2017-11-17 21:16 UTC

ID: 0005832
Project: CentOS-6
Category: openswan
View Status: public
Last Update: 2013-12-03 13:45
Reporter: gstreeter
Priority: normal
Severity: major
Reproducibility: always
Status: assigned
Resolution: open
Platform: AMD
OS: Linux
OS Version: CentOS 6.3
Product Version: 6.3
Target Version:
Fixed in Version:
Summary: 0005832: Openswan IPSEC not working after package update
Description: After installing the updated Openswan package (openswan.i686 0:2.6.32-18.el6_3) released today 13 Jul 12, I can no longer create L2TP/IPSEC connections to my server from other devices. There are no error messages in the logs and the openswan pluto.log shows the SA being established as normal but the devices time out and report unable to establish the connection. I rolled back to the previous package (openswan.i686 0:2.6.32-18.el6) and normal operation was restored.

With the updated package the connections do not progress from STATE_QUICK_R2 to STATE_MAIN_R3
Steps To Reproduce:

1) Set up Openswan L2TP/IPSEC VPN successfully with openswan.i686 0:2.6.32-18.el6

2) Upgrade to openswan.i686 0:2.6.32-18.el6_3

3) Clients can no longer connect to the VPN server.
Additional Information: No error message found in any associated logs. SELinux set to permissive but same result.
Tags: No tags attached.
Attached Files


Notes

~0015497

arrfab (administrator)

It seems there is a regression in the openswan-2.6.32-18.el6_3 package.
I can't confirm your issue, but mine is really close to yours:
after updating my openswan package to openswan-2.6.32-18.el6_3 (from openswan-2.6.32-16.el6 - 6.3[base]), I can't initiate ipsec/l2tp connections anymore (so on my side, I'm a client, not a server).
Reverting back to 2.6.32-16.el6 fixes the issue.
I've not (yet) had free time to investigate that issue and I don't see a relevant bug report on upstream bugzilla wrt that issue (seems to be an l2tp/ipsec combination issue).

~0015498

arrfab (administrator)

Two people acking on a regression with the latest version of openswan package

~0015511

gstreeter (reporter)

My original report was slightly wrong as I reverted to 2.6.32-16.el6 as well. Both Android (Gingerbread) and IOS 5.1 clients now cannot connect to the CentOS server if upgraded to 2.6.32-18.el_3

~0015519

acdmail (reporter)

Exactly the same issue for me: everything is working OK with openswan-2.6.32-18.el_2 but not with openswan-2.6.32-18.el6_3 (Windows 7 clients).

~0015523

gstreeter (reporter)

I have removed the distribution packaged version of Openswan and replaced this with a local build using the downloaded source for the latest version from the Openswan project (2.6.38). This functions correctly and I am able to establish ipsec/l2tp connections from my Android and IOS clients.

~0015556

gstreeter (reporter)

Having replaced the flawed Openswan with the working release I find that the new update to XL2TPD released today has once again broken IPSEC/L2TP. Dear upstream, doesn't anyone bother to test their changes anymore? The sole reason I use CentOS is to run the VPN server. These multiple failures thanks to upstream render the system useless. What a waste of time. Hardly a great advert for converting to Linux.

~0015557

gstreeter (reporter)

XL2TPD error is:
Jul 26 21:53:01 pppd[22778]: /usr/lib/./pppd/2.4.5/pppol2tp.so: cannot open shared object file: No such file or directory
Jul 26 21:53:01 pppd[22778]: Couldn't load plugin pppol2tp.so

~0015558

gstreeter (reporter)

Fix for xl2tpd is to include the following line in xl2tpd.conf:

    [global]
    force userspace = yes

~0015566

kipkoan (reporter)

I can also confirm both of these regressions (openswan & xl2tpd). To resolve, I had to downgrade openswan from 2.6.32-18.el6_3 to 2.6.32-16.el6:

    yum downgrade openswan

... and I had to add what gstreeter provided to /etc/xl2tpd/xl2tpd.conf

    force userspace = yes

in the "[global]" section.

~0016021

raymii (reporter)

Can confirm this bug. Can also confirm that a yum downgrade openswan and the adding of force userspace = yes works to solve the problems.

These versions are working:
ipsec --version
Linux Openswan U2.6.32/K2.6.32-71.29.1.el6.i686 (netkey)

xl2tpd --version
xl2tpd version: xl2tpd-1.3.1
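
The workaround above only takes effect when `force userspace` sits in the `[global]` section. The following is an added example, not part of any comment in this thread and not CentOS or xl2tpd project code: a check that reports the setting's value in `[global]` and ignores it elsewhere. The function name `force_userspace_state`, the sample config, and the treatment of `;` as the comment character are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the value of "force userspace" in the [global]
# section of an xl2tpd.conf-style file. Prints the value, or "unset".

force_userspace_state() {
    awk '
        BEGIN { section = ""; state = "unset" }
        { sub(/;.*$/, "") }                    # drop ";" comments (assumed syntax)
        /^[ \t]*\[/ {                          # section header, e.g. [lns default]
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            section = tolower(section)
            next
        }
        section == "global" && index($0, "=") {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)   # trim key
            gsub(/[ \t]+/, " ", key)           # collapse inner whitespace
            gsub(/^[ \t]+|[ \t]+$/, "", val)   # trim value, so "=yes" and "= yes" match
            if (tolower(key) == "force userspace") state = tolower(val)
        }
        END { print state }
    ' "$1"
}

# Constructed sample config (not taken from a real server). On a host,
# call the function with /etc/xl2tpd/xl2tpd.conf instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
force userspace =yes

[lns default]
require chap = yes
EOF
echo "force userspace in [global]: $(force_userspace_state "$sample")"
rm -f "$sample"
```
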

~0017956

tigalch (manager)

How is this issue with openswan-2.6.32-21.el6_4?

~0017974

tigalch (manager)

Still not solved with 2.6.32-21.el6_4.

~0018528

tigalch (manager)

How is the issue with openswan-2.6.32-27.el6 released with 6.5?

~0018532

gstreeter (reporter)

I no longer use Openswan as this utility has not been maintained. I now use Strongswan with pure IPSec rather than l2tp and not with CentOS.

Issue History
Date Modified Username Field Change
2012-07-13 09:38 gstreeter New Issue
2012-07-18 11:52 arrfab Note Added: 0015497
2012-07-18 11:53 arrfab Note Added: 0015498
2012-07-18 11:53 arrfab Status new => acknowledged
2012-07-19 19:56 gstreeter Note Added: 0015511
2012-07-20 20:57 acdmail Note Added: 0015519
2012-07-21 11:16 gstreeter Note Added: 0015523
2012-07-26 21:17 gstreeter Note Added: 0015556
2012-07-26 21:26 gstreeter Note Added: 0015557
2012-07-26 21:50 gstreeter Note Added: 0015558
2012-07-31 03:13 kipkoan Note Added: 0015566
2012-11-11 18:51 raymii Note Added: 0016021
2013-09-09 19:05 tigalch Note Added: 0017956
2013-09-11 20:31 tigalch Note Added: 0017974
2013-12-02 18:53 tigalch Note Added: 0018528
2013-12-02 18:53 tigalch Status acknowledged => feedback
2013-12-03 13:45 gstreeter Note Added: 0018532
2013-12-03 13:45 gstreeter Status feedback => assigned