Bug 122452 - IPSec initscript ESP/AH issues
IPSec initscript ESP/AH issues
Status: CLOSED DEFERRED
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: initscripts (Show other bugs)
3.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Bill Nottingham
:
: 158245 (view as bug list)
Depends On:
Blocks: 168972
  Show dependency treegraph
 
Reported: 2004-05-04 13:36 EDT by Paul McEnery
Modified: 2014-03-16 22:44 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-21 15:25:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Make AH and ESP optional (8.64 KB, patch)
2005-05-20 11:03 EDT, Aleksandar Milivojevic
no flags Details | Diff
Make AH and ESP optional (8.84 KB, patch)
2005-05-20 11:24 EDT, Aleksandar Milivojevic
no flags Details | Diff
Make AH and ESP optional (8.83 KB, patch)
2005-05-20 12:58 EDT, Aleksandar Milivojevic
no flags Details | Diff
Make AH and ESP optional (10.18 KB, patch)
2005-05-20 15:42 EDT, Aleksandar Milivojevic
no flags Details | Diff
AH/ESP option + route + overlapping networks patch (13.10 KB, patch)
2005-05-20 16:25 EDT, Aleksandar Milivojevic
no flags Details | Diff

  None (edit)
Description Paul McEnery 2004-05-04 13:36:12 EDT
Description of problem:

The IPSec VPN functionality within the Red Hat Linux ES distribution 
doesn't allow the configuration of VPN tunnels using ESP _or_ AH. It 
automatically creates a policy for both ESP and AH. Certain VPN 
servers like Netscreen and many others will accept either ESP or AH, 
but not both.

In order to create a "lan to lan" VPN between a netscreen VPN server 
and a Red Hat Linux ES server the following changes had to be made:

line 196 - 208 of /etc/sysconfig/network-scripts/ifup-ipsec contains 
the following:
=============================================
      /sbin/setkey -c >/dev/null 2>&1 << EOF        
spddelete $SRCNET $DSTNET any -P out;             
spddelete $DSTNET $SRCNET any -P in;             
                                                      
spdadd $SRCNET $DSTNET any -P out ipsec     
            esp/tunnel/$SRC-$DST/require                             
            ah/tunnel/$SRC-$DST/require                  
            ;                              
                                                                      
                    
spdadd $DSTNET $SRCNET any -P in ipsec                    
            esp/tunnel/$DST-$SRC/require                    
            ah/tunnel/$DST-$SRC/require                     
            ;
=============================================

Make the follwing change to the above section (Lan2Lan):
=============================================
      /sbin/setkey -c >/dev/null 2>&1 << EOF        
spddelete $SRCNET $DSTNET any -P out;             
spddelete $DSTNET $SRCNET any -P in;             
                                                      
spdadd $SRCNET $DSTNET any -P out ipsec     
            esp/tunnel/$SRC-$DST/require               
            ;                              
                                                                      
                    
spdadd $DSTNET $SRCNET any -P in ipsec                    
            esp/tunnel/$DST-$SRC/require
            ;
=============================================


The above file changes will only affect "LAN to LAN" VPN's as there 
are configuration directives for both "Host to Host" VPN's as well. 
The following question could propose the way forward:

Is it possible that there should be a setting in the ifcfg-
{interface} file that specifies weather or not ESP and AH should be 
used?

i.e.

ESP=yes
AH=yes






Version-Release number of selected component (if applicable):
initscripts-7.31.9.EL-1


How reproducible:
Every time



Steps to Reproduce:
1. Create VPN between Red Hat Enterprise Linux ES and a hardware VPN 
device or any other VPN server.

  
Actual results:
Tunnels don't come up

Expected results:
Tunnels should come up

Additional info:
This is also a problem on Fedora Core 2 test3
Comment 1 Sean Plaice 2004-11-12 22:16:46 EST
I ran into this same problem expect both end points for my vpn's are
FC2 boxes. Updating ifup-ipsec not to add the AH entries to the SPD
resolved the problem.

