Bug 126646

Summary: lan to lan doesn't seem to work
Product: [Fedora] Fedora Reporter: Stephen Moore <stephen>
Component: system-config-networkAssignee: Harald Hoyer <harald>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 2CC: stefang
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-07-05 08:16:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
ipsec config file
none
ipsec config file - branch end none

Description Stephen Moore 2004-06-24 06:22:34 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040510

Description of problem:
Cant establish a vpn, it doesnt look as if it can work as the setkey
command is not executed. A route add is attempted before the vpn is
established

Version-Release number of selected component (if applicable):
ipsec-tools-0.2.5-2

How reproducible:
Always

Steps to Reproduce:
1.Click on activate
2.no vpn
3.
    

Actual Results:  no vpn and no entries from setkeys -D

Expected Results:  vpn that works

Additional info:
Comment 1 Bill Nottingham 2004-06-29 05:07:02 UTC 
Please attach your config files.
Comment 2 Stephen Moore 2004-06-30 00:50:51 UTC 
Created attachment 101524 [details]
ipsec config file

Main lan end of vpn
Comment 3 Stephen Moore 2004-06-30 01:38:21 UTC 
Attempting this configuration

   Branch LAN
 192.168.3.0/24
       |
  192.168.3.20 
       |
  _____|_____
 |    eth0   |
 |           |
 |   Branch  |
 |           |
 |    ppp0   |
 |___________|
       |
 138.130.229.129
       |
       |
    Internet
       |
       |
  203.51.193.92
       |
  _____|_____
 |    ppp0   |
 |           |
 | Corporate |
 |           |
 |    eth0   |
 |___________|
       |
 203.30.176.2
       |
 Corporate LAN
203.30.176.0/24
Comment 4 Stephen Moore 2004-06-30 01:41:39 UTC 
Created attachment 101525 [details]
ipsec config file - branch end
Comment 5 Stephen Moore 2004-06-30 01:53:18 UTC 
We have manually generated the encryption keys using the tool
provided. However the script that starts the ipsec connection seems
broken. We set -x on the script and the following is the tail of the
output.

+ '[' -n 192.168.3.0/24 -o -n 203.30.176.0/24 ']'
+ MODE=tunnel
+ '[' -n '' ']'
+ '[' -z manual ']'
+ '[' -z '' ']'
++ ip -o route get to 138.130.229.129
++ sed 's|.*src \([^ ]*\).*|\1|'
+ SRC=203.51.193.92
+ '[' manual = manual ']'
+ '[' -z '' ']'
+ AH_PROTO=hmac-sha1
+ '[' -z '' ']'
+ ESP_PROTO=3des-cbc
+ '[' tunnel = host ']'
+ '[' -z 192.168.3.0/24 ']'
+ '[' -z 203.30.176.0/24 ']'
+ ip route add to 203.30.176.0/24 via 138.130.229.129
RTNETLINK answers: Network is unreachable
+ /sbin/setkey -c
+ '[' manual = automatic ']'
Comment 6 Stephen Moore 2004-06-30 01:58:11 UTC 
What we can't get past is that the ip route command comes before the
setkey command. I messed with the script to get it to echo to stdout
the setkey command.

We tried this command manually with no luck also. We have also tried
the script at http://www.ipsec-howto.org/ with no luck (were losers).
So we are fairly stuck at this point.
Comment 7 Bill Nottingham 2004-06-30 02:37:04 UTC 
I think the config is wrong... what happens if you switch the DST in
the two files?
Comment 8 Stephen Moore 2004-06-30 04:26:45 UTC 
we have a dynamic ip addresses (we have applied for a static ip) at
the moment, so our ppp0 ip addressess are going to change from time to
time. Given that after changing the DST addressess this is the out put
of my echoie ifup.

