.6.39-3.2.mga4.i586
- openswan-doc-2.6.39-3.2.mga4.i586

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.39...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

* didn't have to wait this time, I guessed it used the ipsec.secrets (in /etc/openswan) already generated.

# service ipsec status
IPsec running - pluto pid: 5542
pluto pid 5542
No tunnels up

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec status
IPsec stopped

With testing packages (second round) :
---------------------
As I was bothered with output messages after generating the key, uninstalled openswan-testing, removed /etc/openswan/ipsec.secrets, reinstalled openswan-testing.

# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.6.39...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

After a long wait, gave me the prompt with no error messages and generated a new /etc/openswan/ipsec.secrets

# service ipsec status
IPsec running - pluto pid: 9337
pluto pid 9337
No tunnels up

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...

Ipsec Service started, stopped and reported its status correctly with
- openswan-2.6.39-3.2.mga4.i586
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32 OK
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32 OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK
Testing complete on Mageia 3 64bit with procedure from comment 10, same output as comment 11 (apart from the mv issue with the .new file).
CC: (none) => remi
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK
Advisory uploaded, validating.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGAA-2014-0183.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED