Bug 110723 - Will dhcrelay work through IPSEC in FC2?
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: dhcp
Version: 1
Hardware: i586 Linux
Priority: low, Severity: low
Assigned To: Jason Vas Dias
Reported: 2003-11-24 04:42 EST by Stefan Christians
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-03-15 19:26:26 EST

Attachments:
enable dhcrelay to function when running on endpoint of ipsec tunnel (400 bytes, patch)
2004-03-27 13:43 EST, Stefan Christians
enable dhcrelay to function when running on endpoint of ipsec tunnel (400 bytes, patch)
2004-03-27 13:45 EST, Stefan Christians

Description Stefan Christians 2003-11-24 04:42:17 EST
We would like to ask the dhcp package maintainers to keep in mind the
following problems when dhcp is re-packaged for Fedora Core 2 with the 2.6
kernel.

Description of problem:
If the dhc relay agent is running on the machine which functions as
VPN-gateway using IPSEC, it cannot contact the dhcp server.

Version-Release number of selected component (if applicable):
dhcp-3.0pl1-9
FreeS/wan 1.99
on RHL8

How reproducible:
always

Steps to Reproduce:
either
1. reboot the machine with dhcrelay and ipsec chkconfigged on
or
1. service ipsec start
2. and then immediately service dhcrelay start
  
Actual results:
dhcrelay cannot contact the dhcp server through the virtual ipsec
interface.

Expected results:
dhcrelay should relay dhcp information

Additional info:

1) We had to change the startup priority in dhcrelay's init script to
98. There seems to be a time lag between when the ipsec service has
started and when the virtual interface becomes available. 

2) We had to recompile dhcrelay with USE_SOCKETS defined in
includes/sites.h for dhcrelay to work over the virtual ipsec interface.

Not sure whether this will still be an issue with ipsec integrated in
the 2.6 kernel, so we just want to make this "pre-emptive" bug report
to ensure that dhcrelay will work out of the box when fc2 is released.
Comment 1 Daniel Walsh 2004-03-25 14:00:27 EST
Have you checked this on FC2?
Comment 2 Stefan Christians 2004-03-27 13:43:32 EST
Created attachment 98901
enable dhcrelay to function when running on endpoint of ipsec tunnel

Just finished checking it on FC2 Test1:

1) startup priority
Setkey does not create a virtual interface, so the physical interfaces dhcrelay
listens on all already exist at the current startup priority.
No need to change anything

2) define USE_SOCKETS
Still, if USE_SOCKETS is not defined in includes/site.h, dhcrelay will not work
through ipsec if it is on the vpn gateway itself.
Looking at the IP-traffic, dhcrelay contacts the dhcp server and gets the
response back, but does not forward it to the client.

A patch for defining USE_SOCKETS is attached.
However, the description of this function sounds a little bit scary, and I have
no non-Red Hat clients available to test it with other dhcp clients.
Comment 3 Stefan Christians 2004-03-27 13:45:22 EST
Created attachment 98902
enable dhcrelay to function when running on endpoint of ipsec tunnel
Comment 4 Jason Vas Dias 2005-06-03 12:41:07 EDT
Sorry for the delay in processing this bug - it somehow slipped
through the cracks.

Is this still an issue with FC-3/4 2.6+ kernel ipsec support?

I am investigating.
Comment 5 Jason Vas Dias 2006-03-15 19:26:26 EST
No, dhcp currently will NOT work with USE_SOCKETS - for many reasons.
This is being worked on upstream at the ISC.
