+++ This bug was initially created as a clone of Bug #122452 +++

Description of problem:
The IPSec VPN functionality within the Red Hat Linux ES distribution doesn't allow the configuration of VPN tunnels using ESP _or_ AH. It automatically creates a policy for both ESP and AH. Certain VPN servers like Netscreen and many others will accept either ESP or AH, but not both. In order to create a "lan to lan" VPN between a Netscreen VPN server and a Red Hat Linux ES server the following changes had to be made:

Lines 196 - 208 of /etc/sysconfig/network-scripts/ifup-ipsec contain the following:

=============================================
/sbin/setkey -c >/dev/null 2>&1 << EOF
spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;
spdadd $SRCNET $DSTNET any -P out ipsec esp/tunnel/$SRC-$DST/require ah/tunnel/$SRC-$DST/require ;
spdadd $DSTNET $SRCNET any -P in ipsec esp/tunnel/$DST-$SRC/require ah/tunnel/$DST-$SRC/require ;
EOF
=============================================

Make the following change to the above section (Lan2Lan):

=============================================
/sbin/setkey -c >/dev/null 2>&1 << EOF
spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;
spdadd $SRCNET $DSTNET any -P out ipsec esp/tunnel/$SRC-$DST/require ;
spdadd $DSTNET $SRCNET any -P in ipsec esp/tunnel/$DST-$SRC/require ;
EOF
=============================================

The above file changes will only affect "LAN to LAN" VPNs, as there are configuration directives for "Host to Host" VPNs as well. The following question could propose the way forward: is it possible that there should be a setting in the ifcfg-{interface} file that specifies whether or not ESP and AH should be used? i.e.

ESP=yes
AH=yes

Version-Release number of selected component (if applicable):
initscripts-7.31.9.EL-1

How reproducible:
Every time

Steps to Reproduce:
1. Create VPN between Red Hat Enterprise Linux ES and a hardware VPN device or any other VPN server.

Actual results:
Tunnels don't come up

Expected results:
Tunnels should come up

Additional info:
This is also a problem on Fedora Core 2 test3

-- Additional comment from splaice on 2004-11-12 22:16 EST --

I ran into this same problem except both end points for my VPNs are FC2 boxes. Updating ifup-ipsec not to add the AH entries to the SPD resolved the problem.

Configuration: two FC2 boxes, IKE=PSK, Network-to-Network tunnel.

-- Additional comment from alex on 2005-05-20 15:42 EST --

Created an attachment (id=114650)
Make AH and ESP optional

I've found a couple of problems with the previous patch.
- manual keying was buggy
- only ESP encryption with manual keying was possible (no auth)
- a couple of things cleaned up
- a couple of typos fixed

This version of the patch will allow encryption+auth with ESP. If the KEY_AESP variable is set (or separate keys for IN and OUT like all other keys), authentication keys for ESP will be added when manual keying is used. If both AH and ESP are used, authentication keys for ESP will be different from those for AH (for those that like to do things twice).

This patch is against initscripts 7.93.11. To make it fully work, at least the route fix from bug #146169 should also be added to the script. Optionally, the fix for overlapping networks might also be needed in some cases (bug #150862). It should be fairly trivial to incorporate those two fixes into this patch.

Also, I'm using ipsec-tools 0.5 (from http://people.redhat.com/notting/ipsec/). It seems that the new version of racoon wants the certificate type to be specified in the peers_certfile command. Added it into the patch (I don't know if old racoon allows the x509 keyword on the peers_certfile line, but the new one requires it). This change in configuration file syntax is not documented in the manual page; Bill might want to update it.

What else... Hm, nothing I could remember right now...

I'm on vacation next week, so I guess I will not bombard you with updated versions of the patch ;-)

-- Additional comment from alex on 2005-05-20 16:25 EST --

Created an attachment (id=114653)
AH/ESP option + route + overlapping networks patch

This is what I actually use currently. It has fixes for routes and overlapping networks included (well, Bill doesn't really like this approach for overlapping networks, but it is easy to change to whatever will be the final solution).
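As an added example, not code from initscripts or from any of the patches attached to this bug, the POSIX shell function below shows how the LAN-to-LAN SPD policy from the description could be generated from ESP=yes / AH=yes style settings, so that the script requires ESP only, AH only, or both, instead of always requiring both. The function name build_spd_policy, the positional argument order, and the sample addresses are assumptions made for this example. It refuses to emit a policy when neither protocol is enabled, because a policy line with no ipsec protocol would silently leave the tunnel traffic unprotected rather than fail the interface bring-up.

```shell
#!/bin/sh
# Added example, not code from initscripts or the attached patches.
# Builds the setkey SPD entries for a LAN-to-LAN tunnel from ESP=/AH=
# style settings (the ESP=yes / AH=yes idea from the bug report).
# The function name and argument order are assumptions for this example.
#
# usage: build_spd_policy SRC DST SRCNET DSTNET [ESP] [AH]
#   SRC/DST        tunnel endpoint addresses
#   SRCNET/DSTNET  networks behind each endpoint
#   ESP/AH         "yes" or "no"; ESP defaults to yes, AH to no
# Prints the setkey commands on stdout; returns 1 if neither protocol is
# enabled, so a misconfiguration fails loudly instead of installing a
# policy that protects nothing.
build_spd_policy() {
    src=$1 dst=$2 srcnet=$3 dstnet=$4
    esp=${5:-yes} ah=${6:-no}
    out_proto="" in_proto=""

    # ESP comes first, as in the original script; each protocol is its own
    # <proto>/tunnel/<local>-<remote>/require element, space separated.
    if [ "$esp" = yes ]; then
        out_proto="esp/tunnel/$src-$dst/require"
        in_proto="esp/tunnel/$dst-$src/require"
    fi
    if [ "$ah" = yes ]; then
        out_proto="${out_proto:+$out_proto }ah/tunnel/$src-$dst/require"
        in_proto="${in_proto:+$in_proto }ah/tunnel/$dst-$src/require"
    fi
    if [ -z "$out_proto" ]; then
        echo "build_spd_policy: neither ESP nor AH enabled for $srcnet-$dstnet" >&2
        return 1
    fi

    # Remove any stale policy for this pair first, then install the new one.
    printf 'spddelete %s %s any -P out;\n' "$srcnet" "$dstnet"
    printf 'spddelete %s %s any -P in;\n'  "$dstnet" "$srcnet"
    printf 'spdadd %s %s any -P out ipsec %s;\n' "$srcnet" "$dstnet" "$out_proto"
    printf 'spdadd %s %s any -P in ipsec %s;\n'  "$dstnet" "$srcnet" "$in_proto"
}

# Demo with constructed documentation-range addresses: ESP only, which is
# the setting the Netscreen case in the report needs.
build_spd_policy 192.0.2.1 198.51.100.1 10.0.1.0/24 10.0.2.0/24 yes no
```

To install the generated policy, the output would be piped into `/sbin/setkey -c` the same way the heredoc in ifup-ipsec does; the example only prints it so the result can be inspected and compared against what the peer device accepts.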
Bill Nottingham wrote:
> Is it possible that there should be a setting in the ifcfg-
> {interface} file that specifies whether or not ESP and AH should be
> used?

Of course it is. I sent a patch months ago that does exactly that (I believe it was against RHEL4 and clones). It allows the use of either AH, or ESP, or both. It also cleans up ifup-ipsec and ifdown-ipsec considerably by using conditional variable substitutions (the old scripts used them too, but not everywhere they could be used, resulting (if I remember correctly) in some duplicated code that started showing the first signs of inconsistencies).

I do remember that it worked very nicely with small Linksys VPN routers on the other end (they support either AH or ESP, but not both), however I haven't been using it lately. Lately I was mostly doing Linux-to-Linux VPNs, and because of the bugs in Netfilter moved to the IPSec over GRE approach (with a completely new set of scripts). I liked having interfaces I can route to so much, I'm using that approach wherever possible. The 2.6 kernel's hidden/implicit IPSec routing simply sucks. Complicates things too much without any real benefit.

If anybody is interested, I might even start working on a version of the patch that would also allow one to configure GRE and/or IPSec over GRE in ifcfg-* files, which could possibly add a whole new area of interoperability with big Cisco routers ;-)
Ah, I just realized the above was not what Notting wrote, it was from the original bug report. Ah, shame on me, and so on, and so forth O:-) Anyhow, I believe the change is small enough to be incorporated as a patch against EL4 and recent Fedora releases. Don't see why EL3 would be a show stopper for EL4.
Fixed in CVS. Thanks for the patch!
Built as 8.36-1.