Bug 126646 - lan to lan doesn't seem to work
Summary: lan to lan doesn't seem to work
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-network   
(Show other bugs)
Version: 2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
: 127114 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2004-06-24 06:22 UTC by Stephen Moore
Modified: 2007-11-30 22:10 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-07-05 08:16:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
ipsec config file (125 bytes, text/plain)
2004-06-30 00:50 UTC, Stephen Moore
no flags Details
ipsec config file - branch end (125 bytes, text/plain)
2004-06-30 01:41 UTC, Stephen Moore
no flags Details

Description Stephen Moore 2004-06-24 06:22:34 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040510

Description of problem:
Cant establish a vpn, it doesnt look as if it can work as the setkey
command is not executed. A route add is attempted before the vpn is

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Click on activate
2.no vpn

Actual Results:  no vpn and no entries from setkeys -D

Expected Results:  vpn that works

Additional info:

Comment 1 Bill Nottingham 2004-06-29 05:07:02 UTC
Please attach your config files.

Comment 2 Stephen Moore 2004-06-30 00:50:51 UTC
Created attachment 101524 [details]
ipsec config file

Main lan end of vpn

Comment 3 Stephen Moore 2004-06-30 01:38:21 UTC
Attempting this configuration

   Branch LAN
 |    eth0   |
 |           |
 |   Branch  |
 |           |
 |    ppp0   |
 |    ppp0   |
 |           |
 | Corporate |
 |           |
 |    eth0   |
 Corporate LAN

Comment 4 Stephen Moore 2004-06-30 01:41:39 UTC
Created attachment 101525 [details]
ipsec config file - branch end

Comment 5 Stephen Moore 2004-06-30 01:53:18 UTC
We have manually generated the encryption keys using the tool
provided. However the script that starts the ipsec connection seems
broken. We set -x on the script and the following is the tail of the

+ '[' -n -o -n ']'
+ MODE=tunnel
+ '[' -n '' ']'
+ '[' -z manual ']'
+ '[' -z '' ']'
++ ip -o route get to
++ sed 's|.*src \([^ ]*\).*|\1|'
+ SRC=
+ '[' manual = manual ']'
+ '[' -z '' ']'
+ AH_PROTO=hmac-sha1
+ '[' -z '' ']'
+ ESP_PROTO=3des-cbc
+ '[' tunnel = host ']'
+ '[' -z ']'
+ '[' -z ']'
+ ip route add to via
RTNETLINK answers: Network is unreachable
+ /sbin/setkey -c
+ '[' manual = automatic ']'

Comment 6 Stephen Moore 2004-06-30 01:58:11 UTC
What we can't get past is that the ip route command comes before the
setkey command. I messed with the script to get it to echo to stdout
the setkey command.

We tried this command manually with no luck also. We have also tried
the script at http://www.ipsec-howto.org/ with no luck (were losers).
So we are fairly stuck at this point.

Comment 7 Bill Nottingham 2004-06-30 02:37:04 UTC
I think the config is wrong... what happens if you switch the DST in
the two files? 

Comment 8 Stephen Moore 2004-06-30 04:26:45 UTC
we have a dynamic ip addresses (we have applied for a static ip) at
the moment, so our ppp0 ip addressess are going to change from time to
time. Given that after changing the DST addressess this is the out put
of my echoie ifup.

[root@mail root]# ifup /etc/sysconfig/network-scripts/ifcfg-Dump 
Were here
RTNETLINK answers: File exists
add esp -m tunnel -E 3des-cbc
add esp -m tunnel -E 3des-cbc
add ah -m tunnel -A hmac-sha1
add ah -m tunnel -A hmac-sha1
spdadd any -P out ipsec
spdadd any -P in ipsec
[root@mail root]#  /sbin/setkey -D
No SAD entries.

Comment 9 Bill Nottingham 2004-06-30 04:36:50 UTC
Heh, you've got debugging in the script. Is setkey throwing an error?
(Don't redirect the output, etc...)

Comment 10 stef 2004-06-30 04:57:08 UTC
We've added debugging to the script so we can see the commands its
issuing to setkey.

Without the echoyness it only returns:

RTNETLINK answers: File exists

setkey does not appear to be throwing an error

Comment 11 stef 2004-06-30 06:09:04 UTC
my bad - found the redirects you were talking about

setkey is throwing parse errors

i changed script again to output the vars its using:

[root@mail root]# ifup /etc/sysconfig/network-scripts/ifcfg-Dump 
RTNETLINK answers: File exists
line 1: parse error at [;]
parse failed, line 1.

thinking its got something to do with the vars
SPI_AH_IN/OUT and SPI_ESP_IN/OUT not being populated

Comment 12 Bill Nottingham 2004-06-30 19:20:54 UTC
If you're using completely manual keys, you need SPIs set.

They're arbitrary-but-unique-per-host numbers (from 1 to 65536); _IN
on one side needs to match _OUT on the other. They're connection

Comment 13 stef 2004-07-01 02:42:26 UTC
Set SPI's and got past that error ...

The key generated by network tool is the wrong length for the
default encryption types.

Manually adjusting the keys got it to work - thanks.

Comment 14 Bill Nottingham 2004-07-01 02:44:54 UTC
So, it all works now with the configuration?

Comment 15 stef 2004-07-01 04:37:15 UTC
The comments at the top of the ifup-ipsec script make sense now that
its working. Basically, i was missing the SPI ids and keys weren't
right for the encryption.

It doesn't seem to add the route but I *can* ping something over there :)

Comment 16 Bill Nottingham 2004-07-01 18:07:00 UTC
Closing as worksforme, then.

Comment 17 stef 2004-07-01 22:24:17 UTC
As we used the ipsec wizard in the system-config-network gui app,
it may be a bug that these ids and keys were incorrect or missing.

Comment 18 Harald Hoyer 2004-07-02 08:25:56 UTC
fixed in the development tree with system-config-network-1.3.17-2
I think of releasing a bugfix erratum for FC2.
Could you please test system-config-network-1.3.17-2 ??

Comment 19 Harald Hoyer 2004-07-02 08:26:54 UTC
hmm, bug #127114 seems to be a duplicate of this one..

Comment 20 stef 2004-07-05 05:03:06 UTC
The ipsec wizard in system-config-network-1.3.17-2 works nicely, thanks.

Comment 21 Harald Hoyer 2004-07-05 08:16:39 UTC
*** Bug 127114 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.