Red Hat Bugzilla – Bug 159343
ifdown-ipsec doesn't handle more than one tunneled network between two hosts well
Last modified: 2014-03-16 22:54:18 EDT
Description of problem:
If you have two directly attached networks on server A that you want to IPSec tunnel to server B you would need two config files:
ifcfg-net1 (on server A):
Now, this works as it should (ignoring bug #146169 for a moment).
But if you add this:
ifcfg-net2 (on server A):
SRCNET=10.10.10.0/24 <--- SRCNET changed
Now here is where you start to have problems. You can 'ifup net1' and then 'ifup net2' without problems. But then if you 'ifdown net1' then ifdown-ipsec removes the "include /etc/racoon/$DST.conf" line from /etc/racoon/racoon.conf which is still needed to support net2.
Since racoon gets HUPped, bringing down the one interface immediately starts to cause problems for the second interface.
There should be some mechanism to support this type of configuration.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Design tunnelled network as described above
2. ifup network1; ifup network2
3. ifdown network1
4. Try to access network2
Expected Results: The RHEL IPSec implementation apparently supports this type of configuration without trouble. The configuration scripts should handle this cleanly.
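An added illustration of the check the report asks for, written here and not part of initscripts or this bug: before the include line is dropped, count the other tunnel configs that are still up to the same DST and keep the line while any remain. The ifcfg layout, the per-tunnel "up" marker directory, the peer address 192.0.2.1 and the racoon.conf contents are all constructed assumptions.

```shell
#!/bin/bash
# Illustration only (not the initscripts' ifdown-ipsec). Assumes each
# ifcfg-<name> file carries a DST= line and that an "up" marker file
# exists per active tunnel (a constructed stand-in for real state tracking).

# $1 = dir with ifcfg-* files, $2 = tunnel going down, $3 = marker dir.
# Prints how many OTHER still-up tunnels share this tunnel's DST.
other_tunnels_using_dst() {
    local cfgdir=$1 going_down=$2 updir=$3 dst count=0 f name
    dst=$(sed -n 's/^DST=//p' "$cfgdir/ifcfg-$going_down")
    [ -n "$dst" ] || { echo 0; return; }
    for f in "$cfgdir"/ifcfg-*; do
        name=${f##*/ifcfg-}
        [ "$name" = "$going_down" ] && continue
        [ -e "$updir/$name" ] || continue              # not currently up
        [ "$(sed -n 's/^DST=//p' "$f")" = "$dst" ] && count=$((count + 1))
    done
    echo "$count"
}

# $4 = racoon.conf path. Removes "include /etc/racoon/$DST.conf" only when
# no other active tunnel to that peer still depends on it.
safe_remove_include() {
    local cfgdir=$1 going_down=$2 updir=$3 conf=$4 dst
    dst=$(sed -n 's/^DST=//p' "$cfgdir/ifcfg-$going_down")
    if [ "$(other_tunnels_using_dst "$cfgdir" "$going_down" "$updir")" -eq 0 ]; then
        sed -i "\|^include /etc/racoon/$dst\.conf\$|d" "$conf"
        echo removed
    else
        echo kept
    fi
}

# Constructed sample: net1 and net2 both tunnel to the same peer and are up.
demo_setup() {
    local d=$1
    mkdir -p "$d/cfg" "$d/up"
    printf 'DST=192.0.2.1\nSRCNET=10.0.0.0/24\n'   > "$d/cfg/ifcfg-net1"
    printf 'DST=192.0.2.1\nSRCNET=10.10.10.0/24\n' > "$d/cfg/ifcfg-net2"
    printf 'include /etc/racoon/192.0.2.1.conf\n'  > "$d/racoon.conf"
    : > "$d/up/net1"
    : > "$d/up/net2"
}
```

Bringing net1 down with net2 still up prints "kept" and leaves the include line in place; bringing net2 down afterwards prints "removed".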
Until such time as this and other IPSec related initscript bugs get fixed I've decided to set up GRE tunnels and run them over a host-to-host IPSec connection. I've tested it a little and it seems to work well. This might be an acceptable workaround for anyone else hitting this as a problem.
Thanks for filing this report. I'm marking this bug as ASSIGNED since it's
correctly assigned to me. However, this isn't very high in my priority queue,
and is unlikely to get fixed in the very near future. If this issue is important
to you, please contact Red Hat Support to get it escalated. Apologies for the
initscripts in Fedora development will support specifying KEYING=automatic
without IKE_* to indicate the racoon configuration is managed manually and they
shouldn't touch racoon.conf.
Closing as WONTFIX for RHEL 4; this is unlikely to ever change for RHEL 4, but it's fixed in later releases.