Red Hat Bugzilla – Bug 158245
Making AH optional for IPSec
Last modified: 2014-03-16 22:54:00 EDT
Description of problem:
While solving some problems I had with IPSec, and looking around at how other
people solved them, I realized that many folks choose to use ESP only (no AH)
when building tunnels. Also, according to the IPSec HOWTO
(http://www.ipsec-howto.org/), AH is incompatible with NAT-traversal (only ESP
can be used with it). Since ESP can also provide for packet authentication,
using AH should be a configuration option. Implementing this option could be a
step to having an option for NAT-traversal in the future.
I've included a patch against initscripts 7.93.11 (ifup and ifdown). Not tested
yet, just to show the general idea. The patch is simple: a couple of if statements and
duplication of code.
If you find this option to be worth inclusion into the initscripts, I'll do the
testing and resubmit the patch (if needed). I could also work on a bit more
complicated version of the patch. Basically, it would build a "setkey" script in a
temporary directory, and then execute it. The code would look something like this:
cat > /tmp/blahblah <<EOF
#! /usr/sbin/setkey -f
EOF
if [ -n "$USE_AH" ]; then
cat >> /tmp/blahblah <<EOF
more blah blah
EOF
fi
chmod 755 /tmp/blahblah
/tmp/blahblah
rm -f /tmp/blahblah
Or something similar to the above. That would make the ifup/ifdown-ipsec scripts
more manageable as features are added in the future (no duplication of code).
So basically, let me know what you think about it...
Version-Release number of selected component (if applicable):
Steps to Reproduce:
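Added example (not the reporter's patch in attachment 114591 and not Red Hat's ifup-ipsec code): a shell sketch of the "generate a setkey script, then execute it" idea from the description, with ESP (carrying its own -A authentication) always emitted and AH emitted only when the USE_AH switch is set. The temporary file comes from mktemp rather than a fixed /tmp name, so a local user cannot pre-create or symlink the path. The gateway addresses, SPIs, algorithms and hex keys are constructed placeholders, not taken from the bug report; the syntax is that of ipsec-tools' setkey(8).

```shell
#!/bin/sh
# Added example, not from the bug report or its attached patch.
# Builds a setkey script with ESP always present and AH only when requested.
# Assumed (not in the bug report): addresses, SPIs, algorithms and keys are
# constructed placeholders; syntax follows ipsec-tools' setkey(8).

# Print the setkey script on stdout.
#   $1 = local gateway address, $2 = remote gateway address,
#   $3 = non-empty to add AH on top of ESP (the USE_AH switch).
gen_setkey_script() {
    src=$1; dst=$2; use_ah=$3

    # Constructed placeholders; a real script would read these from ifcfg-*.
    esp_spi_out=0x201; esp_spi_in=0x202
    ah_spi_out=0x301;  ah_spi_in=0x302
    esp_enc_key=0x0123456789abcdef0123456789abcdef0123456789abcdef   # 192-bit 3DES
    esp_auth_key=0x89abcdef0123456789abcdef0123456789abcdef           # 160-bit HMAC-SHA1
    ah_key=0xfedcba9876543210fedcba9876543210fedcba98                 # 160-bit HMAC-SHA1

    printf '%s\n' '#!/usr/sbin/setkey -f' 'flush;' 'spdflush;'

    # ESP with -A already gives per-packet integrity, so AH is optional.
    printf 'add %s %s esp %s -E 3des-cbc %s -A hmac-sha1 %s;\n' \
        "$src" "$dst" "$esp_spi_out" "$esp_enc_key" "$esp_auth_key"
    printf 'add %s %s esp %s -E 3des-cbc %s -A hmac-sha1 %s;\n' \
        "$dst" "$src" "$esp_spi_in" "$esp_enc_key" "$esp_auth_key"
    out_policy="esp/tunnel/$src-$dst/require"
    in_policy="esp/tunnel/$dst-$src/require"

    if [ -n "$use_ah" ]; then
        # AH also authenticates the outer IP header, which is why it breaks
        # behind NAT; emit it only on request.
        printf 'add %s %s ah %s -A hmac-sha1 %s;\n' \
            "$src" "$dst" "$ah_spi_out" "$ah_key"
        printf 'add %s %s ah %s -A hmac-sha1 %s;\n' \
            "$dst" "$src" "$ah_spi_in" "$ah_key"
        out_policy="$out_policy ah/tunnel/$src-$dst/require"
        in_policy="$in_policy ah/tunnel/$dst-$src/require"
    fi

    printf 'spdadd %s %s any -P out ipsec %s;\n' "$src" "$dst" "$out_policy"
    printf 'spdadd %s %s any -P in ipsec %s;\n'  "$dst" "$src" "$in_policy"
}

# Write the script to a private temp file, run it through its #! line
# (setkey -f), and remove it. mktemp avoids the predictable /tmp/blahblah
# path, which another local user could pre-create or symlink.
run_setkey_script() {
    tmp=$(mktemp /tmp/ifup-ipsec.XXXXXX) || return 1
    gen_setkey_script "$1" "$2" "$3" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 700 "$tmp"
    "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run directly with two addresses to print the generated script; setting
# USE_AH=yes in the environment turns AH on, e.g.:
#   USE_AH=yes sh ifup-ipsec-example.sh 10.0.0.1 10.0.0.2
if [ $# -ge 2 ]; then
    gen_setkey_script "$1" "$2" "${USE_AH:-}"
fi
```

With USE_AH unset the generated script contains only the two ESP SAs and ESP-only policies; with USE_AH set it adds two AH SAs and appends ah/tunnel/... to each policy, which is exactly the conditional the description wants instead of duplicated ifup/ifdown code.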
Created attachment 114591 [details]
one way to do it
*** This bug has been marked as a duplicate of 122452 ***