From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
When setting up an ipsec tunnel using kernel >= 2.6.10, a forward policy must also be defined using setkey. Quote from http://www.ipsec-howto.org/x277.html :
---
Attention: When using the Linux kernel >= 2.6.10 you also have to define the forward policy for the tunnel to work. You can create this policy by copying the -P in policy and replacing in by fwd:

spdadd 172.16.2.0/24 172.16.1.0/24 any -P fwd ipsec esp/tunnel/192.168.2.100-192.168.1.100/require;
---

Version-Release number of selected component (if applicable):
initscripts-7.93.5-1

How reproducible:
Always

Steps to Reproduce:
1. upgrade to kernel >= 2.6.10
2. set up an ipsec tunnel
3. Attempt to use the tunnel from a box other than the tunnel endpoint

Actual Results:
traffic is not forwarded from the IPSec tunnel (the tunnel is non-functional), though non-tunneled IPSec traffic does travel over the IPSec link -- that is, endpoint-to-endpoint traffic works, but traffic from other machines is not forwarded through the tunnel.

Expected Results:
Traffic should be forwarded through the tunnel

Additional info:
IPSec tunnels are non-functional anyway until bug #140654 is fixed.
Fix: @@ -164,6 +164,12 @@ ${KEY_ESP_IN:+esp/tunnel/$DST-$SRC/require} ${KEY_AH_IN:+ah/tunnel/$DST-$SRC/require} ; + +spdadd $DSTNET $SRCNET any -P fwd ipsec + ${KEY_ESP_IN:+esp/tunnel/$DST-$SRC/require} + ${KEY_AH_IN:+ah/tunnel/$DST-$SRC/require} + ; + EOF fi fi
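Review bot: the new `spdadd $DSTNET $SRCNET any -P fwd ipsec` entry has no counterpart in ifdown-ipsec in this patch, so every ifup/ifdown cycle leaves a stale forward policy in the SPD; ifdown-ipsec should gain a matching `spddelete $DSTNET $SRCNET any -P fwd;` beside its existing `spddelete $DSTNET $SRCNET any -P in;`. The hunk also only touches the net-to-net heredoc ($SRCNET/$DSTNET); if ifup-ipsec has a host-to-host branch ($SRC/$DST) like the one ifdown-ipsec has, state explicitly that it is left without a fwd policy, since traffic terminating at the endpoint never hits the fwd lookup, so that the two scripts stay symmetric.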
Did you try the test update?
Yes. Sorry about not seeing that earlier. It does fix this bug, but doesn't fix #140654. Sorry to keep harping on this, but fixing this bug doesn't help much as long as that one remains unresolved: ifup-ipsec in tunnel mode still doesn't work.
Of course what is done in ifup should be undone in ifdown. initscripts-7.93.6-1 adds fwd policies but does not remove them. Suggested patch: --- ifdown-ipsec.orig 2005-02-17 20:34:42.222228512 -0500 +++ ifdown-ipsec 2005-02-17 20:51:49.242922534 -0500 @@ -57,6 +57,7 @@ setkey -c << EOF spddelete $SRC $DST any -P out; spddelete $DST $SRC any -P in; + spddelete $DST $SRC any -P fwd; EOF else [ -z "$SRCNET" ] && SRCNET="$SRC/32" @@ -67,6 +68,7 @@ /sbin/setkey -c >/dev/null 2>&1 << EOF spddelete $SRCNET $DSTNET any -P out; spddelete $DSTNET $SRCNET any -P in; + spddelete $DSTNET $SRCNET any -P fwd; EOF fi
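Review bot: the first hunk adds `spddelete $DST $SRC any -P fwd;` to the host-to-host branch, but the ifup-ipsec fix in initscripts-7.93.6-1 only adds the fwd policy in the net-to-net ($DSTNET/$SRCNET) heredoc, so in the host branch this deletes a policy that was never added. That branch runs `setkey -c << EOF` without the `>/dev/null 2>&1` redirection the second branch has, so the failed delete will print a setkey error on every ifdown. Either add the fwd policy to ifup's host branch as well, or drop the new line from the first hunk and keep only the `spddelete $DSTNET $SRCNET any -P fwd;` in the second; while here, the two branches should also agree on `setkey` versus `/sbin/setkey`.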
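The two points raised in this bug, that a tunnel-mode SPD on kernel >= 2.6.10 needs an `fwd` entry alongside `in` and `out`, and that whatever ifup adds ifdown must remove, can be checked mechanically. The following is an added example in POSIX sh, not initscripts' own code: it generates the `spdadd` block an ifup script would feed to setkey and the matching `spddelete` block for ifdown, then checks that a block covers all three directions and that every spdadd has a corresponding spddelete. The `$SRC`/`$DST`/`$SRCNET`/`$DSTNET` naming mirrors the scripts quoted in the bug; the endpoint and subnet values are constructed sample input taken from the ipsec-howto quote, and the policies are ESP-only (no AH) for brevity.

```shell
#!/bin/sh
# Added example (not from initscripts): emit and verify the SPD entries for a
# net-to-net IPsec tunnel, including the fwd policy required on kernel >= 2.6.10.

# ipsec_spd_add SRC DST SRCNET DSTNET
# Prints the three spdadd lines ifup would send to setkey: out, in and fwd.
# The fwd entry is the in entry with the direction swapped, as the howto says.
ipsec_spd_add() {
    src=$1 dst=$2 srcnet=$3 dstnet=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$srcnet" "$dstnet" "$src" "$dst"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$dstnet" "$srcnet" "$dst" "$src"
    printf 'spdadd %s %s any -P fwd ipsec esp/tunnel/%s-%s/require;\n' \
        "$dstnet" "$srcnet" "$dst" "$src"
}

# ipsec_spd_delete SRCNET DSTNET
# Prints the spddelete lines ifdown must send so nothing added above is left
# behind; one line per direction, selectors identical to the spdadd lines.
ipsec_spd_delete() {
    srcnet=$1 dstnet=$2
    printf 'spddelete %s %s any -P out;\n' "$srcnet" "$dstnet"
    printf 'spddelete %s %s any -P in;\n'  "$dstnet" "$srcnet"
    printf 'spddelete %s %s any -P fwd;\n' "$dstnet" "$srcnet"
}

# spd_complete BLOCK
# Succeeds only if the block names all three directions (out, in, fwd).
# A block that lacks fwd is exactly the pre-2.6.10 configuration this bug is about.
spd_complete() {
    for dir in out in fwd; do
        printf '%s\n' "$1" | grep -q -- "-P $dir[ ;]" || return 1
    done
}

# spd_symmetric ADD_BLOCK DELETE_BLOCK
# Succeeds only if every "spdadd SRC DST PROTO -P DIR ..." line has a matching
# "spddelete SRC DST PROTO -P DIR;" line, i.e. ifdown undoes what ifup did.
spd_symmetric() {
    add=$1 del=$2
    printf '%s\n' "$add" | while read -r _cmd s d proto _flag dir _rest; do
        printf '%s\n' "$del" | grep -q "^spddelete $s $d $proto -P $dir;" || exit 1
    done
}

# Sample values from the ipsec-howto quote (constructed input, not a live config).
SRC=192.168.1.100 DST=192.168.2.100 SRCNET=172.16.1.0/24 DSTNET=172.16.2.0/24
ADD=$(ipsec_spd_add "$SRC" "$DST" "$SRCNET" "$DSTNET")
DEL=$(ipsec_spd_delete "$SRCNET" "$DSTNET")
printf '%s\n' "$ADD"
spd_complete "$ADD" && spd_symmetric "$ADD" "$DEL" && echo "SPD add/delete blocks are complete and symmetric"
```

Running the script prints the three spdadd lines followed by the confirmation message; feeding an ifdown block that still lacks the `fwd` delete to `spd_symmetric` makes it fail, which is the state initscripts-7.93.6-1 was in.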
Added in CVS.
Closing this one for now; the ifup-ipsec/ifdown-ipsec changes are obviated with the ipsec-tools update.