Bug 150094

Summary: racoon/setkey won't complete connection to openswan
Product: [Fedora] Fedora Reporter: Douglas E. Warner <silfreed>
Component: initscriptsAssignee: Bill Nottingham <notting>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Brock Organ <borgan>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: bojan, rbulling, rvokal, triage
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard: bzcl34nup
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-07 00:07:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Description Flags
FC3 Openswan Config Excerpt
FC3 Openswan Log when tunnel is trying to come up
FC2 Racoon ifcfg interface
FC2 Racoon modified $DST.conf
FC2 Racoon Log when tunnel is trying to come up
FC2 ifup-ipsec modified lines to make tunnel work
Patch to disable AH in RHEL4 none

Description Douglas E. Warner 2005-03-02 14:48:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux) (KHTML, like Gecko)

Description of problem:
I have an FC2 box that I'm trying to use racoon/setkey to connect to a FC3 box using openswan.  The FC3 box has been running for some time with various VPN connections and is known to work.
I was trying to setup the FC2 box using the init scripts provided that use ifup/down-ipsec.  I was able to get the connection to the point where it would try to come up, but the SA was never completed using the default config.
In the racoon config I had to make sure that it used main mode instead of aggressive.
In the ifup-ipsec script (the part I don't like modifying), I had to modify the setkey options to not setup an AH connection and set the ESP connection to 'unique'.  All my steps were helped with the instructions from this web page:

I should note that this was all done with automatic keying and PSKs.

Packages on each box are below.

== FC3 Box using openswan ==

== FC2 Box using racoon/setkey ==

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup an open/freeswan server
2. Setup an fc2 server and configure the ifcfg-ipsec interface
3. Try to bring up the tunnel

Actual Results:  The tunnel fails to fully come up.  Both sides get 'stuck'.

Expected Results:  Tunnel should come up with minimal config changes.  Interop with openswan should be a design goal, I would think, since both are packaged with FC3.

Additional info:

I think modifying the $DST.conf file to change the exchange mode is fine.  If there was some way to specify the setkey options in a generated file similar to the way the $DST.conf file is generated it would be much cleaner than modifying the ifup-ipsec.

Comment 1 Douglas E. Warner 2005-03-02 14:49:20 UTC
Created attachment 111571 [details]
FC3 Openswan Config Excerpt

Comment 2 Douglas E. Warner 2005-03-02 14:50:29 UTC
Created attachment 111572 [details]
FC3 Openswan Log when tunnel is trying to come up

Comment 3 Douglas E. Warner 2005-03-02 14:51:46 UTC
Created attachment 111573 [details]
FC2 Racoon ifcfg interface

Comment 4 Douglas E. Warner 2005-03-02 14:52:14 UTC
Created attachment 111574 [details]
FC2 Racoon modified $DST.conf

Comment 5 Douglas E. Warner 2005-03-02 14:52:48 UTC
Created attachment 111575 [details]
FC2 Racoon Log when tunnel is trying to come up

Comment 6 Douglas E. Warner 2005-03-02 14:53:34 UTC
Created attachment 111576 [details]
FC2 ifup-ipsec modified lines to make tunnel work

Comment 7 Richard Bullington-McGuire 2005-11-09 20:34:59 UTC
This FreeSWAN interoperability problem also exists in RHEL 3 and RHEL 4. Adding
an option to the ifconfig-ipsec* configuration files that gets parsed by the
ifup-ipsec script could help. That option should specify whether AH is required.
It should be enabled by default, but you should be able to turn it off if your
IPSEC peer does not support AH.

Comment 8 Richard Bullington-McGuire 2005-11-09 20:51:50 UTC
Created attachment 120854 [details]
Patch to disable AH in RHEL4

Here's a patch vs. RHEL4 that disables AH completely. I would not propose
including this patch directly, but instead to use it for testing so that a
working ifup-ipsec that understands some sort of syntax in ifcfg-ipsec* similar
to one of:

# This option would require both AH and ESP (the status quo)

# This option would require only ESP, yielding results similar to the
# enclosed patch

Comment 9 Richard Bullington-McGuire 2006-01-27 12:56:26 UTC
Note that I did not get racoon to completely interoperate with the patch that I
posted on 2005-11-09, but it did help the key negotiation proceed farther than
it had before.

Comment 10 Bug Zapper 2008-04-03 15:53:21 UTC
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

Comment 11 Bug Zapper 2008-05-07 00:06:58 UTC
This bug has been in NEEDINFO for more than 30 days since feedback was
first requested. As a result we are closing it.

If you can reproduce this bug in the future against a maintained Fedora
version please feel free to reopen it against that version.

The process we're following is outlined here: