Bug 110723

Summary: Will dhcrelay work through IPSEC in FC2?
Product: [Fedora] Fedora Reporter: Stefan Christians <bugzilla>
Component: dhcp Assignee: Jason Vas Dias <jvdias>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 1   
Hardware: i586   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2006-03-16 00:26:26 UTC Type: ---
Attachments:
Description Flags
enable dhcrelay to function when running on endpoint of ipsec tunnel none
enable dhcrelay to function when running on endpoint of ipsec tunnel none

Description Stefan Christians 2003-11-24 09:42:17 UTC
We would like to ask the dhcp package maintainers to keep in mind
the following problems when dhcp is re-packaged for Fedora Core 2 with the 2.6
kernel.

Description of problem:
If the dhc relay agent is running on the machine which functions as
VPN-gateway using IPSEC, it cannot contact the dhcp server.

Version-Release number of selected component (if applicable):
dhcp-3.0pl1-9
FreeS/wan 1.99
on RHL8

How reproducible:
always

Steps to Reproduce:
either
1. reboot the machine with dhcrelay and ipsec chkconfigged on
or
1. service ipsec start
2. and then immediately service dhcrelay start
  
Actual results:
dhcrelay cannot contact the dhcp server through the virtual ipsec
interface.

Expected results:
dhcrelay should relay dhcp information

Additional info:

1) We had to change the startup priority in dhcrelay's init script to
98. There seems to be a time lag between when the ipsec service has
started and when the virtual interface becomes available. 

2) We had to recompile dhcrelay with USE_SOCKETS defined in
includes/site.h for dhcrelay to work over the virtual ipsec interface.

Not sure whether this will still be an issue with ipsec integrated in
the 2.6 kernel, so we just want to make this "pre-emptive" bug report
to ensure that dhcrelay will work out of the box when fc2 is released.

Comment 1 Daniel Walsh 2004-03-25 19:00:27 UTC
Have you checked this on FC2?

Comment 2 Stefan Christians 2004-03-27 18:43:32 UTC
Created attachment 98901 [details]
enable dhcrelay to function when running on endpoint of ipsec tunnel

Just finished checking it on FC2 Test1:

1) startup priority
Setkey does not create a virtual interface, so the physical interfaces dhcrelay
listens on all already exist at the current startup priority.
No need to change anything

2) define USE_SOCKETS
Still, if USE_SOCKETS is not defined in includes/site.h, dhcrelay will not work
through ipsec if it is on the vpn gateway itself.
Looking at the IP-traffic, dhcrelay contacts the dhcp server and gets the
response back, but does not forward it to the client.

A patch for defining USE_SOCKETS is attached.
However, the description of this function sounds a little bit scary, and I have
no non-redhat clients available to test it with other dhcp clients.

Comment 3 Stefan Christians 2004-03-27 18:45:22 UTC
Created attachment 98902 [details]
enable dhcrelay to function when running on endpoint of ipsec tunnel

Just finished checking it on FC2 Test1:

1) startup priority
Setkey does not create a virtual interface, so the physical interfaces dhcrelay
listens on all already exist at the current startup priority.
No need to change anything

2) define USE_SOCKETS
Still, if USE_SOCKETS is not defined in includes/site.h, dhcrelay will not work
through ipsec if it is on the vpn gateway itself.
Looking at the IP-traffic, dhcrelay contacts the dhcp server and gets the
response back, but does not forward it to the client.

A patch for defining USE_SOCKETS is attached.
However, the description of this function sounds a little bit scary, and I have
no non-redhat clients available to test it with other dhcp clients.

Comment 4 Jason Vas Dias 2005-06-03 16:41:07 UTC
Sorry for the delay in processing this bug - it somehow slipped
through the cracks.

Is this still an issue with FC-3/4 2.6+ kernel ipsec support?

I am investigating.

Comment 5 Jason Vas Dias 2006-03-16 00:26:26 UTC
No, dhcp currently will NOT work with USE_SOCKETS - for many reasons.
This is being worked on upstream at the ISC.