Description of problem:
-----------------------
ifup-ipsec has problems when trying to create the corresponding SA and SPD entries for an IPSec link if no AH SPI identifier has been defined in the interface configuration file. Look at the following lines of ifup-ipsec:

    /sbin/setkey -c >/dev/null 2>&1<< EOF
    delete $SRC $DST ah $SPI_AH_OUT;
    delete $DST $SRC ah $SPI_AH_IN;

The "delete" setkey command requires exactly four arguments: the source IP, destination IP, the protocol (ESP or AH) and the SPI identifier. However, if the interface configuration file (ifcfg-ipsec0, for example) does not define SPI_AH_IN and/or SPI_AH_OUT, the above "delete" command will supply only three arguments, causing setkey to stop processing the input and exit with an error code:

    line <whatever>: parse error at [;]
    parse failed, line <whatever>.

The solution is to replace those lines with:

    /sbin/setkey -c >/dev/null 2>&1<< EOF
    ${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
    ${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}

Attached to this bug report you will find a patch that fixes up ifup-ipsec to allow for tunnel and transport IPSec links, even when no AH authentication is used (SPI_AH* is not defined).

Additionally, both the ESP and AH keys must NOT be enclosed in quotes. Doing so makes setkey complain that the key length is invalid.

Version-Release number of selected component (if applicable):
initscripts-7.46-1.1

How reproducible:
Always

Steps to Reproduce:
1. Copy the attached ifup-ipsec0 to /etc/sysconfig/network-scripts
2. Run ifup ipsec0
3. setkey -D and setkey -D -P will reveal that no SA and SPD entries have been created.

Actual results:
ifup-ipsec fails when the AH protocol is not being used.

Expected results:
ifup-ipsec MUST work even when the AH protocol is not used (that is, when no AH SPI is specified).

Additional info:
I have attached a patch to fix ifup-ipsec. I have also attached the ifcfg-ipsec0 file I'm using to configure a transport mode IPSec link between two hosts.
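The following is an added illustration, not the initscripts ifup-ipsec script or the attached patch. It builds the text that would be piped into "setkey -c" in both the original (unconditional) form and the ${VAR:+...} form from the report, and adds a small check that counts "delete" statements carrying fewer than the required four arguments, which is what triggers the "parse error at [;]" described above. The addresses and SPI values are constructed sample values; setkey itself is not run.

```shell
#!/bin/sh
# Added example: model how ifup-ipsec assembles its setkey input and verify
# that every "delete" line has the four arguments setkey requires.
# Arguments for both generators:
#   $1=SRC  $2=DST  $3=SPI_ESP_OUT  $4=SPI_ESP_IN  $5=SPI_AH_OUT  $6=SPI_AH_IN
# AH SPIs may be omitted (ESP-only link).

# Original form: AH lines are emitted unconditionally, so an unset AH SPI
# yields a three-argument "delete ... ah ;" that makes setkey stop parsing.
gen_buggy_script() {
    SRC=$1 DST=$2 SPI_ESP_OUT=$3 SPI_ESP_IN=$4 SPI_AH_OUT=$5 SPI_AH_IN=$6
    cat <<EOF
delete $SRC $DST esp $SPI_ESP_OUT;
delete $DST $SRC esp $SPI_ESP_IN;
delete $SRC $DST ah $SPI_AH_OUT;
delete $DST $SRC ah $SPI_AH_IN;
EOF
}

# Fixed form from the report: ${VAR:+word} expands to word only when VAR is
# set and non-empty, so the AH lines disappear entirely on an ESP-only link.
gen_fixed_script() {
    SRC=$1 DST=$2 SPI_ESP_OUT=$3 SPI_ESP_IN=$4 SPI_AH_OUT=$5 SPI_AH_IN=$6
    cat <<EOF
delete $SRC $DST esp $SPI_ESP_OUT;
delete $DST $SRC esp $SPI_ESP_IN;
${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
EOF
}

# Read setkey input on stdin and print how many "delete" statements do not
# have exactly four arguments (src dst proto spi). Blank and non-delete
# lines are ignored.
count_bad_deletes() {
    bad=0
    while IFS= read -r line; do
        case $line in
            delete*)
                line=${line%;}          # drop the trailing ';'
                set -- $line            # word-split: delete SRC DST PROTO SPI
                [ "$#" -eq 5 ] || bad=$((bad + 1))
                ;;
        esac
    done
    echo "$bad"
}

# Print how many "delete" statements are present on stdin.
count_deletes() {
    n=0
    while IFS= read -r line; do
        case $line in
            delete*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}
```

Running `gen_buggy_script 10.0.0.1 10.0.0.2 0x201 0x301 | count_bad_deletes` reports two malformed lines, while the same arguments through `gen_fixed_script` produce only the two ESP deletes and no malformed ones; with all six arguments supplied both generators emit four well-formed lines. Note that the fixed heredoc still leaves empty lines where the AH statements were dropped, which setkey's parser does not object to.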
Created attachment 98071 [details] fix ifup-ipsec to allow for ESP-only IPSec links
Created attachment 98072 [details] sample interface configuration file

This is the sample IPSec interface configuration file I'm using to test ESP-only (no AH protocol) IPSec links.
Added in CVS, will be in 7.47-1. Didn't add the last bit; I'm pretty sure those quotes are necessary.