Bug 116922 - ifup-ipsec fixes for IPSec
Product: Red Hat Raw Hide
Classification: Retired
Component: initscripts
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
QA Contact: Brock Organ
Keywords: Patch
Blocks: FC2Blocker
Reported: 2004-02-26 09:27 EST by Felipe Alfaro Solana
Modified: 2014-03-16 22:42 EDT
Fixed In Version: 7.47-1
Doc Type: Bug Fix
Last Closed: 2004-03-16 18:49:52 EST

Attachments:
  fix ifup-ipsec to allow for ESP-only IPSec links (1.71 KB, patch), 2004-02-26 09:28 EST, Felipe Alfaro Solana
  sample interface configuration file (205 bytes, text/plain), 2004-02-26 09:29 EST, Felipe Alfaro Solana

Description Felipe Alfaro Solana 2004-02-26 09:27:16 EST
Description of problem: 
ifup-ipsec has problems when trying to create the corresponding SA 
and SPD entries for an IPSec link if no AH SPI identifier has been 
defined in the interface configuration file. 
Look at the following lines of ifup-ipsec: 
   /sbin/setkey -c  >/dev/null 2>&1<< EOF 
delete $SRC $DST ah $SPI_AH_OUT; 
delete $DST $SRC ah $SPI_AH_IN; 
The "delete" setkey command requires exactly four arguments: the 
source IP, destination IP, the protocol (ESP or AH) and the SPI 
identifier. However, if the interface configuration file 
(ifcfg-ipsec0, for example) does not define SPI_AH_IN and/or 
SPI_AH_OUT, the above "delete" command will supply only three 
arguments, causing setkey to stop processing the input and exit with 
an error code: 
   line <whatever>: parse error at [;] 
   parse failed, line <whatever>. 
The solution is to replace those lines with: 
   /sbin/setkey -c  >/dev/null 2>&1<< EOF 
${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;} 
${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;} 
Attached to this bug report you will find a patch that fixes up 
ifup-ipsec to allow for tunnel and transport IPSec links, even when 
no AH authentication is used (SPI_AH* is not defined). 
Additionally, both the ESP and AH keys must NOT be enclosed in 
quotes. Doing so makes setkey complain that the key length is 
Version-Release number of selected component (if applicable): 
How reproducible: 
Steps to Reproduce: 
1. Copy the attached ifcfg-ipsec0 to /etc/sysconfig/network-scripts 
2. Run ifup ipsec0 
3. setkey -D and setkey -D -P will reveal that no SA and SPD entries 
have been created. 
Actual results: 
ifup-ipsec fails when the AH protocol is not being used. 
Expected results: 
ifup-ipsec MUST work even when the AH protocol is not used (that is, 
when no AH SPI is specified). 
Additional info: 
I have attached a patch to fix ifup-ipsec. 
I have also attached the ifcfg-ipsec0 file I'm using to configure a 
transport mode IPSec link between two hosts.
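The conditional-expansion fix described in the report, as an added example that is not part of the bug report, the attached patch or the initscripts package. It builds the setkey "delete" input both the unpatched way (AH lines always emitted) and the patched way (AH lines emitted only when an AH SPI is set), then applies the rule the report states, that every "delete" takes exactly four arguments, to show which input setkey would reject. The ESP delete lines, the function names, and the addresses and SPIs are assumptions made up for the example; the report only quotes the AH lines.

```shell
#!/bin/sh
# Added example, not code from ifup-ipsec or the attached patch. It generates
# the setkey "delete" statements two ways and checks them against the rule
# from the report: "delete" needs src, dst, protocol and SPI, nothing less.

# Unpatched form, assumed to mirror the lines quoted in the report: the AH
# delete statements are emitted even when SPI_AH_OUT / SPI_AH_IN are empty.
gen_setkey_deletes_unpatched() {
    SRC=$1 DST=$2 SPI_AH_OUT=$3 SPI_AH_IN=$4
    cat <<EOF
delete $SRC $DST ah $SPI_AH_OUT;
delete $DST $SRC ah $SPI_AH_IN;
EOF
}

# Patched form. The ESP pair is an assumption (the report quotes only the AH
# lines). The AH pair uses ${VAR:+word}, which expands to nothing when VAR is
# unset or empty, so a three-argument "delete" is never produced.
gen_setkey_deletes() {
    SRC=$1 DST=$2 SPI_ESP_OUT=$3 SPI_ESP_IN=$4 SPI_AH_OUT=$5 SPI_AH_IN=$6
    cat <<EOF
delete $SRC $DST esp $SPI_ESP_OUT;
delete $DST $SRC esp $SPI_ESP_IN;
${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
EOF
}

# Read setkey statements on stdin. Return 0 if every non-blank line is
# "delete <src> <dst> <proto> <spi>;", 1 at the first line that is not.
# Blank lines (what an empty ${VAR:+...} leaves behind, and what the
# reporter's fix itself produces) are skipped.
check_delete_lines() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        line=${line%;}              # drop the terminator before counting words
        set -- $line                # word-split into "delete" plus arguments
        [ "$1" = delete ] || return 1
        [ $# -eq 5 ] || return 1    # delete + src + dst + proto + spi
    done
    return 0
}

# Demonstration with constructed addresses and SPIs (not the reporter's ifcfg-ipsec0).
if gen_setkey_deletes_unpatched 10.0.0.1 10.0.0.2 "" "" | check_delete_lines; then
    echo "unpatched, no AH SPI: accepted"
else
    echo "unpatched, no AH SPI: three-argument delete, setkey would stop with a parse error"
fi
if gen_setkey_deletes 10.0.0.1 10.0.0.2 0x1000 0x1001 "" "" | check_delete_lines; then
    echo "patched, ESP only: every delete statement is well-formed"
fi
```

Because the unpatched script feeds setkey a single here-document, one malformed "delete" aborts the whole input, which is why the report sees no SA or SPD entries at all rather than a partial setup.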
Comment 1 Felipe Alfaro Solana 2004-02-26 09:28:14 EST
Created attachment 98071
fix ifup-ipsec to allow for ESP-only IPSec links
Comment 2 Felipe Alfaro Solana 2004-02-26 09:29:08 EST
Created attachment 98072
sample interface configuration file

This is the sample IPSec interface configuration file I'm using to test
ESP-only (no AH protocol) IPSec links.
Comment 3 Bill Nottingham 2004-03-16 18:49:52 EST
Added in CVS, will be in 7.47-1. Didn't add the last bit; I'm pretty
sure those quotes are necessary.
