Red Hat Bugzilla – Attachment 160975 Details for
Bug 251494
Cannot use IPsec tools with ESP or AH only
[patch]
ipsec-tools_sysconfig_split-phase1-phase2-auth-enc-algorithms.diff (text/plain), 6.58 KB, created by Stijn Tintel on 2007-08-09 13:24:46 UTC

Description: This patch adds configuration parameters for authentication and encryption algorithms used during PHASE 1 of IPsec SA.
Filename: ipsec-tools_sysconfig_split-phase1-phase2-auth-enc-algorithms.diff
MIME Type: text/plain
Creator: Stijn Tintel
Created: 2007-08-09 13:24:46 UTC
Size: 6.58 KB
patch
obsolete
>RedHat's sysconfig scripts mix up PHASE 1 and PHASE 2 of IPsec SA. AH_PROTO and ESP_PROTO are used ONLY during PHASE 2 of IPsec SA. Nonetheless, RedHat uses the values of these variables to configure both PHASE 1 and PHASE 2 of IPsec SA. In addition, if AH_PROTO or ESP_PROTO are set to "none", RedHat scripts will change them to sha1 and 3des, since you need both authentication and encryption for ISAKMP.
>
>The downside of this approach is that because of this mixup, you simply cannot disable AH or ESP. Since ESP also supports authentication, there are cases where you don't want to use AH for that purpose. Even stronger, since AH can be problematic with endpoints behind NAT, AH simply isn't suitable in some cases. Cisco even chose to completely drop AH support in recent versions of their PIX firewall software, so currently it is virtually impossible to create an IPsec VPN between a RHEL 5 and a recent Cisco PIX device.
>
>This patch adds configuration parameters for authentication and encryption algorithms used during PHASE 1 of IPsec SA, and disables the re-enabling of AH_PROTO and/or ESP_PROTO when they are explicitly set to none. The setkey command has been split into several parts to allow the use of only AH or only ESP.
>
>Note that this patch likely lacks some sanity checks, but it works for my scenario and it is certainly a lot better than the way things are currently handled.
>--- ifup-ipsec 2007-08-09 14:41:51.000000000 +0200 >+++ ifup-ipsec.new 2007-08-09 14:53:58.000000000 +0200 
>@@ -102,22 +102,39 @@ > [ -n "$KEY_ESP_IN" ] && SPD_ESP_IN=yes > [ -n "$KEY_ESP_OUT" ] && SPD_ESP_OUT=yes > else >+ [ -z "$IKE_AUTH" ] && IKE_AUTH=sha1 >+ [ -z "$IKE_ENC" ] && IKE_ENC=3des > [ -z "$AH_PROTO" ] && AH_PROTO=sha1 > [ -z "$ESP_PROTO" ] && ESP_PROTO=3des > >+ # We need IKE Authentication and Encryption algorithms since $KEYING = auto >+ if [ "$IKE_AUTH" = "none" ]; then >+ IKE_AUTH=sha1 >+ fi >+ if [ "$IKE_ENC" = "none" ]; then >+ IKE_ENC=3des >+ fi >+ >+ if [ "$AH_PROTO" != "none" ]; then > SPD_AH_IN=yes > SPD_AH_OUT=yes >+ fi >+ if [ "$ESP_PROTO" != "none" ]; then > SPD_ESP_IN=yes > SPD_ESP_OUT=yes >+ fi > fi > > if [ "$AH_PROTO" = "none" ]; then > unset SPI_AH_IN SPI_AH_OUT KEY_AH_IN KEY_AH_OUT SPD_AH_IN SPD_AH_OUT >- AH_PROTO=sha1 # To silence racoon >+ # If people choose to disable AH, let them do so, they likely have a very good reason for it >+ #AH_PROTO=sha1 # To silence racoon > fi >+ > if [ "$ESP_PROTO" = "none" ]; then > unset SPI_ESP_IN SPI_ESP_OUT KEY_ESP_IN KEY_ESP_OUT SPD_ESP_IN SPD_ESP_OUT >- ESP_PROTO=3des # To silence racoon >+ # If people choose to disable ESP, let them do so, they likely have a very good reason for it >+ #ESP_PROTO=3des # To silence racoon > fi > > /sbin/setkey -c >/dev/null 2>&1 << EOF 
>@@ -129,24 +146,38 @@ > spddelete $SPD_DST $SPD_SRC any -P in; > ${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;} > ${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;} >+EOF > > # ESP >-${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} \ >--E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN \ >-${KEY_AESP_IN:+-A ${AESP_PROTO_IN:-$AESP_PROTO} $KEY_AESP_IN} >-;} >-${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} \ >--E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT \ >-${KEY_AESP_OUT:+-A ${AESP_PROTO_OUT:-$AESP_PROTO} $KEY_AESP_OUT} >-;} >+if [ "$ESP_PROTO" != "none" ]; then >+ /sbin/setkey -c >/dev/null 2>&1 << EOF >+ ${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} \ >+ -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN \ >+ ${KEY_AESP_IN:+-A ${AESP_PROTO_IN:-$AESP_PROTO} $KEY_AESP_IN} >+ ;} >+ ${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} \ >+ -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT \ >+ ${KEY_AESP_OUT:+-A ${AESP_PROTO_OUT:-$AESP_PROTO} $KEY_AESP_OUT} >+ ;} >+EOF >+fi > > # AH >-${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;} >-${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;} >+if [ "$AH_PROTO" != "none" ]; then >+ /sbin/setkey -c >/dev/null 2>&1 << EOF >+ ${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;} >+ ${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;} >+EOF >+fi > >+/sbin/setkey -c >/dev/null 2>&1 << EOF > ${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P out none;} > ${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P in none;} >+EOF > >+# This looks weird but if you use both ESP and AH you need to configure them together, not seperately. 
>+if [ "$ESP_PROTO" != "none" ] && [ "$AH_PROTO" != "none" ]; then >+/sbin/setkey -c >/dev/null 2>&1 << EOF > spdadd $SPD_SRC $SPD_DST any -P out ipsec > ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} > ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} >@@ -157,6 +188,27 @@ > ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} > ; > EOF >+elif [ "$AH_PROTO" = "none" ]; then >+/sbin/setkey -c >/dev/null 2>&1 << EOF >+spdadd $SPD_SRC $SPD_DST any -P out ipsec >+ ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} >+ ; >+ >+spdadd $SPD_DST $SPD_SRC any -P in ipsec >+ ${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} >+ ; >+EOF >+elif [ "$ESP_PROTO" = "none" ]; then >+/sbin/setkey -c >/dev/null 2>&1 << EOF >+spdadd $SPD_SRC $SPD_DST any -P out ipsec >+ ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} >+ ; >+ >+spdadd $SPD_DST $SPD_SRC any -P in ipsec >+ ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} >+ ; >+EOF >+fi > > if [ "$KEYING" = "automatic" ]; then > if [ "$IKE_METHOD" = "PSK" ]; then >@@ -176,8 +228,8 @@ > cat >> /etc/racoon/$DST.conf << EOF > my_identifier address; > proposal { >- encryption_algorithm $ESP_PROTO; >- hash_algorithm $AH_PROTO; >+ encryption_algorithm $IKE_ENC; >+ hash_algorithm $IKE_AUTH; > authentication_method pre_shared_key; > dh_group 2 ; > } >@@ -198,8 +250,8 @@ > fi > cat >> /etc/racoon/$DST.conf << EOF > proposal { >- encryption_algorithm $ESP_PROTO; >- hash_algorithm $AH_PROTO; >+ encryption_algorithm $IKE_ENC; >+ hash_algorithm $IKE_AUTH; > authentication_method rsasig; > dh_group 2; > } >@@ -210,8 +262,8 @@ > cat >> /etc/racoon/$DST.conf << EOF > my_identifier address; > proposal { >- encryption_algorithm $ESP_PROTO; >- hash_algorithm $AH_PROTO; >+ encryption_algorithm $IKE_ENC; >+ hash_algorithm $IKE_AUTH; > authentication_method gssapi_krb; > dh_group 2 ; > }
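Review bot: in hunk @@ -102,22 +102,39 @@ the `if [ "$IKE_AUTH" = "none" ]` / `if [ "$IKE_ENC" = "none" ]` blocks silently replace an explicit "none" with sha1/3des, which is exactly the behaviour the rest of the patch removes for AH_PROTO and ESP_PROTO; since IKE genuinely needs both algorithms, treat "none" here as a configuration error (or at least print a warning) so the user learns the setting was overridden. In the same hunk the two commented-out lines `#AH_PROTO=sha1 # To silence racoon` and `#ESP_PROTO=3des # To silence racoon` should be deleted rather than left as dead code: now that the racoon proposals read `$IKE_ENC`/`$IKE_AUTH`, the "silence racoon" workaround no longer has a purpose and the surviving comment will mislead the next reader.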
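Review bot: in hunk @@ -129,24 +146,38 @@ each new `/sbin/setkey -c >/dev/null 2>&1 << EOF` block discards setkey's exit status and output, so a rejected `add` (wrong key length, unknown algorithm name) leaves the SA missing while the script carries on and installs the SPD policy below it, which then points at an SA that does not exist; check the exit status after each block and abort instead of continuing. The `if [ "$ESP_PROTO" != "none" ]` and `if [ "$AH_PROTO" != "none" ]` guards are also redundant with the earlier `unset ... KEY_ESP_IN KEY_ESP_OUT ...` / `unset ... KEY_AH_IN KEY_AH_OUT ...`: with the keys unset the `${KEY_ESP_IN:+...}` and `${KEY_AH_IN:+...}` expansions are already empty, so the guards can go, or keep them with a comment saying they are only for readability.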
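Review bot: in hunk @@ -157,6 +188,27 @@ there is no branch for the case where both `AH_PROTO` and `ESP_PROTO` are "none": none of the three `spdadd` blocks runs, no SPD entry is installed, and the interface comes up passing traffic in the clear with no error reported. Because the patch deliberately stops forcing these back to sha1/3des, that combination needs an explicit rejection (exit with a message) before any setkey call. Separately, the `elif [ "$AH_PROTO" = "none" ]` and `elif [ "$ESP_PROTO" = "none" ]` copies of the spdadd heredoc differ from the first only by omitting `${SPD_AH_*:+...}` or `${SPD_ESP_*:+...}` lines, and those expansions are already empty because the earlier hunk unsets `SPD_AH_IN SPD_AH_OUT` / `SPD_ESP_IN SPD_ESP_OUT` when the protocol is "none"; unless setkey rejects the single block in some case, the original one-block form handles all three combinations and the duplicated heredocs can be dropped.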
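Review bot: in hunks @@ -176,8 +228,8 @@, @@ -198,8 +250,8 @@ and @@ -210,8 +262,8 @@ the new `encryption_algorithm $IKE_ENC;` / `hash_algorithm $IKE_AUTH;` lines interpolate the sysconfig values into `/etc/racoon/$DST.conf` without validation, and racoon's proposal names (e.g. `3des`, `sha1`) differ from the setkey spellings used for `-E`/`-A` (e.g. `3des-cbc`, `hmac-sha1`), so a user who copies the ESP_PROTO/AH_PROTO spelling into the new variables gets a racoon parse failure at negotiation time rather than a clear error at ifup; validate the two variables against the accepted racoon names where they are defaulted in the first hunk, and document the new IKE_AUTH and IKE_ENC keys next to the existing AH_PROTO/ESP_PROTO ones. The identical proposal edit is made in three places (pre_shared_key, rsasig, gssapi_krb); emitting the proposal block once would make future algorithm changes less error-prone.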