Bug 145846
Summary: | problem with netfilter and ipsec | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | E. Lefty Kreouzis <lefty> | ||||
Component: | kernel | Assignee: | David Miller <davem> | ||||
Status: | CLOSED NOTABUG | QA Contact: | Brian Brock <bbrock> | ||||
Severity: | high | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 3 | CC: | davej, dgunchev, trevor, wtogami | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | i386 | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2005-09-29 08:17:33 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
E. Lefty Kreouzis
2005-01-22 08:56:10 UTC
Created attachment 110088 [details]
gateway iptables configuration
The problem exists also withe the following simple iptables configuration: # Generated by iptables-save v1.2.11 on Sat Jan 22 11:01:47 2005 *mangle :PREROUTING ACCEPT [35788:8346069] :INPUT ACCEPT [17225:1329797] :FORWARD ACCEPT [15377:6749388] :OUTPUT ACCEPT [13496:2656364] :POSTROUTING ACCEPT [28823:9531852] COMMIT # Completed on Sat Jan 22 11:01:47 2005 # Generated by iptables-save v1.2.11 on Sat Jan 22 11:01:47 2005 *filter :INPUT ACCEPT [162:13225] :FORWARD ACCEPT [48:4032] :OUTPUT ACCEPT [102:16280] COMMIT # Completed on Sat Jan 22 11:01:47 2005 # Generated by iptables-save v1.2.11 on Sat Jan 22 11:01:47 2005 *nat :PREROUTING ACCEPT [2151:189759] :POSTROUTING ACCEPT [1069:144712] :OUTPUT ACCEPT [33:3432] -A POSTROUTING -s 10.3.0.0/255.255.255.0 -o ippp0 -j MASQUERADE COMMIT # Completed on Sat Jan 22 11:01:47 2005 I'm seeing something like this also. At first I thought it was my routing tables or my iptables, but I've quickly exhausted every fix and test case I can think of. I too have a working setup with 2.6.9-1.681 (patched to handle the ipsec/NAT bug). I'm attempting to make another setup where both sides are 2.6.10.766_FC3 (again patched to handle the ipsec/NAT bug) and weird stuff is happening: 1. ping gateway to gateway WORKS (I have both a tunnel and transport setup) 2. ping gateway to remote host FAILS -- the ping gets encapsulated and sent to the remote gateway and there enters PREROUTING chain and then is dropped/lost for no apparent reason 3. ping host to remote host FAILS -- generates ICMP dest_unreach net_unreach on local gateway. Doesn't generate any traffic over the ipsec link. This may be a routing issue, but my routing is simple and I'm pretty sure it is correct (works on 2.6.9). I'll do more testing on 2.6.10 and check out some other bugs and report back. duplicate of 145773 ? Fix is try ipsec-tools-0.5-rc1? I'll test that out. 145507 could possibly be related. Looks like new semantics for us folk doing manual setkey stuff. Must add fwd spd's. This sounds most promising. Ta-da! It's magic! Add yourself some matching -P fwd rules for every -P in spdadd you do with setkey. Definitely this is a usage issue "feature" that changed between 2.6.9 and 2.6.10. I'm not sure how a newer ipsec-tools would help, unless it automatically adds fwd's for every in? That would not really make sense. This bug will hit anyone who has a working MANUALLY CONFIGURED 2.6.9 ipsec setup and then upgrades to 2.6.10. It will just stop working for most packet traversal cases. Hopefully they will see this and not waste 3 hours troubleshooting like I did! If you use the (redhat specific?) ifup-ipsec scripts then the next version will probably fix the problem automatically for you (ala bug 145507). So this bug isn't really a bug as there's really nothing to fix (on the vendor side). An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which may contain a fix for your problem. Please update to this new kernel, and report whether or not it fixes your problem. If you have updated to Fedora Core 4 since this bug was opened, and the problem still occurs with the latest updates for that release, please change the version field of this bug to 'fc4'. Thank you. Note, as per other bugs on this subject, the newer ipsec-tools and/or other packages have this problem fixed so you don't need to manually add fwd rules anymore. So this bug was just a transient problem. As of ipsec-tools-0.5-2.fc3 the behaviour should be the same as it originally was. Also note, adding the fwd rules anyways didn't seem to hurt anything, even with the updated packages. Don't quote me on that though. |