Bug 116922 - ifup-ipsec fixes for IPSec
Summary: ifup-ipsec fixes for IPSec
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: initscripts
Version: 1.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks: FC2Blocker
Reported: 2004-02-26 14:27 UTC by Felipe Alfaro Solana
Modified: 2014-03-17 02:42 UTC (History)

Fixed In Version: 7.47-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-03-16 23:49:52 UTC
Embargoed:


Attachments
fix ifup-ipsec to allow for ESP-only IPSec links (1.71 KB, patch)
2004-02-26 14:28 UTC, Felipe Alfaro Solana
sample interface configuration file (205 bytes, text/plain)
2004-02-26 14:29 UTC, Felipe Alfaro Solana

Description Felipe Alfaro Solana 2004-02-26 14:27:16 UTC
Description of problem: 
----------------------- 
ifup-ipsec has problems when trying to create the corresponding SA 
and SPD entries for an IPSec link if no AH SPI identifier has been 
defined in the interface configuration file. 
 
Look at the following lines of ifup-ipsec: 
 
   /sbin/setkey -c  >/dev/null 2>&1<< EOF 
delete $SRC $DST ah $SPI_AH_OUT; 
delete $DST $SRC ah $SPI_AH_IN; 
 
The "delete" setkey command requires exactly four arguments: the 
source IP, destination IP, the protocol (ESP or AH) and the SPI 
identifier. However, if the interface configuration file 
(ifcfg-ipsec0, for example) does not define SPI_AH_IN and/or 
SPI_AH_OUT, the above "delete" command will supply only three 
arguments, causing setkey to stop processing the input and exit with 
an error code: 
 
   line <whatever>: parse error at [;] 
   parse failed, line <whatever>. 
 
The solution is to replace those lines with: 
 
   /sbin/setkey -c  >/dev/null 2>&1<< EOF 
${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;} 
${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;} 
 
Attached to this bug report you will find a patch that fixes up 
ifup-ipsec to allow for tunnel and transport IPSec links, even when 
no AH authentication is used (SPI_AH* is not defined). 
 
Additionally, both the ESP and AH keys must NOT be enclosed in 
quotes. Doing so makes setkey complain that the key length is 
invalid. 
 
Version-Release number of selected component (if applicable): 
initscripts-7.46-1.1 
 
How reproducible: 
Always 
 
Steps to Reproduce: 
1. Copy the attached ifcfg-ipsec0 to /etc/sysconfig/network-scripts 
2. Run ifup ipsec0 
3. setkey -D and setkey -D -P will reveal that no SA and SPD entries 
have been created. 
   
Actual results: 
ifup-ipsec fails when the AH protocol is not being used. 
 
Expected results: 
ifup-ipsec MUST work even when the AH protocol is not used (that is, 
when no AH SPI is specified). 
 
Additional info: 
I have attached a patch to fix ifup-ipsec. 
I have also attached the ifcfg-ipsec0 file I'm using to configure a 
transport mode IPSec link between two hosts.
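As an added illustration (not part of the bug report or of initscripts), the following shell script rebuilds the setkey "delete" block both as the report shows it and with the ${VAR:+...} fix, then checks each generated line for the four-argument form setkey requires. SRC, DST, SPI_AH_OUT and SPI_AH_IN are the variables named in the report; SPI_ESP_OUT and SPI_ESP_IN are assumed names for the ESP SPIs.

```shell
# Added example, not initscripts code: rebuild the "delete" block ifup-ipsec
# feeds to setkey, as reported and as fixed, and validate it before use.
# SPI_ESP_OUT / SPI_ESP_IN are assumed variable names for the ESP SPIs.

# Form from the report: the AH lines are emitted unconditionally, so an
# unset SPI_AH_* leaves a "delete" with only three arguments.
setkey_delete_buggy() {
    printf 'delete %s %s esp %s;\n' "$SRC" "$DST" "$SPI_ESP_OUT"
    printf 'delete %s %s esp %s;\n' "$DST" "$SRC" "$SPI_ESP_IN"
    printf 'delete %s %s ah %s;\n' "$SRC" "$DST" "$SPI_AH_OUT"
    printf 'delete %s %s ah %s;\n' "$DST" "$SRC" "$SPI_AH_IN"
}

# Fixed form: ${VAR:+text} expands to text only when VAR is set and non-empty,
# so an ESP-only link produces no AH lines at all (empty results are skipped).
setkey_delete_fixed() {
    for cmd in \
        "delete $SRC $DST esp $SPI_ESP_OUT;" \
        "delete $DST $SRC esp $SPI_ESP_IN;" \
        "${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}" \
        "${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}"
    do
        [ -n "$cmd" ] && printf '%s\n' "$cmd"
    done
    return 0
}

# Pre-flight check on the generated input: every "delete" line must end in
# ';' and carry exactly four arguments (src, dst, proto, spi). Like setkey,
# it stops at the first bad line and returns 1.
check_delete_lines() {
    while IFS= read -r line; do
        case "$line" in
            "") continue ;;
            delete*";") ;;
            *) return 1 ;;
        esac
        set -- ${line%;}
        [ "$#" -eq 5 ] || return 1
    done
    return 0
}

# Constructed values for an ESP-only link, as in the report; the first
# check fails, the second passes and prints only the two ESP lines.
SRC=10.0.0.1 DST=10.0.0.2 SPI_ESP_OUT=0x1000 SPI_ESP_IN=0x1001
unset SPI_AH_OUT SPI_AH_IN
setkey_delete_buggy | check_delete_lines || echo "report form: parse error"
setkey_delete_fixed | check_delete_lines && setkey_delete_fixed
```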

Comment 1 Felipe Alfaro Solana 2004-02-26 14:28:14 UTC
Created attachment 98071 [details]
fix ifup-ipsec to allow for ESP-only IPSec links

Comment 2 Felipe Alfaro Solana 2004-02-26 14:29:08 UTC
Created attachment 98072 [details]
sample interface configuration file

This is the sample IPSec interface configuration file I'm using to test
ESP-only (no AH protocol) IPSec links.

Comment 3 Bill Nottingham 2004-03-16 23:49:52 UTC
Added in CVS, will be in 7.47-1. Didn't add the last bit; I'm pretty
sure those quotes are necessary.

