Bug 166257
| Field | Value |
|---|---|
| Summary | ipsec VPN problems caused by some code in ifup-ipsec |
| Product | [Fedora] Fedora |
| Component | initscripts |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Reporter | Tarhon-Onu Victor <lsmituc> |
| Assignee | Bill Nottingham <notting> |
| QA Contact | Brock Organ <borgan> |
| CC | bilias, cch1, denis, rvokal |
| Fixed In Version | 8.34-1 |
| Doc Type | Bug Fix |
| Last Closed | 2006-05-23 19:19:12 UTC |
| Bug Blocks | 150221 |
Description
Tarhon-Onu Victor
2005-08-18 12:28:41 UTC
Created attachment 117866: A quick fix that works

This is a patch for ifup-ipsec that also adds checking for $KEY_{AH,ESP}_{IN,OUT} against null values.

Furthermore, there is no support for NAT traversal. Not too hard to add, though. First, automatic keying is implied with NAT - only really an issue for the GUI. Second, the "nat_traversal on" statement must be included in the generated racoon file (trivial). Third, the policy requirement for AH must be removed - by testing for the presence of AH_KEY_IN/OUT just like in the manual keying section. I would think a variable like NAT=YES in ipsec-<my config> would be a good approach.

-Chris

Should be fixed in 8.34-1.

Hi all,

I think this is a good place to comment:

initscripts-9.02.1-1.i686
Fedora 12

NAT support is not there yet. We have to add manually in ifup-ipsec

nat_traversal on;

Disabling AH is easier by adding AH_PROTO=none in ifcfg-ipsecX file.

best regards,
Giannis
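
The two changes discussed in the comments above (emit `nat_traversal on;` and drop the AH policy requirement when NAT is in the path) can be sketched as follows. This is an added example, not code from initscripts or from the attached patch: `NAT` and `AH_PROTO` are the variable names mentioned in the comments, while the function names, proposal values, transport mode and peer addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not initscripts code. NAT and AH_PROTO are the variables
# named in the comments above; function names and addresses are constructed.

# Succeeds when AH should be part of the policy. AH authenticates the outer
# IP header, which a NAT device rewrites, so it is dropped when NAT=YES.
use_ah() {
    [ "$NAT" != "YES" ] && [ "$AH_PROTO" != "none" ]
}

# Print setkey(8) SPD entries for a host-to-host (transport mode) link.
spd_policy() {
    src=$1; dst=$2; ah=""
    if use_ah; then ah=" ah/transport//require"; fi
    printf 'spdadd %s %s any -P out ipsec esp/transport//require%s;\n' "$src" "$dst" "$ah"
    printf 'spdadd %s %s any -P in ipsec esp/transport//require%s;\n' "$dst" "$src" "$ah"
}

# Print the racoon.conf remote stanza; proposal values are illustrative.
racoon_remote() {
    printf 'remote %s {\n    exchange_mode main;\n' "$1"
    if [ "$NAT" = "YES" ]; then printf '    nat_traversal on;\n'; fi
    printf '    proposal {\n'
    printf '        encryption_algorithm aes;\n'
    printf '        hash_algorithm sha256;\n'
    printf '        authentication_method pre_shared_key;\n'
    printf '        dh_group modp2048;\n'
    printf '    }\n}\n'
}

# Constructed peer addresses (RFC 5737 documentation ranges).
NAT=YES AH_PROTO=""
spd_policy 192.0.2.10 198.51.100.20
racoon_remote 198.51.100.20
```

With `NAT=YES` the output carries ESP-only policies and a `nat_traversal on;` line; with `NAT` unset and `AH_PROTO` not `none`, both policies also require AH.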