Description of problem: The IPSec VPN functionality within the Red Hat Linux ES distribution doesn't allow the configuration of VPN tunnels using ESP _or_ AH. It automatically creates a policy for both ESP and AH. Certain VPN servers like Netscreen and many others will accept either ESP or AH, but not both. In order to create a "lan to lan" VPN between a Netscreen VPN server and a Red Hat Linux ES server the following changes had to be made:

Lines 196 - 208 of /etc/sysconfig/network-scripts/ifup-ipsec contain the following:

=============================================
/sbin/setkey -c >/dev/null 2>&1 << EOF
spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;
spdadd $SRCNET $DSTNET any -P out ipsec esp/tunnel/$SRC-$DST/require ah/tunnel/$SRC-$DST/require ;
spdadd $DSTNET $SRCNET any -P in ipsec esp/tunnel/$DST-$SRC/require ah/tunnel/$DST-$SRC/require ;
EOF
=============================================

Make the following change to the above section (Lan2Lan):

=============================================
/sbin/setkey -c >/dev/null 2>&1 << EOF
spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;
spdadd $SRCNET $DSTNET any -P out ipsec esp/tunnel/$SRC-$DST/require ;
spdadd $DSTNET $SRCNET any -P in ipsec esp/tunnel/$DST-$SRC/require ;
EOF
=============================================

The above file changes will only affect "LAN to LAN" VPNs, as there are also configuration directives for "Host to Host" VPNs.

The following question could propose the way forward: Is it possible that there should be a setting in the ifcfg-{interface} file that specifies whether or not ESP and AH should be used? i.e.

ESP=yes
AH=yes

Version-Release number of selected component (if applicable): initscripts-7.31.9.EL-1

How reproducible: Every time

Steps to Reproduce:
1. Create VPN between Red Hat Enterprise Linux ES and a hardware VPN device or any other VPN server.

Actual results: Tunnels don't come up

Expected results: Tunnels should come up

Additional info: This is also a problem on Fedora Core 2 test3
I ran into this same problem except both end points for my VPNs are FC2 boxes. Updating ifup-ipsec not to add the AH entries to the SPD resolved the problem. Configuration: two FC2 boxes, IKE=PSK, Network-to-Network tunnel.
*** Bug 158245 has been marked as a duplicate of this bug. ***
I don't think removal of AH from ifup/ifdown scripts is the solution. It should be a configurable option. I made some preliminary patch in that direction (in duplicate bug #158245). If Bill is interested in it, I can continue the work on it, and resubmit it here. Bill, if there's any future for this feature, and if you'd like me to play with ifup/ifdown scripts, just let me know if you'd rather have a simple "copy-paste of code" patch, or a more drastic revision of the script... Or if you plan to do it on your own...
Created attachment 114628 [details] Make AH and ESP optional

I did some quick tests on these and it seems to work. I've consolidated the setkey part of the code into one single block that *should* do the right thing. It should be fairly trivial to add routing and overlapped networks patches into this script. If the user sets AH_PROTO=none in the ifcfg file, AH will not be used. If the user sets ESP_PROTO=none in the ifcfg file, ESP will not be used. The user can choose if he wants to use only ESP (encrypt + payload auth), only AH (headers/payload auth), or both (headers/payload auth + encrypt + payload auth). If you like the patch, a bit more testing would be nice to have.
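The policy-generation idea from the description (ESP-only vs ESP+AH) and the AH_PROTO/ESP_PROTO semantics described for the patch, as an added example that is not the initscripts ifup-ipsec code nor the attached patch. The build_spd function, its argument order and the sample addresses are all constructed for this illustration; it goes slightly beyond the thread by also covering the transport-mode (host-to-host) form of the setkey policy.

```sh
#!/bin/sh
# Added example (not the initscripts ifup-ipsec code): emit the setkey SPD
# policy for one IPsec link, using ESP and/or AH depending on ESP_PROTO and
# AH_PROTO, where the value "none" disables that protocol (the ifcfg
# semantics proposed in the patch). MODE is "tunnel" (LAN-to-LAN) or
# "transport" (host-to-host). All addresses below are constructed samples.

# build_spd SRC DST SRCNET DSTNET MODE ESP_PROTO AH_PROTO
# Prints the spddelete/spdadd lines that would be fed to `setkey -c`.
build_spd() {
    src=$1 dst=$2 srcnet=$3 dstnet=$4 mode=$5 esp=$6 ah=$7
    out_pol="" in_pol=""
    case $mode in
        tunnel)    out_ep="/tunnel/$src-$dst" in_ep="/tunnel/$dst-$src" ;;
        transport) out_ep="/transport/" in_ep="/transport/" ;;
        *) echo "build_spd: unknown mode '$mode'" >&2; return 2 ;;
    esac
    # Each enabled protocol appends one "proto/mode/endpoints/level" clause;
    # with both enabled the result matches the original two-clause policy.
    if [ "$esp" != none ]; then
        out_pol="$out_pol esp$out_ep/require"
        in_pol="$in_pol esp$in_ep/require"
    fi
    if [ "$ah" != none ]; then
        out_pol="$out_pol ah$out_ep/require"
        in_pol="$in_pol ah$in_ep/require"
    fi
    # Refuse to emit a policy that requires no protection at all.
    if [ -z "$out_pol" ]; then
        echo "build_spd: at least one of ESP or AH must be enabled" >&2
        return 1
    fi
    printf 'spddelete %s %s any -P out;\n' "$srcnet" "$dstnet"
    printf 'spddelete %s %s any -P in;\n' "$dstnet" "$srcnet"
    printf 'spdadd %s %s any -P out ipsec%s;\n' "$srcnet" "$dstnet" "$out_pol"
    printf 'spdadd %s %s any -P in ipsec%s;\n' "$dstnet" "$srcnet" "$in_pol"
}

# Demo: an ESP-only LAN-to-LAN policy, the form the Netscreen peer accepts.
# (Constructed documentation addresses; nothing is loaded into the kernel.)
build_spd 192.0.2.1 198.51.100.1 10.0.0.0/24 10.1.0.0/24 tunnel esp none
```

To load the result for real you would pipe the output into `setkey -c` the way ifup-ipsec does; printing it first lets you compare the generated policy against what `setkey -DP` shows on the box.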
Created attachment 114631 [details] Make AH and ESP optional SRC should be set before checking if we are using tunnel or transport mode.
Created attachment 114636 [details] Make AH and ESP optional There was one "debugging" exit statement left in the patch. Removed.
Created attachment 114650 [details] Make AH and ESP optional

I've found a couple of problems with the previous patch.
- manual keying was buggy
- only ESP encryption with manual keying was possible (no auth)
- a couple of things cleaned
- a couple of typos fixed

This version of the patch will allow encryption+auth with ESP. If the KEY_AESP variable is set (or separate keys for IN and OUT like all other keys), authentication keys for ESP will be added when manual keying is used. If both AH and ESP are used, authentication keys for ESP will be different than those for AH (for those that like to do things twice).

This patch is against initscripts 7.93.11. To make it fully work, at least the route fix from bug #146169 should also be added to the script. Optionally, the fix for overlapping networks might also be needed in some cases (bug #150862). It should be fairly trivial to incorporate those two fixes into this patch.

Also, I'm using ipsec-tools 0.5 (from http://people.redhat.com/notting/ipsec/). Seems that the new version of racoon wants the certificate type to be specified in the peers_certfile command. Added it into the patch (I don't know if old racoon allows the x509 keyword on the peers_certfile line, but the new one requires it). This change in configuration file syntax is not documented in the manual page, Bill might want to update it.

What else... Hm, nothing I could remember right now... I'm on vacation next week, so I guess I will not bombard you with updated versions of the patch ;-)
Created attachment 114653 [details] AH/ESP option + route + overlapping networks patch This is what I actually use currently. It has fixes for routes and overlapping networks included (well, Bill doesn't really like this approach for overlapping networks, but it is easy to change to whatever will be final solution).
Cloning this bug as an enhancement for a later release; at this point, a change of this magnitude probably won't be backported to RHEL 3, as we attempt to minimize regressions. Ergo, closing this bug as deferred for a later release.