Red Hat Bugzilla – Bug 201853
insecure aggressive mode is preferred against more secure main mode in generated configuration
Last modified: 2014-03-16 23:01:20 EDT
Description of problem:
By ifup-ipsec created peer configuration, insecure aggressive mode is preferred
against more secure main mode.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create /etc/sysconfig/network-scripts/ifcfg-ipsec0 like
2. ifup ipsec0
exchange_mode aggressive, main;
dh_group 2 ;
exchange_mode main, aggressive;
Any good reason why the order is "aggressive, main"?
If 2 hosts now using the same setup scripts (e.g. both are RH powered),
aggressive mode would be used.
Also it would be good if this can be controlled by a configuration parameter, e.g.
BTW: would be great if other parameters would also be optionally configurable, e.g.
- dh_group (2 = 1024 is also not so secure than upper ones).
Note also that for automatic keying, neither AH nor ESP can be selected for
phase 2 (IPsec negotiation) and will always default to "sha1" and "3des-cbc"
Topology part is completly missing in configuration like:
sainfo address 126.96.36.199 any address 188.8.131.52 any
lifetime time 1 hour;
authentication_algorithm hmac_md5 ;
compression_algorithm deflate ;
It's done to decrease connection overhead; I can see making it a configuration
parameter. However, I suspect the more complex of an ipsec configuration you
have, the more likely it is that you should just edit raccoon.conf directly.
Hmm, at least phase 2 should be supported in some way. Problem is, if I apply
changes to the file 192.0.2.1.conf directly, they are overwritten, if
ifcfg-ipsec0 is changed.
And if I setup my own racoon.conf file, I run into the problem, that there is no
standalone start script provided for racoon - and as I had to learn from
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136901 this is a feature
and not a bug...
Created attachment 133921 [details]
patch which adds support for some more IPsec parameters
Following variables are now supported (and shown with an example):
Some forgotten comments:
- patch is successfully tested in host-to-host mode, can't currently test for
- patch cotains also a fix that prevents creation of dedicated conf file with
standard umask permissions 0644, it reduces this to 0600 like racoon.conf has set
- if no of the new introduced parameters are given, still a topology would be
created. This was shown as compatible here to a still unpatched ifup-ipsec file.
But for clean backward compatibility, I will now provide a new version which
explictly only creates topology, if one or more new introduced IPSEC* parameters
Created attachment 133924 [details]
patch which adds support for some more IPsec parameters #2
This is unlikely to change for RHEL 4 at this point. I'm cloning this bug for the development stream.