Bug 158245 - Making AH optional for IPSec
Status: CLOSED DUPLICATE of bug 122452
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: initscripts
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
QA Contact: Brock Organ
Keywords: FutureFeature
Reported: 2005-05-19 16:18 EDT by Aleksandar Milivojevic
Modified: 2014-03-16 22:54 EDT
Doc Type: Enhancement
Last Closed: 2005-05-19 16:26:27 EDT

Attachments
one way to do it (5.40 KB, patch)
2005-05-19 16:18 EDT, Aleksandar Milivojevic
Description Aleksandar Milivojevic 2005-05-19 16:18:37 EDT
Description of problem:
Hi Bill,

While solving some problems I had with IPSec, and looking around how other
people solved them, I realized that many folks choose to use ESP only (no AH)
when building tunnels.  Also, according to IPSec HOWTO
(http://www.ipsec-howto.org/), AH is incompatible with NAT-traversal (only ESP
can be used with it).  Since ESP can also provide for packet authentication,
using AH should be a configuration option.  Implementing this option could be a
step toward having an option for NAT-traversal in the future.

I've included a patch against initscripts 7.93.11 (ifup and ifdown).  Not tested
yet, just to show the general idea.  The patch is simple, a couple of if
statements and duplication of code.

If you find this option to be worth inclusion into the initscripts, I'll do the
testing, and resubmit the patch (if needed).  I could also work on a bit more
complicated version of the patch.  Basically, it would build a "setkey" script in
a temporary directory, and then execute it.  The code would look something like this:

# Build a setkey(8) script in a private temporary file, then execute it.
# (mktemp instead of a fixed /tmp name avoids a symlink race on the file.)
tmpf=$(mktemp /tmp/ifup-ipsec.XXXXXX) || exit 1
cat > "$tmpf" <<EOF
#! /usr/sbin/setkey -f

blah blah
EOF

# The AH part is appended only when USE_AH is set in the ifcfg file.
if [ -n "$USE_AH" ]; then
  cat >> "$tmpf" <<EOF
more blah blah
EOF
fi

chmod 755 "$tmpf"
"$tmpf"
rm -f "$tmpf"

Or something similar to the above.  That would make the ifup/ifdown-ipsec scripts
more manageable as features are added in the future (no duplication of code).

So basically, let me know what you think about it...

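What a USE_AH switch means at the setkey level, as an added example that is neither the attachment on this bug nor Red Hat's initscripts code: a generator for the setkey(8) script that an ifup-ipsec style helper would load. It always emits the two ESP SAs (encryption plus authentication) and an esp/transport policy, and adds the two AH SAs and the ah/transport//require policy element only when the argument is non-empty. The addresses, SPIs, key values and the function names gen_setkey_script and count_sas are constructed placeholders, not values from the report.

```sh
#!/bin/sh
# Added example (not the patch from this bug): emit a setkey(8) script for
# a transport-mode SA pair between SRC and DST, including AH only on request.
# Addresses, SPIs and keys below are constructed placeholders.

SRC=192.0.2.1
DST=192.0.2.2

# Placeholder keys of the correct length (aes-cbc 128-bit, hmac-sha1 160-bit).
# A real helper reads these from the interface's keys file, never from source.
ESP_ENC_KEY=0x00112233445566778899aabbccddeeff
ESP_AUTH_KEY=0x0123456789abcdef0123456789abcdef01234567
AH_AUTH_KEY=0xfedcba9876543210fedcba9876543210fedcba98

# gen_setkey_script USE_AH
# Prints the setkey script on stdout; a non-empty argument adds the AH SAs
# and extends the policy to require AH as well as ESP.
gen_setkey_script() {
    use_ah=$1
    policy_out="esp/transport//require"
    policy_in="esp/transport//require"

    printf '%s\n' "flush;" "spdflush;" ""

    # ESP gives confidentiality (-E) and integrity (-A). Dropping AH must not
    # turn into dropping -A, or the SA is encrypted but unauthenticated.
    printf 'add %s %s esp 0x201 -E aes-cbc %s -A hmac-sha1 %s;\n' \
        "$SRC" "$DST" "$ESP_ENC_KEY" "$ESP_AUTH_KEY"
    printf 'add %s %s esp 0x301 -E aes-cbc %s -A hmac-sha1 %s;\n' \
        "$DST" "$SRC" "$ESP_ENC_KEY" "$ESP_AUTH_KEY"

    if [ -n "$use_ah" ]; then
        printf 'add %s %s ah 0x200 -A hmac-sha1 %s;\n' "$SRC" "$DST" "$AH_AUTH_KEY"
        printf 'add %s %s ah 0x300 -A hmac-sha1 %s;\n' "$DST" "$SRC" "$AH_AUTH_KEY"
        policy_out="$policy_out ah/transport//require"
        policy_in="$policy_in ah/transport//require"
    fi

    printf '\nspdadd %s %s any -P out ipsec %s;\n' "$SRC" "$DST" "$policy_out"
    printf 'spdadd %s %s any -P in ipsec %s;\n' "$DST" "$SRC" "$policy_in"
}

# count_sas SCRIPT -> number of "add" (SA) lines in a generated script,
# a quick check that the AH switch did what was asked.
count_sas() {
    printf '%s\n' "$1" | grep -c '^add '
}

# Stand-alone use: honour USE_AH from the environment, as an ifcfg file
# sourced by ifup would set it, and print the resulting script.
gen_setkey_script "$USE_AH"
```

Save the output to a file and load it with setkey -f on that file. Two points worth checking before relying on the ESP-only variant: the ESP SAs must keep their -A authentication algorithm, because an SA configured with -E alone provides confidentiality without integrity and is open to bit-flipping and padding attacks; and the reason AH fails across NAT is that its ICV covers the outer IP addresses, which NAT rewrites, whereas ESP's ICV covers only the ESP header, payload and trailer.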
Comment 1 Aleksandar Milivojevic 2005-05-19 16:18:37 EDT
Created attachment 114591
one way to do it
Comment 2 Bill Nottingham 2005-05-19 16:26:27 EDT

*** This bug has been marked as a duplicate of 122452 ***