[root@mail root]# ifup /etc/sysconfig/network-scripts/ifcfg-Dump 
Were here
RTNETLINK answers: File exists
add 138.130.228.48 138.130.228.48 esp -m tunnel -E 3des-cbc
"75de8308eb3420019b64928738bc971d";
add 138.130.228.48 138.130.228.48 esp -m tunnel -E 3des-cbc
"75de8308eb3420019b64928738bc971d";
add 138.130.228.48 138.130.228.48 ah -m tunnel -A hmac-sha1
"5b7c2e823cdc57841add1068b65399e0";
add 138.130.228.48 138.130.228.48 ah -m tunnel -A hmac-sha1
"5b7c2e823cdc57841add1068b65399e0";
spdadd 203.30.176.0/24 192.168.3.0/24 any -P out ipsec
esp/tunnel/138.130.228.48-138.130.228.48/require
ah/tunnel/138.130.228.48-138.130.228.48/require
spdadd 192.168.3.0/24 203.30.176.0/24 any -P in ipsec
esp/tunnel/138.130.228.48-138.130.228.48/require
ah/tunnel/138.130.228.48-138.130.228.48/require
[root@mail root]#  /sbin/setkey -D
No SAD entries.
Comment 9 Bill Nottingham 2004-06-30 04:36:50 UTC 
Heh, you've got debugging in the script. Is setkey throwing an error?
(Don't redirect the output, etc...)
Comment 10 stef 2004-06-30 04:57:08 UTC 
We've added debugging to the script so we can see the commands its
issuing to setkey.

Without the echoyness it only returns:

RTNETLINK answers: File exists



setkey does not appear to be throwing an error
Comment 11 stef 2004-06-30 06:09:04 UTC 
my bad - found the redirects you were talking about

setkey is throwing parse errors

i changed script again to output the vars its using:

[root@mail root]# ifup /etc/sysconfig/network-scripts/ifcfg-Dump 
RTNETLINK answers: File exists
SRC=138.130.228.48
DST=138.130.228.48
SPI_AH_OUT=
SPI_AH_IN=
SRCNET=203.30.176.0/24
DSTNET=192.168.3.0/24
SPI_ESP_OUT=
SPI_ESP_IN=
line 1: parse error at [;]
parse failed, line 1.


thinking its got something to do with the vars
SPI_AH_IN/OUT and SPI_ESP_IN/OUT not being populated
Comment 12 Bill Nottingham 2004-06-30 19:20:54 UTC 
If you're using completely manual keys, you need SPIs set.

They're arbitrary-but-unique-per-host numbers (from 1 to 65536); _IN
on one side needs to match _OUT on the other. They're connection
identifiers.
Comment 13 stef 2004-07-01 02:42:26 UTC 
Set SPI's and got past that error ...

The key generated by network tool is the wrong length for the
default encryption types.

Manually adjusting the keys got it to work - thanks.
Comment 14 Bill Nottingham 2004-07-01 02:44:54 UTC 
So, it all works now with the configuration?
Comment 15 stef 2004-07-01 04:37:15 UTC 
The comments at the top of the ifup-ipsec script make sense now that
its working. Basically, i was missing the SPI ids and keys weren't
right for the encryption.

It doesn't seem to add the route but I *can* ping something over there :)
Comment 16 Bill Nottingham 2004-07-01 18:07:00 UTC 
Closing as worksforme, then.
Comment 17 stef 2004-07-01 22:24:17 UTC 
As we used the ipsec wizard in the system-config-network gui app,
it may be a bug that these ids and keys were incorrect or missing.
Comment 18 Harald Hoyer 2004-07-02 08:25:56 UTC 
fixed in the development tree with system-config-network-1.3.17-2
I think of releasing a bugfix erratum for FC2.
Could you please test system-config-network-1.3.17-2 ??
Comment 19 Harald Hoyer 2004-07-02 08:26:54 UTC 
hmm, bug #127114 seems to be a duplicate of this one..
Comment 20 stef 2004-07-05 05:03:06 UTC 
The ipsec wizard in system-config-network-1.3.17-2 works nicely, thanks.
Comment 21 Harald Hoyer 2004-07-05 08:16:39 UTC 
*** Bug 127114 has been marked as a duplicate of this bug. ***