Bug 166257 - ipsec VPN problems caused by some code in ifup-ipsec
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: initscripts
Version: rawhide
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Bill Nottingham
QA Contact: Brock Organ
Blocks: FC5Target
Reported: 2005-08-18 08:28 EDT by Tarhon-Onu Victor
Modified: 2014-03-16 22:55 EDT (History)
CC: 4 users
Fixed In Version: 8.34-1
Doc Type: Bug Fix
Last Closed: 2006-05-23 15:19:12 EDT

Attachments
A quick fix that works (910 bytes, patch)
2005-08-18 08:38 EDT, Tarhon-Onu Victor
Description Tarhon-Onu Victor 2005-08-18 08:28:41 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Fedora/1.7.10-1.3.1

Description of problem:
There are some problems bringing up an IPsec VPN because of the following lines in ifup-ipsec:
== cut here ==
     [ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"
     [ "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] && KEY_AH_OUT=\"$KEY_AH_OUT\"
     [ "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] && KEY_ESP_IN=\"$KEY_ESP_IN\"
     [ "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] && KEY_ESP_OUT=\"$KEY_ESP_OUT\"
== and here ==

I use the ESP protocol, not AH, so the lines concerning any AH setting (keys, encryption protocols, etc.) are left blank.

But, somewhere below these lines, in ifup-ipsec, there are lines like the following:
== cut here ==
# AH
${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
== and here ==
So if the variables KEY_AH_{IN,OUT} are set correctly, we add the right lines to the output we send to setkey. But if, say, KEY_AH_IN is null (or does not begin with "0x"), then:
[ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"
...and $KEY_AH_IN is now set to '""' causing the following output to be sent to setkey:
== cut here ==
# AH
add $DST $SRC ah $SPI_AH_IN -A  AH_PROTO_IN "";
add $SRC $DST ah $SPI_AH_OUT -A AH_PROTO_OUT "";
== and here ==

Of course, setkey will exit due to syntax errors and will fail to set the security policies which follow.

Version-Release number of selected component (if applicable):
initscripts-8.11.1-1 (FC4, current fedora core devel)

How reproducible:
Always

Steps to Reproduce:
1. Configure an IPsec tunnel in /etc/sysconfig/network-scripts/ifcfg-ipsec0 using one of the AH or ESP protocols;
2. run ifup ipsec0 as root;
3. run setkey -DP and notice that no policies are set.

Actual Results:  setkey exits prematurely due to syntax errors caused by mis-evaluation of some variables.

Expected Results:  The output:
== cut here ==
# AH
add $DST $SRC ah $SPI_AH_IN -A  AH_PROTO_IN "";
add $SRC $DST ah $SPI_AH_OUT -A AH_PROTO_OUT "";
== and here ==
should never be generated (in our particular example) and setkey will finish its job.


Additional info:

The way the $KEY_ variables are evaluated has to be changed. These variables have to be hex strings (beginning with 0x) or double-quoted character strings, and the tests do check this, but a not-null test should also be performed.

I also modified a version of ifup-ipsec to write everything it sends to setkey to a file (/tmp/ipsecvpn.setkey); it is available here: ftp://blackblue.iasi.rdsnet.ro/pub/various/i/ifup-ipsec-debug
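The following is an added example, not the initscripts ifup-ipsec script or the attached patch. It reproduces, in plain POSIX sh, the two steps the report describes: the quoting line that wraps a non-hex key in double quotes, and the `${KEY:+...}` template that emits the `add ... ah ...` line only when the key variable is non-empty. With an unset AH key the quoting step produces the two-character string `""`, which is non-empty and therefore passes the `:+` test, so a bogus line reaches setkey. The hardened variant adds the not-null check the report asks for. Function names, the "buggy"/"fixed" mode argument, and the addresses, SPI and algorithm used as sample input are all constructed for this example.

```shell
#!/bin/sh
# Added example (not the ifup-ipsec code): shows how an empty key is turned
# into '""' by the quoting step and then slips past ${KEY:+...}.
# All function names and sample values below are constructed.

# Quoting step as the report quotes it from ifup-ipsec: a key that does
# not start with 0x is wrapped in double quotes. No emptiness check, so
# an empty key becomes the two-character string "" (buggy behaviour).
quote_key_buggy() {
    _key=$1
    [ "$_key" = "${_key##0x}" ] && _key=\"$_key\"
    printf '%s' "$_key"
}

# Hardened variant: only quote a key that is non-empty and not hex.
# An empty key stays empty, so the ${KEY:+...} template below emits nothing.
quote_key_fixed() {
    _key=$1
    [ -n "$_key" ] && [ "$_key" = "${_key##0x}" ] && _key=\"$_key\"
    printf '%s' "$_key"
}

# One inbound AH SA line, built the way the report shows:
#   ${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A <proto> $KEY_AH_IN;}
# mode is "buggy" or "fixed"; remaining args: src dst spi proto rawkey.
# Returns the line that would be sent to setkey, or nothing if no key.
ah_add_line() {
    _mode=$1; _src=$2; _dst=$3; _spi=$4; _proto=$5; _rawkey=$6
    if [ "$_mode" = fixed ]; then
        _k=$(quote_key_fixed "$_rawkey")
    else
        _k=$(quote_key_buggy "$_rawkey")
    fi
    # Same :+ construct as ifup-ipsec: expands only when _k is non-empty.
    printf '%s' "${_k:+add $_dst $_src ah $_spi -A $_proto $_k;}"
}

# Demo with constructed values: an unset AH key (ESP-only configuration).
echo "buggy : $(ah_add_line buggy 10.0.0.1 10.0.0.2 0x200 hmac-md5 "")"
echo "fixed : $(ah_add_line fixed 10.0.0.1 10.0.0.2 0x200 hmac-md5 "")"
echo "hex   : $(ah_add_line fixed 10.0.0.1 10.0.0.2 0x200 hmac-md5 0xabcd)"
echo "string: $(ah_add_line fixed 10.0.0.1 10.0.0.2 0x200 hmac-md5 secret)"
```

The "buggy" line prints `add 10.0.0.2 10.0.0.1 ah 0x200 -A hmac-md5 "";`, which is the malformed line the report shows and which makes setkey abort before the policies that follow; the "fixed" line prints nothing, so setkey sees no AH entry at all. The hex and quoted-string cases are unchanged by the extra check, which is what makes it a safe addition.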
Comment 1 Tarhon-Onu Victor 2005-08-18 08:38:28 EDT
Created attachment 117866 [details]
A quick fix that works

This is a patch for ifup-ipsec that also adds checking of
$KEY_{AH,ESP}_{IN,OUT} against null values.
Comment 2 Chris Hapgood 2005-10-25 14:52:14 EDT
Furthermore, there is no support for NAT traversal.  Not too hard to add,
though.  First, automatic keying is implied with NAT - only really an issue for
the GUI.  Second, the "nat_traversal on" statement must be included in the
generated racoon file (trivial).  Third, the policy requirement for AH must be
removed - by testing for the presence of AH_KEY_IN/OUT just like in the manual
keying section.

I would think a variable like NAT=YES in ipsec-<my config> would be a good 
approach.

-Chris
Comment 3 Bill Nottingham 2006-05-23 15:19:12 EDT
Should be fixed in 8.34-1.
Comment 4 Kapetanakis Giannis 2010-02-07 09:28:18 EST
Hi all,

I think this is a good place to comment:

initscripts-9.02.1-1.i686
Fedora 12

NAT support is not there yet. We have to add manually in ifup-ipsec
nat_traversal on;

Disabling AH is easier by adding AH_PROTO=none in the ifcfg-ipsecX file.

best regards,

Giannis
