Description of problem:
In the peer configuration created by ifup-ipsec, the insecure aggressive mode is preferred over the more secure main mode.

Version-Release number of selected component (if applicable):
ipsec-tools-0.3.3-6.rhel4.1 (RHEL)
ipsec-tools-0.6.4-1.1 (FC5)

How reproducible:
Always

Steps to Reproduce:
1. Create /etc/sysconfig/network-scripts/ifcfg-ipsec0 like
   SRC=192.0.2.1
   DST=192.0.2.2
   TYPE=IPSEC
   IKE_METHOD=PSK
   IKE_PSK=secret
2. ifup ipsec0

Actual results:
remote 192.0.2.2
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

Expected results:
remote 192.0.2.2
{
        exchange_mode main, aggressive;
        ...

Additional info:
Is there any good reason why the order is "aggressive, main"? If two hosts are now using the same setup scripts (e.g. both are RH powered), aggressive mode would be used. It would also be good if this could be controlled by a configuration parameter, e.g. IKE_MODE=aggressive|main|any
BTW: it would be great if other parameters were also optionally configurable, e.g.
- dh_group (2 = 1024 bits is also not as secure as the higher ones).
- lifetime

Note also that for automatic keying, neither AH nor ESP can be selected for phase 2 (IPsec negotiation); they will always default to "sha1" and "3des-cbc".

The topology part is completely missing from the configuration, e.g.:
# host-to-host
sainfo address 192.0.1.1 any address 192.0.1.2 any
{
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
It's done to decrease connection overhead; I can see making it a configuration parameter. However, I suspect that the more complex an IPsec configuration you have, the more likely it is that you should just edit racoon.conf directly.
Hmm, at least phase 2 should be supported in some way. The problem is that if I apply changes to the file 192.0.2.1.conf directly, they are overwritten if ifcfg-ipsec0 is changed. And if I set up my own racoon.conf file, I run into the problem that there is no standalone start script provided for racoon, and as I had to learn from https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136901, this is a feature and not a bug...
Created attachment 133921 [details]
patch which adds support for some more IPsec parameters

The following variables are now supported (shown with an example):
IKE_EXCHANGE_MODE=main
IKE_DH_GROUP=5
IPSEC_ESP_PROTO=aes128
IPSEC_AH_PROTO=hmac_sha1
IPSEC_LIFETIME="1 hour"
IPSEC_PFS_GROUP=5
Some forgotten comments:
- The patch is successfully tested in host-to-host mode; I can't currently test net-to-net mode.
- The patch also contains a fix that prevents creation of the dedicated conf file with standard umask permissions 0644; it reduces this to 0600, like racoon.conf has set.
- If none of the newly introduced parameters are given, a topology would still be created. This was shown to be compatible here with a still unpatched ifup-ipsec file. But for clean backward compatibility, I will now provide a new version which explicitly only creates the topology if one or more of the newly introduced IPSEC* parameters are given.
Created attachment 133924 [details]
patch which adds support for some more IPsec parameters #2
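As an added illustration of the points raised in this report (the exchange_mode ordering, the tunable phase 1/phase 2 parameters, the missing sainfo topology and the 0644 file mode), here is a small POSIX shell generator for the per-peer racoon configuration. It is not the Red Hat ifup-ipsec script and not the attached patch; the variable names are the ones proposed above, but how they are mapped onto racoon.conf directives here, the default values and the function names gen_peer_conf/write_peer_conf are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not ifup-ipsec and not the patch attached to this bug):
# build the per-peer racoon configuration from ifcfg-style variables so
# that main mode is preferred or required, the phase 1 DH group and the
# phase 2 parameters are tunable, and the file is created mode 0600.

# gen_peer_conf SRC DST
#   Prints the "remote" (phase 1) and "sainfo" (phase 2) blocks on stdout.
#   Tunables come from the environment (names as proposed on this bug,
#   defaults chosen here):
#     IKE_EXCHANGE_MODE  main|aggressive|any   (default: main)
#     IKE_DH_GROUP       phase 1 DH group      (default: 2, as ifup-ipsec emits)
#     IPSEC_ESP_PROTO    phase 2 cipher        (default: 3des)
#     IPSEC_AH_PROTO     phase 2 integrity     (default: hmac_sha1)
#     IPSEC_LIFETIME     phase 2 SA lifetime   (default: "1 hour")
#     IPSEC_PFS_GROUP    phase 2 PFS group     (default: unset, no pfs_group)
gen_peer_conf() {
    src=$1
    dst=$2
    mode=${IKE_EXCHANGE_MODE:-main}
    dh=${IKE_DH_GROUP:-2}
    esp=${IPSEC_ESP_PROTO:-3des}
    ah=${IPSEC_AH_PROTO:-hmac_sha1}
    life=${IPSEC_LIFETIME:-"1 hour"}
    pfs=${IPSEC_PFS_GROUP:-}

    # racoon initiates with the first listed mode and, as responder, accepts
    # every listed mode. "main" alone refuses aggressive mode in both
    # directions; "any" keeps the fallback but puts main first, which is the
    # ordering the report asks for.
    case "$mode" in
        main)       modes="main" ;;
        aggressive) modes="aggressive" ;;
        any)        modes="main, aggressive" ;;
        *)
            echo "gen_peer_conf: unknown IKE_EXCHANGE_MODE '$mode'" >&2
            return 1 ;;
    esac

    cat <<EOF
remote $dst
{
    exchange_mode $modes;
    my_identifier address;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group $dh;
    }
}

# host-to-host phase 2 policy (the topology part ifup-ipsec leaves out)
sainfo address $src any address $dst any
{
    lifetime time $life;
EOF
    if [ -n "$pfs" ]; then
        echo "    pfs_group $pfs;"
    fi
    cat <<EOF
    encryption_algorithm $esp;
    authentication_algorithm $ah;
    compression_algorithm deflate;
}
EOF
}

# write_peer_conf PATH SRC DST
#   Writes the configuration to PATH with mode 0600 instead of the default
#   umask result (0644), matching the permissions of racoon.conf.
write_peer_conf() {
    path=$1
    shift
    ( umask 077 && gen_peer_conf "$@" > "$path" )
}

# Stand-alone demo with the addresses used in the report.
gen_peer_conf 192.0.2.1 192.0.2.2
```

With no variables set the output contains "exchange_mode main;" only, so a peer that insists on aggressive mode is rejected rather than silently accommodated; setting IKE_EXCHANGE_MODE=any reproduces the "main, aggressive" ordering from the Expected results above.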
This is unlikely to change for RHEL 4 at this point. I'm cloning this bug for the development stream.