From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Fedora/1.7.10-1.3.1

Description of problem:
There are some problems bringing up an IPSec VPN because of the following lines in ifup-ipsec:

== cut here ==
[ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"
[ "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] && KEY_AH_OUT=\"$KEY_AH_OUT\"
[ "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] && KEY_ESP_IN=\"$KEY_ESP_IN\"
[ "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] && KEY_ESP_OUT=\"$KEY_ESP_OUT\"
== and here ==

I myself use the ESP protocol, not AH, so the lines concerning any AH setting (keys, encryption protocols, etc.) are left blank. But, somewhere below these lines, in ifup-ipsec, there are lines like the following:

== cut here ==
# AH
${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
== and here ==

So if the variables KEY_AH_{IN,OUT} are set OK we add the right lines in the output we send to setkey. But if, say, KEY_AH_IN is null (or does not begin with "0x") then:

[ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"

...and $KEY_AH_IN is now set to '""', causing the following output to be sent to setkey:

== cut here ==
# AH
add $DST $SRC ah $SPI_AH_IN -A AH_PROTO_IN "";
add $SRC $DST ah $SPI_AH_OUT -A AH_PROTO_OUT "";
== and here ==

Of course, setkey will exit due to syntax errors and will fail to set the security policies which follow.

Version-Release number of selected component (if applicable):
initscripts-8.11.1-1 (FC4, current fedora core devel)

How reproducible:
Always

Steps to Reproduce:
1. Configure an ipsec tunnel in /etc/sysconfig/network-scripts/ifcfg-ipsec0 using one of the AH or ESP protocols;
2. run ifup ipsec0 as root;
3. run setkey -DP and notice that no policies are set.

Actual Results:
setkey exits prematurely due to syntax errors caused by misevaluation of some variables.

Expected Results:
The output:

== cut here ==
# AH
add $DST $SRC ah $SPI_AH_IN -A AH_PROTO_IN "";
add $SRC $DST ah $SPI_AH_OUT -A AH_PROTO_OUT "";
== and here ==

should never be generated (in our particular example) and setkey will finish its job.

Additional info:
The way the $KEY_ variables are evaluated has to be changed. These variables have to be hex strings (beginning with 0x) or double-quoted character strings, and the tests do check this, but a not-null test should also be performed. I also modified a version of ifup-ipsec to write everything it sends to setkey to a file (/tmp/ipsecvpn.setkey); it is available here: ftp://blackblue.iasi.rdsnet.ro/pub/various/i/ifup-ipsec-debug
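The quoting bug described in this report, as an added shell demonstration that is not part of the report or of initscripts: the buggy test beside a version with the missing not-null check, fed into the same ${KEY:+...} expansion ifup-ipsec uses. The helper names (quote_key_buggy, quote_key_fixed, ah_lines), the addresses, SPIs and the hmac-sha1 algorithm are constructed for the example.

```shell
#!/bin/sh
# Added demonstration of the ifup-ipsec key-quoting bug; helper names and
# sample values are constructed for this example, not taken from initscripts.

# Original ifup-ipsec test: a key that does not start with 0x is wrapped in
# double quotes. An empty key also does not start with 0x, so "" becomes the
# two-character string '""' and is no longer null.
quote_key_buggy() {
    key=$1
    [ "$key" = "${key##0x}" ] && key=\"$key\"
    printf '%s' "$key"
}

# Fixed test: quote only a non-null value that is not a hex string, so an
# unset AH key stays empty and the ${KEY:+...} expansions below stay silent.
quote_key_fixed() {
    key=$1
    [ -n "$key" ] && [ "$key" = "${key##0x}" ] && key=\"$key\"
    printf '%s' "$key"
}

# Generates the AH section of the setkey input the way ifup-ipsec does:
# ${VAR:+text} expands to text only when VAR is non-null.
# Arguments: SRC DST SPI_AH_IN SPI_AH_OUT AH_PROTO KEY_AH_IN KEY_AH_OUT
ah_lines() {
    SRC=$1 DST=$2 SPI_AH_IN=$3 SPI_AH_OUT=$4 AH_PROTO=$5
    KEY_AH_IN=$6 KEY_AH_OUT=$7
    {
        printf '%s\n' "${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A $AH_PROTO $KEY_AH_IN;}"
        printf '%s\n' "${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A $AH_PROTO $KEY_AH_OUT;}"
    } | sed '/^$/d'
}

# Same ifcfg input (ESP only, no AH keys) run through both versions.
# Command substitution drops trailing newlines, so an empty result means
# no AH lines were generated at all.
buggy_out=$(ah_lines 10.0.0.1 10.0.0.2 0x200 0x201 hmac-sha1 \
    "$(quote_key_buggy '')" "$(quote_key_buggy '')")
fixed_out=$(ah_lines 10.0.0.1 10.0.0.2 0x200 0x201 hmac-sha1 \
    "$(quote_key_fixed '')" "$(quote_key_fixed '')")

printf 'buggy ifup-ipsec sends setkey:\n%s\n' "$buggy_out"
printf 'fixed ifup-ipsec sends setkey:\n%s\n' "${fixed_out:-(no AH lines)}"
```

The buggy path emits two `add ... ah ... -A hmac-sha1 "";` lines with an empty key, which is the syntax error setkey stops on; the fixed path emits nothing for AH and lets the ESP and policy lines that follow be processed.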
Created attachment 117866
A quick fix that works

This is a patch for ifup-ipsec that also adds checking for $KEY_{AH,ESP}_{IN,OUT} against null values.
Furthermore, there is no support for NAT traversal. Not too hard to add, though. First, automatic keying is implied with NAT - only really an issue for the GUI. Second, the "nat_traversal on" statement must be included in the generated racoon file (trivial). Third, the policy requirement for AH must be removed - by testing for the presence of AH_KEY_IN/OUT just like in the manual keying section. I would think a variable like NAT=YES in ipsec-<my config> would be a good approach.

-Chris
Should be fixed in 8.34-1.
Hi all,

I think this is a good place to comment: initscripts-9.02.1-1.i686, Fedora 12. NAT support is not there yet. We have to add "nat_traversal on;" manually in ifup-ipsec. Disabling AH is easier by adding AH_PROTO=none in the ifcfg-ipsecX file.

best regards,
Giannis