Red Hat Bugzilla – Bug 147001
ifup-ipsec incompatible with kernel >= 2.6.10
Last modified: 2014-03-16 22:52:10 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5)
Description of problem:
When setting up an ipsec tunnel using kernel >= 2.6.10, a forward
policy must also be defined using setkey.
Quote from http://www.ipsec-howto.org/x277.html :
Attention: When using the Linux kernel >= 2.6.10 you also have to
define the forward policy for the tunnel to work. You can create this
policy by copying the -P in policy and replacing in by fwd:
spdadd 172.16.2.0/24 172.16.1.0/24 any -P fwd ipsec
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. upgrade to kernel >= 2.6.10
2. set up an ipsec tunnel
3. Attempt to use the tunnel from a box other than the tunnel endpoint
Actual Results: traffic is not forwarded from the IPSec tunnel (the
tunnel is non-functional), though non-tunneled IPSec traffic does
travel over the IPSec link -- that is, endpoint-to-endpoint traffic
works, but traffic from other machines is not forwarded through the
Expected Results: Traffic should be forwarded through the tunnel
IPSec tunnels are non-functional anyway until bug #140654 is fixed.
@@ -164,6 +164,12 @@
+spdadd $DSTNET $SRCNET any -P fwd ipsec
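Review bot: only one added line is visible for a header (`@@ -164,6 +164,12 @@`) that accounts for six, and it is cut off after `ipsec`, so the full policy specifier and terminating `;` cannot be checked here. The selector order `$DSTNET $SRCNET` with `-P fwd` correctly mirrors the `-P in` entry, as the quoted howto prescribes; the host-to-host block (the `$DST $SRC` policies that the ifdown patch below also deletes from) needs the same `-P fwd` entry, otherwise forwarded traffic for that case stays broken while the net-to-net case works.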
Did you try the test update?
Yes. Sorry about not seeing that earlier. It does fix this bug, but
doesn't fix #140654. Sorry to keep harping on this, but fixing this
bug doesn't help much as long as that one remains unresolved:
ifup-ipsec in tunnel mode still doesn't work.
Of course what is done in ifup should be undone in ifdown. initscripts-7.93.6-1
adds fwd policies but does not remove them. Suggested patch:
--- ifdown-ipsec.orig 2005-02-17 20:34:42.222228512 -0500
+++ ifdown-ipsec 2005-02-17 20:51:49.242922534 -0500
@@ -57,6 +57,7 @@
setkey -c << EOF
spddelete $SRC $DST any -P out;
spddelete $DST $SRC any -P in;
+ spddelete $DST $SRC any -P fwd;
[ -z "$SRCNET" ] && SRCNET="$SRC/32"
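Review bot: error handling differs between the two blocks this patch touches. Here `setkey -c << EOF` leaves setkey's output visible, whereas the second block uses `/sbin/setkey -c >/dev/null 2>&1`; on a kernel that never had a fwd policy installed, the new `spddelete $DST $SRC any -P fwd;` can produce a visible error on every ifdown in this path while being silent in the other. Treat both blocks the same way (either redirect here as well, or only delete the fwd policy where ifup added one). Also, the added line shows a space after the `+` that the two `spddelete` context lines lack; if that is a real leading space in the heredoc rather than a paste artifact, setkey accepts it, but it should match the neighbouring lines. The heredoc's closing `EOF` is outside the shown context, so the placement of the new line before it cannot be verified from the hunk alone.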
@@ -67,6 +68,7 @@
/sbin/setkey -c >/dev/null 2>&1 << EOF
spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;
+ spddelete $DSTNET $SRCNET any -P fwd;
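Review bot: this delete mirrors the ifup change (`spdadd $DSTNET $SRCNET any -P fwd`, same selector order and direction), so the add/delete pair is symmetric for the net-to-net case. With stdout and stderr already sent to /dev/null in this block, deleting a policy that does not exist is silent, which is the behaviour the first hunk should be brought in line with. Same leading-space remark as for the first hunk applies to the `+ spddelete` line.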
Added in CVS.
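The thread makes two points: on kernels >= 2.6.10 the fwd policy has to be added alongside the in policy (copy the in entry, replace in by fwd), and whatever ifup-ipsec adds, ifdown-ipsec must delete. The script below is an added example, not initscripts code or the patch from this bug: it generates the setkey commands for both ifup (spdadd) and ifdown (spddelete) from one function, so the two cannot drift apart, and it adds the fwd entry only when the kernel version passes the 2.6.10 check. The selector and tunnel-endpoint values at the bottom are constructed, the version comparison helper is the example's own, and setkey itself is not invoked.

```shell
#!/bin/sh
# Added example (not initscripts code): build the setkey SPD commands for an
# IPsec tunnel so that ifup and ifdown stay symmetric, adding the "fwd" policy
# only on kernels >= 2.6.10, where it is required for forwarded traffic.

# Keep only the digits of $1 so "10rc1" or "" compares as a number.
num() {
    n=$(printf '%s' "$1" | tr -dc '0-9')
    printf '%s' "${n:-0}"
}

# True (exit 0) when kernel version $1 is >= 2.6.10. Accepts the release
# suffix "uname -r" prints on Fedora, e.g. 2.6.10-1.741_FC3.
needs_fwd_policy() {
    v=${1%%-*}                      # drop everything from the first "-"
    oldifs=$IFS; IFS=.
    set -- $v 0 0                   # split on ".", pad missing components
    IFS=$oldifs
    maj=$(num "$1"); min=$(num "$2"); pat=$(num "$3")
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -lt 2 ] && return 1
    [ "$min" -gt 6 ] && return 0
    [ "$min" -lt 6 ] && return 1
    [ "$pat" -ge 10 ]
}

# Print the setkey commands for one tunnel.
#   $1  "spdadd" (ifup) or "spddelete" (ifdown)
#   $2  local selector, e.g. 172.16.1.0/24
#   $3  remote selector, e.g. 172.16.2.0/24
#   $4  policy body for spdadd, e.g. "ipsec esp/tunnel/192.168.1.1-192.168.2.1/require"
#   $5  kernel version string (what "uname -r" returns)
# The fwd entry is the in entry with "in" replaced by "fwd", as the quoted
# ipsec-howto text says. spddelete identifies a policy by selectors and
# direction only, so no body is printed for it.
spd_commands() {
    action=$1 lnet=$2 rnet=$3 body=$4 kver=$5
    [ "$action" = spddelete ] && body=""
    printf '%s %s %s any -P out%s;\n' "$action" "$lnet" "$rnet" "${body:+ $body}"
    printf '%s %s %s any -P in%s;\n'  "$action" "$rnet" "$lnet" "${body:+ $body}"
    if needs_fwd_policy "$kver"; then
        printf '%s %s %s any -P fwd%s;\n' "$action" "$rnet" "$lnet" "${body:+ $body}"
    fi
}

# ifup would run:   spd_commands spdadd    "$SRCNET" "$DSTNET" "$BODY" "$(uname -r)" | setkey -c
# ifdown would run: spd_commands spddelete "$SRCNET" "$DSTNET" ""      "$(uname -r)" | setkey -c >/dev/null 2>&1
# Shown here with constructed values and without invoking setkey:
spd_commands spdadd    172.16.1.0/24 172.16.2.0/24 "ipsec esp/tunnel/192.168.1.1-192.168.2.1/require" 2.6.10
spd_commands spddelete 172.16.1.0/24 172.16.2.0/24 "" 2.6.10
```

Because ifdown derives its spddelete list from the same function and the same kernel check, the fwd policy is removed exactly when it was added, which is the gap the second patch in this bug closes by hand. Running the delete set through `setkey -c` with output discarded, as the net-to-net block of ifdown-ipsec already does, keeps a missing policy from producing noise on older kernels.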
Closing this one for now; the ifup-ipsec/ifdown-ipsec changes are
obviated with the ipsec-tools update.