Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 158245

Summary: Making AH optional for IPSec
Product: Red Hat Enterprise Linux 4 Reporter: Aleksandar Milivojevic <alex>
Component: initscriptsAssignee: Bill Nottingham <notting>
Status: CLOSED DUPLICATE QA Contact: Brock Organ <borgan>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: rvokal
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-05-19 16:26:27 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Description Flags
one way to do it none

Description Aleksandar Milivojevic 2005-05-19 16:18:37 EDT
Description of problem:
Hi Bill,

While solving some problems I had with IPSec, and looking around how other
people sovled them, I realized that many folks choose to use ESP only (no AH)
when building tunnels.  Also, according to IPSec HOWTO
(http://www.ipsec-howto.org/), AH is incompatible with NAT-traversal (only ESP
can be used with it).  Since ESP can also provide for packet authentication,
using AH should be configuration option.  Implementing this option could be a
step to having option for NAT-traversal in the future.

I've included a patch against initscripts 7.93.11 (ifup and ifdown).  Not tested
yet, just to show general idea.  The patch is simple, couple of if statments and
duplication of code.

If you find this option to be worth inclusion into the initscripts, I'll do the
testing, and resubmit patch (if needed).  I could also work on a bit more
complicated version of patch.  Basically, it would build "setkey" script in
temporary directory, and than execute it.  The code would look something like this:

cat > /tmp/blahblah <<EOF
#! /usr/sbin/setkey -f

blah blah

if [ -n "$USE_AH" ]; then
  cat >> /tmp/blahblah <<EOF
more blah blah

chmod 755 /tmp/blahblah
rm -f /tmp/blahblah

Or something similar to the above.  That would make ifup/ifdown-ipsec scripts
more managable as features are added in the future (no duplication of code).

So basically, let me know what you think about it...

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
Comment 1 Aleksandar Milivojevic 2005-05-19 16:18:37 EDT
Created attachment 114591 [details]
one way to do it
Comment 2 Bill Nottingham 2005-05-19 16:26:27 EDT

*** This bug has been marked as a duplicate of 122452 ***