Bug 168972

Summary: IPSec initscript ESP/AH issues
Product: [Fedora] Fedora Reporter: Bill Nottingham <notting>
Component: initscriptsAssignee: Bill Nottingham <notting>
Status: CLOSED RAWHIDE QA Contact: Brock Organ <borgan>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: alex, denis, mitr, rvokal, sean
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 8.36-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-07-21 18:29:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 122452    
Bug Blocks: 150221    

Description Bill Nottingham 2005-09-21 19:18:12 UTC 
+++ This bug was initially created as a clone of Bug #122452 +++

Description of problem:

The IPSec VPN functionality within the Red Hat Linux ES distribution 
doesn't allow the configuration of VPN tunnels using ESP _or_ AH. It 
automatically creates a policy for both ESP and AH. Certain VPN 
servers like Netscreen and many others will accept either ESP or AH, 
but not both.

In order to create a "lan to lan" VPN between a netscreen VPN server 
and a Red Hat Linux ES server the following changes had to be made:

line 196 - 208 of /etc/sysconfig/network-scripts/ifup-ipsec contains 
the following:
=============================================
      /sbin/setkey -c >/dev/null 2>&1 << EOF        
spddelete $SRCNET $DSTNET any -P out;             
spddelete $DSTNET $SRCNET any -P in;             
                                                      
spdadd $SRCNET $DSTNET any -P out ipsec     
            esp/tunnel/$SRC-$DST/require                             
            ah/tunnel/$SRC-$DST/require                  
            ;                              
                                                                      
                    
spdadd $DSTNET $SRCNET any -P in ipsec                    
            esp/tunnel/$DST-$SRC/require                    
            ah/tunnel/$DST-$SRC/require                     
            ;
=============================================

Make the follwing change to the above section (Lan2Lan):
=============================================
      /sbin/setkey -c >/dev/null 2>&1 << EOF        
spddelete $SRCNET $DSTNET any -P out;             
spddelete $DSTNET $SRCNET any -P in;             
                                                      
spdadd $SRCNET $DSTNET any -P out ipsec     
            esp/tunnel/$SRC-$DST/require               
            ;                              
                                                                      
                    
spdadd $DSTNET $SRCNET any -P in ipsec                    
            esp/tunnel/$DST-$SRC/require
            ;
=============================================


The above file changes will only affect "LAN to LAN" VPN's as there 
are configuration directives for both "Host to Host" VPN's as well. 
The following question could propose the way forward:

Is it possible that there should be a setting in the ifcfg-
{interface} file that specifies weather or not ESP and AH should be 
used?

i.e.

ESP=yes
AH=yes






Version-Release number of selected component (if applicable):
initscripts-7.31.9.EL-1


How reproducible:
Every time



Steps to Reproduce:
1. Create VPN between Red Hat Enterprise Linux ES and a hardware VPN 
device or any other VPN server.

  
Actual results:
Tunnels don't come up

Expected results:
Tunnels should come up

Additional info:
This is also a problem on Fedora Core 2 test3

-- Additional comment from splaice on 2004-11-12 22:16 EST --
I ran into this same problem expect both end points for my vpn's are
FC2 boxes. Updating ifup-ipsec not to add the AH entries to the SPD
resolved the problem.

Configuration:
two FC2 boxes, IKE=PSK, Network-to-Network tunnel.

-- Additional comment from alex on 2005-05-20 15:42 EST --
Created an attachment (id=114650)
Make AH and ESP optional

I've found couple of problems with the previous patch.
 - manual keying was buggy
 - only ESP encryption with manual keying was possible (no auth)
 - couple of things cleaned
 - couple of typos fixed

This verion of patch will allow encryption+auth with ESP.  If KEY_AESP variable
is set (or separate keys for IN and OUT like all other keys), authentication
keys for ESP will be added when maunal keying is used.	If both AH and ESP are
used, authentication keys for ESP will be different than those for AH (for
those that like to do things twice).

This patch is against initscripts 7.93.11.  To make it fully work, at least
route fix from bug #146169 should also be added to the script.	Optionally, fix
for overlapping networks might also be needed in some cases (bug #150862).  It
should be fairly trivial to incorporate those two fixes into this patch.

Also, I'm using ipsec-tools 0.5 (from http://people.redhat.com/notting/ipsec/).
 Seems that new version of racoon wants certificate type to be specified in
peers_certfile command.  Added it into the patch (I don't know if old racoon
allows x509 keyword on peers_certfile line, but the new one requires it).  This
change in configuration file syntax is not documented in the manual page, Bill
might want to update it.

What else...  Hm, nothing I could remember right now...  I'm on vacation next
week, so I guess I will not bombard you with updated versions of the patch ;-)

-- Additional comment from alex on 2005-05-20 16:25 EST --
Created an attachment (id=114653)
AH/ESP option + route + overlapping networks patch

This is what I actually use currently.	It has fixes for routes and overlapping
networks included (well, Bill doesn't really like this approach for overlapping
networks, but it is easy to change to whatever will be final solution).
Comment 1 Aleksandar Milivojevic 2005-09-21 19:57:00 UTC 
Bill Nottingham wrote:
> Is it possible that there should be a setting in the ifcfg-
> {interface} file that specifies weather or not ESP and AH should be
> used?

Of course it is.  I sent a patch months ago that does exactly that (I believe it
was against RHEL4 and clones).  It allows the use of either AH, or ESP, or both.
 It also cleans up ifup-ipsec and ifdown-ipsec considerably by using conditional
variable substitutions (the old scripts used them too, but not everywhere they
could be used, resulting (if I remember correctly) in some duplicated code that
started showing first signs of inconsistencies).

I do remember that it worked very nicely with small Linksys VPN routers on the
other end (they support either AH or ESP, but not both), however I haven't been
using it lately.  Lately I was mostly doing Linux-to-linux VPNs, and because of
the bugs in Netfilter moved to IPSec over GRE approach (with complete new set of
scripts).  I liked having interfaces I can route to so much, I'm using that
approach wherever possible.  The 2.6 kernel's hidden/implicit IPSec routing
simply sucks.  Complicates things too much without any real benefit.  If anybody
is interested, I might even start working on a version of patch that would also
allow one to configure GRE and/or IPSec over GRE in ifcfg-* files, which could
possibly add hole new area of interoperability with big Cisco routers ;-)
Comment 2 Aleksandar Milivojevic 2005-09-21 20:17:17 UTC 
Ah, I just realized the above was not was Notting wrote, it was from original
bug report.  Ah, shame on me, and so on, and so forth O:-)

Anyhow, I believe the change is small enough to be incorporated as patch against
EL4 and recent Fedora releases.  Don't see why EL3 would be show stopper for EL4.
Comment 3 Miloslav Trmač 2006-07-09 00:05:47 UTC 
Fixed in CVS. Thanks for the patch!
Comment 4 Bill Nottingham 2006-07-21 18:29:39 UTC 
Built as 8.36-1.