Bug 129054 - Raccoon config file is generated with errors
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: ipsec-tools
Version: 3.0
Hardware: i686 Linux
Severity: medium
Assigned To: Bill Nottingham
Reported: 2004-08-03 11:52 EDT by Matt Claridge
Modified: 2014-03-16 22:47 EDT
Last Closed: 2005-03-11 18:12:59 EST
Doc Type: Bug Fix

Attachments
First requested config file (294 bytes, text/plain) - 2004-08-03 12:49 EDT, Matt Claridge
First requested config file (64 bytes, text/plain) - 2004-08-03 12:49 EDT, Matt Claridge
Second config file (64 bytes, text/plain) - 2004-08-03 12:56 EDT, Matt Claridge

Description Matt Claridge 2004-08-03 11:52:43 EDT
Description of problem:
When setting up an ipsec interface with the following config:

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
DST=194.73.118.113
SRCNET=172.18.100.0/24
DSTNET=145.224.7.0/24
AH_PROTO=hmac_sha1
ESP_PROTO=3des

the automatically generated 194.73.118.113.conf raccoon configuration
file contains errors, which manifest themselves in the log file as:

ERROR: cftoken.l:474:yyerror(): /etc/racoon/194.73.118.113.conf:7: ";"
algorithm mismatched 1

This is because there are spaces put in the file between the values
and the semi-colon. Amending the config file to read:

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD="PSK "
DST=194.73.118.113
SRCNET=172.18.100.0/24
DSTNET=145.224.7.0/24
AH_PROTO="hmac_sha1 "
ESP_PROTO="3des "

fixes the parse errors (note the spaces added to the values for
IKE_METHOD, AH_PROTO, ESP_PROTO).

My /etc/racoon/racoon.conf reads:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
include "/etc/racoon/194.73.118.113.conf";


Version-Release number of selected component (if applicable):
0.2.3

How reproducible:
Always

Steps to Reproduce:
1. Create an ipsec interface using supplied config parameters
2. Bring the interface up with /sbin/ifup ipsec0
3. Check the errors in /var/log/messages

Actual Results:  Errors found in log file. Interface fails to come up.

Expected Results:  Interface should come up with no errors.

Additional info:
Comment 1 Bill Nottingham 2004-08-03 12:31:04 EDT
What specific versions of initscripts and ipsec-tools do you have?
Comment 2 Matt Claridge 2004-08-03 12:35:48 EDT
initscripts-7.31.13.EL-1
ipsec-tools-0.2.5-0.5

(ipsec itself reports version 0.2.3 in the log file)
Comment 3 Bill Nottingham 2004-08-03 12:40:22 EDT
Can you attach /etc/racoon/194.73.118.113.conf?
Comment 4 Matt Claridge 2004-08-03 12:49:06 EDT
Created attachment 102392 [details]
First requested config file
Comment 5 Matt Claridge 2004-08-03 12:49:24 EDT
Created attachment 102393 [details]
First requested config file
Comment 6 Matt Claridge 2004-08-03 12:49:56 EDT
Two files attached:

194.73.118.113.conf.no_spaces is the result of a 'correct' ipsec0 
configuration with no spaces inserted.

194.73.118.113.conf.with_spaces is the result of adding spaces into
the device config. Although the file is obviously incorrect, it is
the only way around the parse errors.
Comment 7 Bill Nottingham 2004-08-03 12:53:36 EDT
Please reattach the second as text/plain; it appears to have been
corrupted.
Comment 8 Matt Claridge 2004-08-03 12:56:58 EDT
Created attachment 102395 [details]
Second config file

Second file again
Comment 9 Bill Nottingham 2004-08-03 14:53:08 EDT
The second file you posted keeps appearing just as:

---
remote 194.73.118.113
{
        exchange_mode aggressive, main;
---

Obviously, this isn't right.
Comment 10 Matt Claridge 2004-08-04 04:22:27 EDT
that's the complete file - that's all it generates....
Comment 11 Bill Nottingham 2005-03-11 18:12:59 EST
Apologies for the lack of response.

I believe the problem is just the encryption algorithm - for racoon,
you need 'sha1', not 'hmac_sha1'. (Yes, setkey and racoon take
different names for the same algorithm.)
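
As an added example (not the initscripts generator and not code from this bug), the script below parses an ifcfg-ipsec file like the one in the report, normalises the trailing-space workaround away, and rejects setkey-style algorithm names before racoon's parser has to. The hmac_sha1 to sha1 rename is the one from comment 11; the remote block layout, the md5 row and the ESP_PROTO/IKE_METHOD tables are assumptions about what ifup-ipsec emits.

```python
import re

# ifcfg value -> keyword racoon accepts in a phase-1 proposal. hmac_sha1 -> sha1
# is the rename from comment 11; the other rows are assumed from racoon's own
# keyword names, not taken from the bug.
RACOON_HASH = {"hmac_sha1": "sha1", "sha1": "sha1",
               "hmac_md5": "md5", "md5": "md5"}
RACOON_ENC = {"3des": "3des", "des": "des", "blowfish": "blowfish",
              "rijndael": "rijndael"}
RACOON_AUTH = {"PSK": "pre_shared_key", "X509": "rsasig"}

# Constructed copy of the reporter's ifcfg-ipsec0, with the trailing-space
# workaround applied to one key so the parser is seen to strip it.
SAMPLE_IFCFG = '''TYPE=IPSEC
ONBOOT=yes
IKE_METHOD="PSK "
DST=194.73.118.113
SRCNET=172.18.100.0/24
DSTNET=145.224.7.0/24
AH_PROTO=hmac_sha1
ESP_PROTO=3des
'''

def parse_ifcfg(text):
    """KEY=value lines; quotes and surrounding whitespace are stripped."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z_]+)=\s*"?([^"]*?)"?\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg

def validate(cfg):
    """Return the list of values racoon would choke on (empty if clean)."""
    errors = []
    if "DST" not in cfg:
        errors.append("DST missing")
    for key, table in (("AH_PROTO", RACOON_HASH), ("ESP_PROTO", RACOON_ENC),
                       ("IKE_METHOD", RACOON_AUTH)):
        if cfg.get(key, "") not in table:
            errors.append("%s=%r: racoon accepts %s"
                          % (key, cfg.get(key), sorted(table)))
    return errors

def racoon_remote(cfg):
    """Render the phase-1 remote block; refuse to emit a config racoon rejects."""
    errors = validate(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    return ("remote %s\n{\n\texchange_mode aggressive, main;\n\tproposal {\n"
            "\t\tencryption_algorithm %s;\n\t\thash_algorithm %s;\n"
            "\t\tauthentication_method %s;\n\t\tdh_group 2;\n\t}\n}\n"
            % (cfg["DST"], RACOON_ENC[cfg["ESP_PROTO"]],
               RACOON_HASH[cfg["AH_PROTO"]], RACOON_AUTH[cfg["IKE_METHOD"]]))
```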
