Bug 147001

Summary: ifup-ipsec incompatible with kernel >= 2.6.10
Product: [Fedora] Fedora Reporter: Tyler Larson <redhat-bugzilla>
Component: initscriptsAssignee: Bill Nottingham <notting>
Status: CLOSED ERRATA QA Contact: Brock Organ <borgan>
Severity: high Docs Contact:
Priority: medium    
Version: 3CC: ckjohnson, fedora, rvokal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-03-07 20:06:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tyler Larson 2005-02-03 16:17:33 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0

Description of problem:
When setting up an ipsec tunnel using kernel >= 2.6.10, a forward
policy must also be defined using setkey.

Quote from http://www.ipsec-howto.org/x277.html :
---

Attention: When using the Linux kernel >= 2.6.10 you also have to
define the forward policy for the tunnel to work. You can create this
policy by copying the -P in policy and replacing in by fwd:

spdadd 172.16.2.0/24 172.16.1.0/24 any -P fwd ipsec
           esp/tunnel/192.168.2.100-192.168.1.100/require;

---



Version-Release number of selected component (if applicable):
initscripts-7.93.5-1

How reproducible:
Always

Steps to Reproduce:
1. upgrade to kernel >= 2.6.10
2. set up an ipsec tunnel
3. Attempt to use the tunnel from a box other than the tunnel endpoint

    

Actual Results:  traffic is not forwarded from the IPSec tunnel (the
tunnel is non-functional), though non-tunneled IPSec traffic does
travel over the IPSec link -- that is, endpoint-to-endpoint traffic
works, but traffic from other machines is not forwarded through the
tunnel.

Expected Results:  Traffic should be forwarded throught the tunnel

Additional info:

IPSec tunnels are non-functional anyway until bug #140654 is fixed.
Comment 1 Tyler Larson 2005-02-03 16:22:36 UTC 
Fix:
@@ -164,6 +164,12 @@
            ${KEY_ESP_IN:+esp/tunnel/$DST-$SRC/require}
            ${KEY_AH_IN:+ah/tunnel/$DST-$SRC/require}
            ;
+
+spdadd $DSTNET $SRCNET any -P fwd ipsec
+           ${KEY_ESP_IN:+esp/tunnel/$DST-$SRC/require}
+           ${KEY_AH_IN:+ah/tunnel/$DST-$SRC/require}
+           ;
+
 EOF
     fi
 fi
Comment 2 Bill Nottingham 2005-02-03 19:46:53 UTC 
Did you try the test update?
Comment 3 Tyler Larson 2005-02-11 20:16:42 UTC 
Yes. Sorry about not seeing that earlier. It does fix this bug, but
doesn't fix #140654. Sorry to keep harping on this, but fixing this
bug doesn't help much as long as that one remains unresolved:
ifup-ipsec in tunnel mode is still doesn't work.
Comment 4 Christopher Johnson 2005-02-18 02:09:21 UTC 
Of course what is done in ifup should be undone in ifdown.  initscripts-7.93.6-1
adds fwd policies but does not remove them.  Suggested patch:
--- ifdown-ipsec.orig   2005-02-17 20:34:42.222228512 -0500
+++ ifdown-ipsec        2005-02-17 20:51:49.242922534 -0500
@@ -57,6 +57,7 @@
        setkey -c << EOF
        spddelete $SRC $DST any -P out;
        spddelete $DST $SRC any -P in;
+       spddelete $DST $SRC any -P fwd;
 EOF
 else
       [ -z "$SRCNET" ] && SRCNET="$SRC/32"
@@ -67,6 +68,7 @@
       /sbin/setkey -c >/dev/null 2>&1 << EOF
        spddelete $SRCNET $DSTNET any -P out;
        spddelete $DSTNET $SRCNET any -P in;
+       spddelete $DSTNET $SRCNET any -P fwd;
 EOF
 fi
Comment 5 Bill Nottingham 2005-02-18 21:57:03 UTC 
Added in CVS.
Comment 6 Bill Nottingham 2005-03-07 20:06:13 UTC 
Closing this one for now; the ifup-ipsec/ifdown-ipsec changes are
obviated with the ipsec-tools update.