Bug 147001 - ifup-ipsec incompatible with kernel >= 2.6.10
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: initscripts
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Bill Nottingham
QA Contact: Brock Organ
Reported: 2005-02-03 11:17 EST by Tyler Larson
Modified: 2014-03-16 22:52 EDT (History)
Doc Type: Bug Fix
Last Closed: 2005-03-07 15:06:13 EST
Description Tyler Larson 2005-02-03 11:17:33 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
When setting up an ipsec tunnel using kernel >= 2.6.10, a forward
policy must also be defined using setkey.

Quote from http://www.ipsec-howto.org/x277.html :
---

Attention: When using the Linux kernel >= 2.6.10 you also have to
define the forward policy for the tunnel to work. You can create this
policy by copying the -P in policy and replacing in by fwd:

spdadd 172.16.2.0/24 172.16.1.0/24 any -P fwd ipsec
           esp/tunnel/192.168.2.100-192.168.1.100/require;

---
Version-Release number of selected component (if applicable):
initscripts-7.93.5-1

How reproducible:
Always

Steps to Reproduce:
1. upgrade to kernel >= 2.6.10
2. set up an ipsec tunnel
3. Attempt to use the tunnel from a box other than the tunnel endpoint
Actual Results:  traffic is not forwarded from the IPSec tunnel (the
tunnel is non-functional), though non-tunneled IPSec traffic does
travel over the IPSec link -- that is, endpoint-to-endpoint traffic
works, but traffic from other machines is not forwarded through the
tunnel.

Expected Results:  Traffic should be forwarded through the tunnel

Additional info:

IPSec tunnels are non-functional anyway until bug #140654 is fixed.
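The description above states that the fwd policy is the in policy with the direction keyword changed, and the later comments establish that whatever ifup-ipsec adds to the SPD, ifdown-ipsec has to remove. The shell script below is an added example, not initscripts code and not part of this report: it builds the three spdadd lines for a tunnel-mode link from the same SRC/DST/SRCNET/DSTNET values ifup-ipsec uses (ESP only; the AH variant is left out), builds the matching spddelete lines, and checks that every policy set up has a teardown counterpart. The addresses are constructed sample values taken from the howto quote; the function names spd_up, spd_down and spd_symmetric are this example's own.

```shell
#!/bin/sh
# Added example, not the initscripts code. Builds the SPD entries for a
# tunnel-mode IPsec link between two gateways, including the fwd policy
# that kernels >= 2.6.10 require, plus the matching teardown, and checks
# that setup and teardown are symmetric. Only ESP is handled here; the
# AH variant from ifup-ipsec is omitted.

# spd_up SRC DST SRCNET DSTNET
# Prints the spdadd lines. The fwd entry is the in entry with the
# direction keyword replaced, as the IPsec HOWTO describes.
spd_up() {
    cat <<EOF
spdadd $3 $4 any -P out ipsec esp/tunnel/$1-$2/require;
spdadd $4 $3 any -P in ipsec esp/tunnel/$2-$1/require;
spdadd $4 $3 any -P fwd ipsec esp/tunnel/$2-$1/require;
EOF
}

# spd_down SRC DST SRCNET DSTNET
# Prints the spddelete lines that undo spd_up; selectors and direction
# must match exactly or setkey will not find the policy.
spd_down() {
    cat <<EOF
spddelete $3 $4 any -P out;
spddelete $4 $3 any -P in;
spddelete $4 $3 any -P fwd;
EOF
}

# spd_symmetric "UP_LINES" "DOWN_LINES"
# Returns 0 when every spdadd has a spddelete with the same
# (src, dst, direction) selector; otherwise lists the orphans on stderr
# and returns 1. This is the gap Comment 4 found in ifdown-ipsec.
spd_symmetric() {
    up_sel=$(printf '%s\n' "$1" | awk '/^spdadd/ {print $2, $3, $6}')
    down_sel=$(printf '%s\n' "$2" | awk '/^spddelete/ {sub(/;$/, "", $6); print $2, $3, $6}')
    rc=0
    while read -r sel; do
        [ -n "$sel" ] || continue
        if ! printf '%s\n' "$down_sel" | grep -qxF -- "$sel"; then
            echo "no spddelete for: $sel" >&2
            rc=1
        fi
    done <<EOF
$up_sel
EOF
    return $rc
}

# Demonstration with constructed addresses (the howto's example networks).
SRC=192.168.1.100 DST=192.168.2.100 SRCNET=172.16.1.0/24 DSTNET=172.16.2.0/24
up=$(spd_up "$SRC" "$DST" "$SRCNET" "$DSTNET")
down=$(spd_down "$SRC" "$DST" "$SRCNET" "$DSTNET")
printf '%s\n' "$up"      # pipe this into "setkey -c" to install the policies
if spd_symmetric "$up" "$down"; then
    echo "teardown mirrors setup"
fi
# Pre-fix behaviour: a teardown without the fwd line leaves it behind.
spd_symmetric "$up" "$(printf '%s\n' "$down" | grep -v -- '-P fwd')" \
    || echo "teardown is incomplete (fwd policy would be left in the SPD)"
```

Feeding the spd_up output into `setkey -c` installs the policies and the spd_down output removes them; running spd_symmetric over the two heredocs an init script emits is a cheap way to catch the asymmetry this report's Comment 4 describes before it reaches a live SPD.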
Comment 1 Tyler Larson 2005-02-03 11:22:36 EST
Fix:
@@ -164,6 +164,12 @@
            ${KEY_ESP_IN:+esp/tunnel/$DST-$SRC/require}
            ${KEY_AH_IN:+ah/tunnel/$DST-$SRC/require}
            ;
+
+spdadd $DSTNET $SRCNET any -P fwd ipsec
+           ${KEY_ESP_IN:+esp/tunnel/$DST-$SRC/require}
+           ${KEY_AH_IN:+ah/tunnel/$DST-$SRC/require}
+           ;
+
 EOF
     fi
 fi
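Review bot: the new `spdadd $DSTNET $SRCNET any -P fwd` entry has no counterpart in ifdown-ipsec, so taking the interface down removes the out and in policies but leaves the fwd policy behind in the SPD; add `spddelete $DSTNET $SRCNET any -P fwd;` to the teardown heredoc in the same patch. The selectors and the `$DST-$SRC` tunnel endpoints mirror the existing in policy, which is exactly what the howto prescribes, and because the entry uses $DSTNET/$SRCNET it only applies to the network branch.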
Comment 2 Bill Nottingham 2005-02-03 14:46:53 EST
Did you try the test update?
Comment 3 Tyler Larson 2005-02-11 15:16:42 EST
Yes. Sorry about not seeing that earlier. It does fix this bug, but
doesn't fix #140654. Sorry to keep harping on this, but fixing this
bug doesn't help much as long as that one remains unresolved:
ifup-ipsec in tunnel mode still doesn't work.
Comment 4 Christopher Johnson 2005-02-17 21:09:21 EST
Of course what is done in ifup should be undone in ifdown.  initscripts-7.93.6-1
adds fwd policies but does not remove them.  Suggested patch:
--- ifdown-ipsec.orig   2005-02-17 20:34:42.222228512 -0500
+++ ifdown-ipsec        2005-02-17 20:51:49.242922534 -0500
@@ -57,6 +57,7 @@
        setkey -c << EOF
        spddelete $SRC $DST any -P out;
        spddelete $DST $SRC any -P in;
+       spddelete $DST $SRC any -P fwd;
 EOF
 else
       [ -z "$SRCNET" ] && SRCNET="$SRC/32"
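Review bot: this `spddelete $DST $SRC any -P fwd;` sits in the host-to-host branch (the one keyed on $SRC/$DST rather than $SRCNET/$DSTNET), while the ifup-ipsec change in Comment 1 only adds a fwd policy in the $DSTNET/$SRCNET branch; if ifup installs no fwd policy for the host case, this line asks setkey to delete an entry that does not exist, and since this first `setkey -c` invocation does not redirect its output, setkey's complaint would appear on every ifdown. Either add the matching spdadd to ifup-ipsec's host branch or drop this line and keep only the network-branch delete.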
@@ -67,6 +68,7 @@
       /sbin/setkey -c >/dev/null 2>&1 << EOF
        spddelete $SRCNET $DSTNET any -P out;
        spddelete $DSTNET $SRCNET any -P in;
+       spddelete $DSTNET $SRCNET any -P fwd;
 EOF
 fi
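Review bot: this line matches the policy Comment 1's ifup-ipsec patch installs (`spdadd $DSTNET $SRCNET any -P fwd`), selector order and direction included, so the network branch now tears down everything it sets up. One caveat from the surrounding context: this `/sbin/setkey -c` call sends both stdout and stderr to /dev/null, so a failing spddelete (for example after a partially completed ifup) goes unnoticed; consider keeping stderr or checking setkey's exit status.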
Comment 5 Bill Nottingham 2005-02-18 16:57:03 EST
Added in CVS.
Comment 6 Bill Nottingham 2005-03-07 15:06:13 EST
Closing this one for now; the ifup-ipsec/ifdown-ipsec changes are
obviated with the ipsec-tools update.