Bug 168972
| Field | Value |
|---|---|
| Summary | IPSec initscript ESP/AH issues |
| Product | [Fedora] Fedora |
| Component | initscripts |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Reporter | Bill Nottingham <notting> |
| Assignee | Bill Nottingham <notting> |
| QA Contact | Brock Organ <borgan> |
| CC | alex, denis, mitr, rvokal, sean |
| Fixed In Version | 8.36-1 |
| Doc Type | Bug Fix |
| Last Closed | 2006-07-21 18:29:39 UTC |
| Bug Depends On | 122452 |
| Bug Blocks | 150221 |

Description
Bill Nottingham
2005-09-21 19:18:12 UTC
Bill Nottingham wrote:
> Is it possible that there should be a setting in the ifcfg-{interface}
> file that specifies whether or not ESP and AH should be used?
Of course it is. I sent a patch months ago that does exactly that (I believe it
was against RHEL4 and clones). It allows the use of either AH, or ESP, or both.
It also cleans up ifup-ipsec and ifdown-ipsec considerably by using conditional
variable substitutions (the old scripts used them too, but not everywhere they
could be used, resulting (if I remember correctly) in some duplicated code that
started showing first signs of inconsistencies).
I do remember that it worked very nicely with small Linksys VPN routers on the
other end (they support either AH or ESP, but not both), however I haven't been
using it lately. Lately I was mostly doing Linux-to-Linux VPNs, and because of
the bugs in Netfilter moved to an IPSec over GRE approach (with a complete new set of
scripts). I liked having interfaces I can route to so much, I'm using that
approach wherever possible. The 2.6 kernel's hidden/implicit IPSec routing
simply sucks. Complicates things too much without any real benefit. If anybody
is interested, I might even start working on a version of the patch that would also
allow one to configure GRE and/or IPSec over GRE in ifcfg-* files, which could
possibly add a whole new area of interoperability with big Cisco routers ;-)
Ah, I just realized the above was not what Notting wrote, it was from the original bug report. Ah, shame on me, and so on, and so forth O:-) Anyhow, I believe the change is small enough to be incorporated as a patch against EL4 and recent Fedora releases. Don't see why EL3 would be a show stopper for EL4.
Fixed in CVS. Thanks for the patch!
Built as 8.36-1.