Bug 166257

Summary: ipsec VPN problems caused by some code in ifup-ipsec
Product: Fedora
Reporter: Tarhon-Onu Victor <lsmituc>
Component: initscripts
Assignee: Bill Nottingham <notting>
Status: CLOSED RAWHIDE
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: medium
Version: rawhide
CC: bilias, cch1, denis, rvokal
Hardware: All   
OS: Linux   
Fixed In Version: 8.34-1
Doc Type: Bug Fix
Last Closed: 2006-05-23 19:19:12 UTC
Bug Blocks: 150221
Attachments: A quick fix that works

Description Tarhon-Onu Victor 2005-08-18 12:28:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Fedora/1.7.10-1.3.1

Description of problem:
There are some problems getting up an IPSec VPN because of the following lines in ifup-ipsec:
== cut here ==
     [ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"
     [ "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] && KEY_AH_OUT=\"$KEY_AH_OUT\"
     [ "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] && KEY_ESP_IN=\"$KEY_ESP_IN\"
     [ "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] && KEY_ESP_OUT=\"$KEY_ESP_OUT\"
== and here ==

I use the ESP protocol, not AH, so the lines concerning any AH setting (keys, encryption protocols, etc.) are left blank.

But, somewhere below these lines, in ifup-ipsec, there are lines like the following:
== cut here ==
# AH
${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
== and here ==
So if the variables KEY_AH_{IN,OUT} are set OK, we add the right lines to the output we send to setkey. But if, say, KEY_AH_IN is null (or does not begin with "0x") then:
[ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"
...and $KEY_AH_IN is now set to '""', causing the following output to be sent to setkey:
== cut here ==
# AH
add $DST $SRC ah $SPI_AH_IN -A  AH_PROTO_IN "";
add $SRC $DST ah $SPI_AH_OUT -A AH_PROTO_OUT "";
== and here ==

Of course, setkey will exit due to syntax errors and will fail to set the security policies which follow.

Version-Release number of selected component (if applicable):
initscripts-8.11.1-1 (FC4, current fedora core devel)

How reproducible:
Always

Steps to Reproduce:
1. Configure an IPsec tunnel in /etc/sysconfig/network-scripts/ifcfg-ipsec0 using one of the AH or ESP protocols;
2. run ifup ipsec0 as root;
3. run setkey -DP and notice that no policies are set.
  

Actual Results:  setkey exits prematurely due to syntax errors caused by misevaluation of some variables.

Expected Results:  The output:
== cut here ==
# AH
add $DST $SRC ah $SPI_AH_IN -A  AH_PROTO_IN "";
add $SRC $DST ah $SPI_AH_OUT -A AH_PROTO_OUT "";
== and here ==
should never be generated (in our particular example) and setkey will finish its job.


Additional info:

The way the $KEY_ variables are evaluated has to be changed. These variables have to be hex strings (beginning with 0x) or double-quoted character strings; the tests do check this, but a not-null test should also be performed.

I also modified a version of ifup-ipsec to write everything it sends to setkey to a file (/tmp/ipsecvpn.setkey); it is available at ftp://blackblue.iasi.rdsnet.ro/pub/various/i/ifup-ipsec-debug.
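
The quoting defect described in this report, as an added example (not code from initscripts or from the reporter's attached patch): the original quoting step beside one with the not-null test, both fed through the same `${VAR:+...}` expansion that ifup-ipsec uses to build the AH lines for setkey. The tunnel addresses, SPIs and the hmac-md5 algorithm are constructed values.

```shell
#!/bin/bash
# Added example, not code from initscripts or the reporter's patch.
# Shows why an empty KEY_AH_IN becomes the two-character string '""'
# (which ${VAR:+...} treats as non-null) and how a not-null test fixes it.

# Quoting as ifup-ipsec did it: any key that does not start with 0x is
# wrapped in double quotes, including an empty one.
quote_key_buggy() {
    local key="$1"
    [ "$key" = "${key##0x}" ] && key="\"$key\""
    printf '%s' "$key"
}

# Fixed quoting: wrap only a non-empty key that lacks the 0x prefix.
quote_key_fixed() {
    local key="$1"
    [ -n "$key" ] && [ "$key" = "${key##0x}" ] && key="\"$key\""
    printf '%s' "$key"
}

# Build the AH lines for setkey the way ifup-ipsec does: ${VAR:+text}
# emits a line only when the key variable is non-null. SPIs and the
# hmac-md5 algorithm are constructed placeholders.
ah_lines() {
    local SRC="$1" DST="$2" KEY_AH_IN="$3" KEY_AH_OUT="$4"
    local SPI_AH_IN=0x200 SPI_AH_OUT=0x201 AH_PROTO=hmac-md5
    local line_in="${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A $AH_PROTO $KEY_AH_IN;}"
    local line_out="${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A $AH_PROTO $KEY_AH_OUT;}"
    [ -n "$line_in" ]  && printf '%s\n' "$line_in"
    [ -n "$line_out" ] && printf '%s\n' "$line_out"
    return 0
}

# Run the key pair through the chosen quoting and print the resulting
# setkey input for a constructed 10.0.0.1 <-> 10.0.0.2 tunnel.
generate_ah_config() {
    local mode="$1" key_in="$2" key_out="$3" q_in q_out
    if [ "$mode" = buggy ]; then
        q_in=$(quote_key_buggy "$key_in"); q_out=$(quote_key_buggy "$key_out")
    else
        q_in=$(quote_key_fixed "$key_in"); q_out=$(quote_key_fixed "$key_out")
    fi
    ah_lines 10.0.0.1 10.0.0.2 "$q_in" "$q_out"
}

# ESP-only setup: AH keys left blank. Buggy quoting emits two bogus lines
# ending in ""; the fixed version emits nothing, so setkey keeps parsing.
echo '--- buggy ---'; generate_ah_config buggy '' ''
echo '--- fixed ---'; generate_ah_config fixed '' ''
```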

Comment 1 Tarhon-Onu Victor 2005-08-18 12:38:28 UTC
Created attachment 117866 [details]
A quick fix that works

This is a patch for ifup-ipsec that also adds checking of $KEY_{AH,ESP}_{IN,OUT} against null values.

Comment 2 Chris Hapgood 2005-10-25 18:52:14 UTC
Furthermore, there is no support for NAT traversal. Not too hard to add, though. First, automatic keying is implied with NAT (only really an issue for the GUI). Second, the "nat_traversal on" statement must be included in the generated racoon file (trivial). Third, the policy requirement for AH must be removed, by testing for the presence of AH_KEY_IN/OUT just like in the manual keying section.

I would think a variable like NAT=YES in ipsec-<my config> would be a good approach.

-Chris

Comment 3 Bill Nottingham 2006-05-23 19:19:12 UTC
Should be fixed in 8.34-1.

Comment 4 Kapetanakis Giannis 2010-02-07 14:28:18 UTC
Hi all,

I think this is a good place to comment:

initscripts-9.02.1-1.i686
Fedora 12

NAT support is not there yet. We have to add manually in ifup-ipsec:
nat_traversal on;

Disabling AH is easier by adding AH_PROTO=none in the ifcfg-ipsecX file.

best regards,

Giannis