Bug 251494 - Cannot use IPsec tools with ESP or AH only
Summary: Cannot use IPsec tools with ESP or AH only
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: initscripts   
Version: 5.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: initscripts Maintenance Team
QA Contact: Brock Organ
Duplicates: 435445 489940
Depends On:
Reported: 2007-08-09 13:24 UTC by Stijn Tintel
Modified: 2018-10-20 02:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-09-02 11:14:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
This patch adds configuration parameters for authentication and encryption algorithms used during PHASE 1 of IPsec SA. (6.58 KB, patch)
2007-08-09 13:24 UTC, Stijn Tintel

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:1344 normal SHIPPED_LIVE initscripts bug fix update 2009-09-01 10:44:36 UTC

Description Stijn Tintel 2007-08-09 13:24:46 UTC
Description of problem:
RedHat's sysconfig scripts mix up PHASE 1 and PHASE 2 of IPsec SA. AH_PROTO and
ESP_PROTO are used ONLY during PHASE 2 of IPsec SA. Nonetheless, RedHat uses the
values of these variables to configure both PHASE 1 and PHASE 2 of IPsec SA. In
addition, if AH_PROTO or ESP_PROTO are set to "none", RedHat scripts will change
them to sha1 and 3des, since you need both authentication and encryption for ISAKMP.

The downside of this approach is that because of this mixup, you simply cannot
disable AH or ESP. Since ESP also supports authentication, there are cases where
you don't want AH for that purpose. Even stronger, since AH can be problematic
with endpoints behind NAT, AH simply isn't suitable in some cases. Cisco even
chose to completely drop AH support in recent versions of their PIX firewall
software, so currently it is virtually impossible to create an IPsec VPN between
a RHEL 5 and a recent Cisco PIX device.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Try to set up an IPsec tunnel between RHEL5 and Cisco PIX >= 7 (which no
longer supports AH).
Actual results:
RHEL racoon/sysconfig force the use of both ESP and AH, which is rejected by the
Cisco PIX device.

Expected results:
RHEL racoon/sysconfig scripts should allow using either only AH or only ESP, or
both AH and ESP. Currently, only the latter is possible.

Additional info:

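The report draws a distinction that the scripts collapse: AH_PROTO and ESP_PROTO describe the phase 2 (IPsec SA) protocols and algorithms, while the phase 1 (ISAKMP) SA needs its own encryption and hash algorithms and cannot be "none". The POSIX shell below is an added example written for this page; it is not the initscripts ifup-ipsec code and not the attached patch. It models the legacy behaviour described above (a "none" value silently rewritten to the ISAKMP default, so both ESP and AH always land in the policy) next to the separated behaviour, where phase 1 takes IKE_ENC/IKE_AUTH and only falls back to the phase 2 values when those are usable. The function names, the `proto=algorithm` output format and the single shared algorithm names (the real racoon and setkey names differ and would need mapping) are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration for bug 251494: a model of the phase 1 / phase 2 split,
# not the RHEL initscripts ifup-ipsec code. The variable names ESP_PROTO,
# AH_PROTO, IKE_ENC and IKE_AUTH come from the report; the function names and
# the "proto=algorithm" output format are assumptions made for this example.

# Legacy behaviour described in the report: "none" is rewritten to the ISAKMP
# defaults (3des / sha1), so the phase 2 policy always requires both ESP and AH.
# $1 = ESP_PROTO, $2 = AH_PROTO
legacy_phase2_policy() {
    esp_proto="$1"; ah_proto="$2"
    case "$esp_proto" in ""|none) esp_proto=3des ;; esac
    case "$ah_proto"  in ""|none) ah_proto=sha1 ;; esac
    echo "esp=$esp_proto ah=$ah_proto"
}

# Phase 1 (ISAKMP) proposal. IKE_ENC / IKE_AUTH are used as given; when unset,
# they inherit from ESP_PROTO / AH_PROTO only if that value is usable, and
# otherwise fall back to 3des / sha1. A "none" here never reaches the proposal.
# $1 = IKE_ENC, $2 = IKE_AUTH, $3 = ESP_PROTO, $4 = AH_PROTO
phase1_proposal() {
    ike_enc="$1"; ike_auth="$2"; esp_proto="$3"; ah_proto="$4"
    if [ -z "$ike_enc" ]; then
        case "$esp_proto" in ""|none) ike_enc=3des ;; *) ike_enc="$esp_proto" ;; esac
    fi
    if [ -z "$ike_auth" ]; then
        case "$ah_proto" in ""|none) ike_auth=sha1 ;; *) ike_auth="$ah_proto" ;; esac
    fi
    echo "encryption_algorithm $ike_enc; hash_algorithm $ike_auth;"
}

# Phase 2 (IPsec SA) policy. "none" drops that protocol instead of defaulting it,
# so ESP-only and AH-only become possible; both "none" is an error, because an
# IPsec SA with neither protocol protects nothing.
# $1 = ESP_PROTO, $2 = AH_PROTO
phase2_policy() {
    esp_proto="$1"; ah_proto="$2"; policy=""
    case "$esp_proto" in ""|none) ;; *) policy="esp=$esp_proto" ;; esac
    case "$ah_proto"  in ""|none) ;; *) policy="${policy:+$policy }ah=$ah_proto" ;; esac
    if [ -z "$policy" ]; then
        echo "ESP_PROTO and AH_PROTO cannot both be none" >&2
        return 1
    fi
    echo "$policy"
}

# Demonstration: a peer that accepts ESP only (the PIX / NAT case from the report).
echo "legacy phase 2: $(legacy_phase2_policy 3des none)"
echo "fixed phase 2:  $(phase2_policy 3des none)"
echo "phase 1:        $(phase1_proposal "" "" 3des none)"
```

With ESP_PROTO=3des and AH_PROTO=none, the legacy function still emits `esp=3des ah=sha1`, which is exactly the policy a peer without AH support rejects; the separated functions emit `esp=3des` for phase 2 while phase 1 keeps a complete `3des`/`sha1` proposal.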
Comment 1 Stijn Tintel 2007-08-09 13:24:46 UTC
Created attachment 160975 [details]
This patch adds configuration parameters for authentication and encryption algorithms used during PHASE 1 of IPsec SA.

Comment 2 Stijn Tintel 2007-08-09 13:53:27 UTC
This bug is actually in the initscripts package, since they contain

Version: initscripts-8.45.14.EL-1

Comment 3 Bill Nottingham 2008-02-29 15:16:14 UTC
*** Bug 435445 has been marked as a duplicate of this bug. ***

Comment 4 Stuart D Gathman 2008-07-15 18:42:56 UTC
Confirmed this problem with Centos-5.2 (which should be close enough to EL5
since this is just a script) and Netgear FVS318v3.  Attached patch fixes the
problem, and now the VPN is up.  Even works with the Linux box behind a NAT.

I found it useful to log setkey input to a file.  I'm not sure how to make that
robust for general users, however.

Comment 5 James Dennis 2008-07-17 18:44:54 UTC
I had to apply this patch so that I could connect a redhat box with racoon
installed on it to a 5.2 box with openswan on it (to disable AH).

Comment 6 Joe Nall 2008-11-17 21:57:40 UTC
doesn't work?

Comment 7 Bill Nottingham 2009-03-12 21:03:30 UTC
*** Bug 489974 has been marked as a duplicate of this bug. ***

Comment 8 Bill Nottingham 2009-03-12 21:04:11 UTC
*** Bug 489940 has been marked as a duplicate of this bug. ***

Comment 9 Bill Nottingham 2009-03-20 17:14:21 UTC
I've committed a slightly modified version of this to HEAD. It adds some docs, and allows IKE_{ENC,AUTH} to inherit values from existing configurations if they're not set.

Comment 12 Harald Hoyer 2009-05-05 12:50:47 UTC
Please test the erratum candidate:

Comment 14 Chris Ward 2009-07-03 17:57:39 UTC
~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.

Comment 15 Stijn Tintel 2009-07-14 10:16:05 UTC
Hello guys, thanks for looking into this problem. Unfortunately, I am no longer working for the employer where I ran into this issue, and currently lacking hardware to test this.

Maybe the reporter of #489940 can confirm if this fixes his problem?

Comment 18 errata-xmlrpc 2009-09-02 11:14:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Comment 20 Adam Huffman 2012-05-18 10:54:21 UTC
Came across this bug when trying to setup IPsec to a NetApp device, which only supports either AH or ESP, and can confirm that it works with this fix.
