Description of problem:
RedHat's sysconfig scripts mix up PHASE 1 and PHASE 2 of IPsec SA. AH_PROTO and ESP_PROTO are used ONLY during PHASE 2 of IPsec SA. Nonetheless, RedHat uses the values of these variables to configure both PHASE 1 and PHASE 2 of IPsec SA. In addition, if AH_PROTO or ESP_PROTO are set to "none", RedHat scripts will change them to sha1 and 3des, since you need both authentication and encryption for ISAKMP.

The downside of this approach is that because of this mixup, you simply cannot disable AH or ESP. Since ESP also supports authentication, there are cases where you don't want AH for that purpose. Even stronger, since AH can be problematic with endpoints behind NAT, AH simply isn't suitable in some cases. Cisco even chose to completely drop AH support in recent versions of their PIX firewall software, so currently it is virtually impossible to create an IPsec VPN between a RHEL 5 and a recent Cisco PIX device.

Version-Release number of selected component (if applicable):
ipsec-tools-0.6.5-8.el5

How reproducible:
100%

Steps to Reproduce:
1. Try to set up an IPsec tunnel between RHEL5 and Cisco PIX >= 7 (which no longer supports AH).

Actual results:
RHEL racoon/sysconfig force the use of both ESP and AH, which is rejected by the Cisco PIX device.

Expected results:
RHEL racoon/sysconfig scripts should allow using either only AH or only ESP, or both AH and ESP. Currently, only the latter is possible.

Additional info:
Created attachment 160975 [details] This patch adds configuration parameters for authentication and encryption algorithms used during PHASE 1 of IPsec SA.
This bug is actually in the initscripts package, since it contains /etc/sysconfig/network-scripts/ifup-ipsec. Version: initscripts-8.45.14.EL-1
*** Bug 435445 has been marked as a duplicate of this bug. ***
Confirmed this problem with Centos-5.2 (which should be close enough to EL5 since this is just a script) and Netgear FVS318v3. Attached patch fixes the problem, and now the VPN is up. Even works with the linux box behind a NAT firewall. I found it useful to log setkey input to a file. I'm not sure how to make that robust for general users, however.
I had to apply this patch so that I could connect a redhat box with racoon installed on it to a 5.2 box with openswan on it (to disable AH).
AH_PROTO=none doesn't work?
*** Bug 489974 has been marked as a duplicate of this bug. ***
*** Bug 489940 has been marked as a duplicate of this bug. ***
I've committed a slightly modified version of this to HEAD. It adds some docs, and allows IKE_{ENC,AUTH} to inherit values from existing configurations if they're not set.
Upstream commit is: http://git.fedorahosted.org/git/?p=initscripts.git;a=commitdiff;h=0199e4c50803bcbf7705a630df24b3291acea838
Please test the erratum candidate: http://people.redhat.com/harald/downloads/initscripts/initscripts-8.45.26.1.el5/
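To make the phase-1/phase-2 mix-up concrete, here is an added shell sketch (not the initscripts ifup-ipsec code) contrasting the behaviour the report describes with the fixed behaviour as the thread describes it. The function names, the 3des/sha1 fallbacks and the setkey-style policy strings are my assumptions; only the variable names come from the report.

```shell
#!/bin/sh
# Toy model of the algorithm-selection logic this report is about; an added
# illustration, not the code of initscripts' ifup-ipsec. AH_PROTO, ESP_PROTO,
# IKE_ENC and IKE_AUTH are the variable names from the report; sha1/3des are the
# substitutes the report says were forced in; policy strings use setkey's
# spdadd syntax (assumption).

# Phase-2 (IPsec SA) policy: only protocols not set to "none" are required.
phase2_policy() {
    ah=$1 esp=$2 pol=
    [ "$esp" = none ] || pol="esp/transport//require"
    [ "$ah" = none ] || pol="$pol${pol:+ }ah/transport//require"
    printf '%s' "$pol"
}

# Reported behaviour: phase 1 (ISAKMP) needs both an encryption and an
# authentication algorithm, so "none" is rewritten to a real algorithm, and
# because the same two variables then also drive phase 2, AH (or ESP) can
# never actually be disabled.
old_select() {
    ah=$1 esp=$2
    case $ah  in ''|none) ah=sha1 ;; esac
    case $esp in ''|none) esp=3des ;; esac
    printf 'ike=%s/%s policy=%s\n' "$esp" "$ah" "$(phase2_policy "$ah" "$esp")"
}

# Fixed behaviour, modelled on the committed change as the thread describes it:
# phase 1 takes IKE_ENC/IKE_AUTH, inheriting from ESP_PROTO/AH_PROTO only when
# those are usable, and the "none" values reach phase 2 untouched.
new_select() {
    ah=$1 esp=$2 ike_enc=$3 ike_auth=$4
    [ -n "$ike_enc" ]  || ike_enc=$esp
    [ -n "$ike_auth" ] || ike_auth=$ah
    case $ike_enc  in ''|none) ike_enc=3des ;; esac
    case $ike_auth in ''|none) ike_auth=sha1 ;; esac
    printf 'ike=%s/%s policy=%s\n' "$ike_enc" "$ike_auth" \
        "$(phase2_policy "$ah" "$esp")"
}

# ESP-only tunnel (what a PIX >= 7 or a NAT-traversed peer needs), both ways:
old_select none 3des   # AH silently comes back
new_select none 3des   # AH stays off, phase 1 still gets 3des/sha1
```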
~~ Attention - RHEL 5.4 Beta Released! ~~ RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner! If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity. Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value. Questions can be posted to this bug or your customer or partner representative.
Hello guys, thanks for looking into this problem. Unfortunately, I am no longer working for the employer where I ran into this issue, and currently lacking hardware to test this. Maybe the reporter of #489940 can confirm if this fixes his problem?
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1344.html
Came across this bug when trying to setup IPsec to a NetApp device, which only supports either AH or ESP, and can confirm that it works with this fix.