Bug 113095 - Kernel is missing crypto modules
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: ipsec-tools
Version: 3.0
Hardware: i686 Linux
Priority: medium
Severity: high
Assigned To: Bill Nottingham
Reported: 2004-01-08 09:57 EST by Erwin Paternotte
Modified: 2014-03-16 22:41 EDT
Doc Type: Bug Fix
Last Closed: 2005-09-20 16:30:08 EDT
Description Erwin Paternotte 2004-01-08 09:57:43 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5)
Gecko/20031007

Description of problem:
When enabling an IPsec connection at boot time (with the ONBOOT=yes
option), the kernel can't load all modules related to IPsec. The
following modules can't be loaded:

ripemd160
cast128
lzs
lzjh

Also, as a logical side effect, the IPsec connection won't work. The
strange thing is that if I start an IPsec connection by hand with the
ifup ipsec0 command it is working fine.

Another side note is that I noticed that when I change the
ifcfg-ipsec0 TYPE parameter to IPsec (first 2 letters uppercase, last
3 letters lowercase) I don't get any error messages at boot time. But
the IPsec connection is still not working. It might be somehow related
to another bug I filed, but I can't figure out how. See for more
details: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=113090 

Version-Release number of selected component (if applicable):
kernel-2.4.21-4.0.2.EL

How reproducible:
Always

Steps to Reproduce:
1. Create an IPsec connection as described in section 6.11 of the
Security Guide, but use: TYPE=IPSEC (all uppercase). Also set the
ONBOOT option to yes.
2. Reboot the system and watch the boot messages closely.    

Actual Results:  During boot time after the message "Bringing up
interface ipsec0" is displayed, the following error messages are
displayed:

modprobe: modprobe: Can't locate module ripemd160
modprobe: modprobe: Can't locate module cast128
modprobe: modprobe: Can't locate module lzs
modprobe: modprobe: Can't locate module lzjh

Expected Results:  No error messages and a working IPsec connection
after boot time.

Additional info:
Comment 1 James Morris 2004-01-08 10:12:10 EST
These modules do not exist, although you can get cast128 by using the
module 'cast5'.
Comment 2 Erwin Paternotte 2004-01-08 10:23:55 EST
Thank you for your fast reply.

I already noticed those modules are not available, but the problem is
that these errors are preventing me from starting an IPsec connection
at boot time.

Since an IPsec connection can be started by hand I assume those
modules are not really necessary for IPsec to function correctly (I'm
using 3des as encryption for my IPsec connection).

I searched what is loading those modules (/etc/modules.conf,
/etc/sysconfig/network-scripts/network-functions, /sbin/ifup), but I
couldn't find anything and I really need to make an automatic IPsec
connection at boot time.
Comment 3 Erwin Paternotte 2004-01-16 09:49:37 EST
After some more testing I must come to the conclusion that manually
starting the IPsec connection is also not working anymore :( I triple
checked every setting, but it is simply not working. In
/var/log/messages I see the same module errors as already described above.

I am wondering what the status of this bug is and if there is still
somebody working on it within Red Hat? It's been deadly quiet after
the first reply. If additional testing/information is needed please let
me know.

Regards,

Erwin
Comment 5 James Morris 2004-02-12 19:21:01 EST
I don't see how the lack of these modules can be preventing IPSec from
working, and suggest that this is a configuration issue rather than a bug.
Comment 6 Erwin Paternotte 2004-02-20 03:42:31 EST
Hi,

I checked my configuration again (3rd time) and I followed the
instructions in the Red Hat documentation literally. I have used two
test systems with clean Red Hat Enterprise installations on both. It
is still not working.

When I've set up the tunnel with the command "ifup ipsec0" and I try to
ping the other system I get the following error:
connect: No such process
This is on both systems

So either there is something wrong with the Red Hat documentation (as
I suggested earlier) or there is something wrong with ipsec rpm or
kernel. The error messages I'm seeing in the logfiles might be
unrelated to this problem, but it is the only error message I'm seeing
related to ipsec.

I am actually wondering if you tested an ipsec tunnel between two
machines yourself? If so, I would like to receive your configuration
files, so I can test with the exact same configuration.

If you need any more information, let me know.

Regards,
Erwin
Comment 10 Ernie Petrides 2004-06-28 23:26:05 EDT
I'm reassigning this to owner of ipsec-tools.  -ernie
Comment 11 Bill Nottingham 2004-06-28 23:45:57 EDT
Please attach all your config files.
Comment 12 Erwin Paternotte 2004-07-02 10:00:09 EDT
Finally, a sign of life ;)

I had to pull the config files from a backup since I reused the test
machines after getting tired of waiting for an answer. Still I would
like to have a solution for this problem since it is still blocking
our migration to Red Hat Enterprise.

I followed the steps described in the Red Hat security manual:
https://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-host2host.html

I only created ifcfg-ipsec0 and keys-ipsec0 as described. Here
they are:

------------- ifcfg-ipsec0-----------------
DST=10.0.2.3
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
--------------------------------------------

--------------keys-ipsec0-------------------
IKE_PSK=artemis
--------------------------------------------

Regards,
Erwin
Comment 13 Bill Nottingham 2005-03-11 18:01:34 EST
Apologies for the lack of response. A configuration such as this
*should* be working fine.

I'm assuming the other side has the same configuration, with DST swapped.

Did you get any messages from racoon in syslog - is racoon running?
Comment 14 Stephen Cuppett 2005-05-23 14:45:01 EDT
There are missing things in the kernel.  Using the openswan keying daemon, I get
the following:

[root@ns4 init.d]# ./ipsec start
ipsec_setup: Starting Openswan IPsec 2.3.1...
ipsec_setup: modprobe: Can't locate module ipsec
ipsec_setup: /sbin/insmod /lib/modules/2.4.21-32.ELsmp/kernel/net/key/af_key.o
ipsec_setup: Using /lib/modules/2.4.21-32.ELsmp/kernel/net/key/af_key.o
ipsec_setup: Symbol version prefix 'smp_'
ipsec_setup: modprobe: Can't locate module xfrm4_tunnel
ipsec_setup: modprobe: Can't locate module xfrm_user
ipsec_setup: modprobe: Can't locate module sha1
ipsec_setup: modprobe: Can't locate module md5
ipsec_setup: modprobe: Can't locate module des
[root@ns4 init.d]# rpm -q | grep 'ipsec-tools'
rpmq: no arguments given for query
[root@ns4 init.d]# rpm -q 'ipsec-tools'
ipsec-tools-0.2.5-0.7
[root@ns4 init.d]# uname -r
2.4.21-32.ELsmp

I've stopped and started it a couple times, there are more that it DID find, but
the others it will error on every time.  This is preventing a tunnel between
Fedora Core 3 and RHEL3 from coming up both with a mirrored config and openswan
2.3.1.
Comment 15 Bill Nottingham 2005-05-23 15:08:14 EDT
ipsec_setup: modprobe: Can't locate module ipsec

That's just a broken script for that module - that's not an error.

Are you sure it's the modules that are preventing the connection as opposed to
other configuration details? Note that there are differences in how ipsec-tools
and openswan handle, for example, aggressive mode, that could also cause problems.
Comment 16 Stephen Cuppett 2005-05-23 15:47:39 EDT
The ones I'm more concerned about that seem to get loaded correctly are:

ipsec_setup: modprobe: Can't locate module xfrm4_tunnel
ipsec_setup: modprobe: Can't locate module md5

Are those provided by some other module than what they are on Fedora Core 3?

The ipsec module will fail to load on any platform using netkey as opposed to a
custom built KLIPS module
Comment 17 Bill Nottingham 2005-05-23 15:52:51 EDT
I believe they both end up built-in (md5 and xfrm).
Comment 18 Bill Nottingham 2005-09-20 16:30:08 EDT
Closing this bug. These messages aren't a symptom of an error; the layer is
simply asking for every crypto algorithm it knows about, and some of them are
built-in, or not supported.
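
A way to check what comment 18 describes, as an added example that is not part of the original thread: each name from a "Can't locate module" line is looked up in `/proc/crypto`, where `module : kernel` marks a built-in algorithm. The `/proc/crypto` sample is constructed, the function names are hypothetical, and the cast128 to cast5 alias comes from comment 1; non-crypto modules such as xfrm4_tunnel never appear in `/proc/crypto`, so they are out of scope for this lookup.

```shell
# Constructed sample in /proc/crypto layout (not captured from a real host).
sample_proc_crypto() {
cat <<'EOF'
name         : md5
module       : kernel
type         : digest

name         : sha1
module       : kernel
type         : digest

name         : cast5
module       : cast5
type         : cipher
EOF
}

# Log lines as quoted in the comments on this page.
sample_log() {
cat <<'EOF'
modprobe: modprobe: Can't locate module ripemd160
modprobe: modprobe: Can't locate module cast128
ipsec_setup: modprobe: Can't locate module md5
ipsec_setup: modprobe: Can't locate module sha1
EOF
}

# classify LOGFILE CRYPTOFILE: one "module status" line per module named in
# a "Can't locate module" message.
classify() {
  sed -n "s/.*Can't locate module \([A-Za-z0-9_-]*\).*/\1/p" "$1" | sort -u |
  while read -r mod; do
    alg=$mod
    [ "$mod" = cast128 ] && alg=cast5   # alias noted in comment 1
    owner=$(awk -v a="$alg" '
      $1 == "name"          { hit = ($3 == a) }
      $1 == "module" && hit { print $3; exit }' "$2")
    case $owner in
      "")     echo "$mod unregistered" ;;   # not offered by the crypto API
      kernel) echo "$mod builtin" ;;        # compiled in, no .o file to find
      *)      echo "$mod module:$owner" ;;  # provided by a loaded module
    esac
  done
}

# Run the classifier over the embedded samples.
demo() {
  tmp=$(mktemp -d) || return 1
  sample_log > "$tmp/log"; sample_proc_crypto > "$tmp/crypto"
  classify "$tmp/log" "$tmp/crypto"
  rm -rf "$tmp"
}
```

On a live host the equivalent call is `classify /var/log/messages /proc/crypto`; only names reported as unregistered that the tunnel's configured proposal actually uses need further attention.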
Comment 19 Vladi Kolici 2006-01-19 11:40:24 EST
(In reply to comment #2)
> Thank you for your fast reply.
> I already noticed those modules are not available, but the problem is
> that these errors are preventing me from starting an IPsec connection
> at boot time.
> Since an IPsec connection can be started by hand I assume those
> modules are not really necessary for IPsec to function correctly (I'm
> using 3des as encryption for my IPsec connection).
> I searched what is loading those modules (/etc/modules.conf,
> /etc/sysconfig/network-scripts/network-functions, /sbin/ifup), but I
> couldn't find anything and I really need to make an automatic IPsec
> connection at boot time.

Comment 20 Vladi Kolici 2006-01-20 04:16:54 EST
Hi all, 

I have the same problem with establishing a successful IPSEC net to net with 
Red Hat Enterprise 3, and I have the same problem, at boot time IPSEC 
can't load its modules:

ipsec_setup: modprobe: Can't locate module xfrm4_tunnel
ipsec_setup: modprobe: Can't locate module xfrm_user
ipsec_setup: modprobe: Can't locate module sha1
ipsec_setup: modprobe: Can't locate module md5
ipsec_setup: modprobe: Can't locate module des

Do you have any idea how to fix this problem?

Ladi

(In reply to comment #19)
> (In reply to comment #2)
> > Thank you for your fast reply.
> > I already noticed those modules are not available, but the problem is
> > that these errors are preventing me from starting an IPsec connection
> > at boot time.
> > Since an IPsec connection can be started by hand I assume those
> > modules are not really necessary for IPsec to function correctly (I'm
> > using 3des as encryption for my IPsec connection).
> > I searched what is loading those modules (/etc/modules.conf,
> > /etc/sysconfig/network-scripts/network-functions, /sbin/ifup), but I
> > couldn't find anything and I really need to make an automatic IPsec
> > connection at boot time.

