Bug 159343 - ifdown-ipsec doesn't handle more than one tunneled network between two hosts well
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: initscripts
Version: 4.0
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
QA Contact: Brock Organ
Reported: 2005-06-01 16:08 EDT by Sean E. Millichamp
Modified: 2014-03-16 22:54 EDT
Doc Type: Bug Fix
Last Closed: 2008-12-08 17:00:24 EST
Description Sean E. Millichamp 2005-06-01 16:08:04 EDT

Description of problem:
If you have two directly attached networks on server A that you want to IPSec tunnel to server B, you would need two config files:

ifcfg-net1 (on server A):
IKE_METHOD=PSK
DSTNET=192.168.2.0/24
SRCNET=192.168.1.0/24
DST=1.2.3.4
TYPE=IPSEC

Now, this works as it should (ignoring bug #146169 for a moment).

But if you add this:
ifcfg-net2 (on server A):
IKE_METHOD=PSK
DSTNET=192.168.2.0/24
SRCNET=10.10.10.0/24  <--- SRCNET changed
DST=1.2.3.4
TYPE=IPSEC

Now here is where you start to have problems.  You can 'ifup net1' and then 'ifup net2' without problems.  But then if you 'ifdown net1' then ifdown-ipsec removes the "include /etc/racoon/$DST.conf" line from /etc/racoon/racoon.conf which is still needed to support net2.

Since racoon gets HUPped, bringing down the one interface immediately starts to cause problems for the second interface.

There should be some mechanism to support this type of configuration.

Version-Release number of selected component (if applicable):
initscripts-7.93.11.EL-1

How reproducible:
Always

Steps to Reproduce:
1. Design tunnelled network as described above
2. ifup network1; ifup network2
3. ifdown network1
4. Try to access network2


Expected Results:  The RHEL IPSec implementation apparently supports this type of configuration without trouble.  The configuration scripts should handle this cleanly.

Additional info:

Until such time as this and other IPSec related initscript bugs get fixed I've decided to set up GRE tunnels and run them over a host-to-host IPSec connection.  I've tested it a little and it seems to work well.  This might be an acceptable workaround for anyone else hitting this as a problem.
Comment 1 Bill Nottingham 2005-09-21 17:10:07 EDT
Thanks for filing this report. I'm marking this bug as ASSIGNED since it's correctly assigned to me. However, this isn't very high in my priority queue, and is unlikely to get fixed in the very near future. If this issue is important to you, please contact Red Hat Support to get it escalated. Apologies for the inconvenience.

Comment 2 Miloslav Trmač 2006-11-14 20:49:14 EST
initscripts in Fedora development will support specifying KEYING=automatic without IKE_* to indicate the racoon configuration is managed manually and the scripts shouldn't touch racoon.conf.
Comment 3 Bill Nottingham 2008-12-08 17:00:24 EST
Closing as WONTFIX for RHEL 4; this is unlikely to ever change for RHEL 4, but it's fixed in later releases.