Configuration:
two FC2 boxes, IKE=PSK, Network-to-Network tunnel.
Comment 2 Bill Nottingham 2005-05-19 16:26:35 EDT
*** Bug 158245 has been marked as a duplicate of this bug. ***
Comment 3 Aleksandar Milivojevic 2005-05-19 17:13:07 EDT
I don't think removal of AH from ifup/ifdown scripts is solutin.  It should be
configurable option.  I made some preliminary patch into that direction (in
duplicate bug #158245).  If Bill is interested into it, I can continue the work
on it, and resubmit it here.

Bill, if there's any future for this feature, and if you'd like me to play with
ifup/ifdown scripts, just let me know if you'd rather have simple "copy-paste of
code" patch, or more drastic revision of the script...  Or if you plan to do it
on your own...
Comment 4 Aleksandar Milivojevic 2005-05-20 11:03:06 EDT
Created attachment 114628 [details]
Make AH and ESP optional

I did some quick tests on these and it seems to work.  I've consolidated setkey
part of code into one single block that *should* do the right thing.  It should
be fairly trivial to add routing and overlapped networks patches into this
script.

If user sets AH_PROTO=none in ifcfg file, AH will not be used.	If user sets
ESP_PROTO=none in ifcfg file, ESP will not be used.  User can choose if he
wants to use only ESP (encrypt + payload auth), only AH (headers/payload auth),
or both (headers/payload auth + encrypt + payload auth).

If you like the patch, a bit more testing would be nice to have.
Comment 5 Aleksandar Milivojevic 2005-05-20 11:24:26 EDT
Created attachment 114631 [details]
Make AH and ESP optional

SRC should be set before checking if we are using tunnel or transport mode.
Comment 6 Aleksandar Milivojevic 2005-05-20 12:58:39 EDT
Created attachment 114636 [details]
Make AH and ESP optional

There was one "debugging" exit statement left in the patch.  Removed.
Comment 7 Aleksandar Milivojevic 2005-05-20 15:42:54 EDT
Created attachment 114650 [details]
Make AH and ESP optional

I've found couple of problems with the previous patch.
 - manual keying was buggy
 - only ESP encryption with manual keying was possible (no auth)
 - couple of things cleaned
 - couple of typos fixed

This verion of patch will allow encryption+auth with ESP.  If KEY_AESP variable
is set (or separate keys for IN and OUT like all other keys), authentication
keys for ESP will be added when maunal keying is used.	If both AH and ESP are
used, authentication keys for ESP will be different than those for AH (for
those that like to do things twice).

This patch is against initscripts 7.93.11.  To make it fully work, at least
route fix from bug #146169 should also be added to the script.	Optionally, fix
for overlapping networks might also be needed in some cases (bug #150862).  It
should be fairly trivial to incorporate those two fixes into this patch.

Also, I'm using ipsec-tools 0.5 (from http://people.redhat.com/notting/ipsec/).
 Seems that new version of racoon wants certificate type to be specified in
peers_certfile command.  Added it into the patch (I don't know if old racoon
allows x509 keyword on peers_certfile line, but the new one requires it).  This
change in configuration file syntax is not documented in the manual page, Bill
might want to update it.

What else...  Hm, nothing I could remember right now...  I'm on vacation next
week, so I guess I will not bombard you with updated versions of the patch ;-)
Comment 8 Aleksandar Milivojevic 2005-05-20 16:25:30 EDT
Created attachment 114653 [details]
AH/ESP option + route + overlapping networks patch

This is what I actually use currently.	It has fixes for routes and overlapping
networks included (well, Bill doesn't really like this approach for overlapping
networks, but it is easy to change to whatever will be final solution).
Comment 9 Bill Nottingham 2005-09-21 15:25:05 EDT
Cloning this bug as an enhancement for a later release; at this point, a change
of this magnitude probably won't be backported to RHEL 3, as we attempt to
minimize regressions.

Ergo, closing this bug as deferred for a later release.

Note You need to log in before you can comment on or make changes to this bug.