Bug 432821 - left/rightsourceip tags not working
Summary: left/rightsourceip tags not working
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan
Version: 5.2
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Assignee: Karl Wirth
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 253052
Reported: 2008-02-14 16:37 UTC by Janne Karhunen
Modified: 2013-08-06 00:43 UTC (History)
Last Closed: 2008-05-21 15:29:02 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0395 normal SHIPPED_LIVE new package: openswan 2008-05-19 23:09:47 UTC

Description Janne Karhunen 2008-02-14 16:37:01 UTC
Description of problem:

Left/rightsourceip tags for ipsec.conf don't seem to work. These are required to
easily set up gateway-to-gateway communications.


Version-Release number of selected component (if applicable):

openswan-doc-2.6.07-2.el5
openswan-2.6.07-2.el5


How reproducible:

Always


Steps to Reproduce:
1. Configure network-to-network setup using configuration below
2. Start the connection and verify it
3. Notice that even if 'leftsourceip' and 'rightsourceip' are given, neither ping
nor data goes between the gateway nodes without manually binding the
application to the local interface (ping -I, ssh -b, etc.). Given the bind, it
works as expected.

conn netnet
        left=192.168.76.31
        leftsourceip=172.16.112.1
        leftsubnet=172.16.112.0/24
        leftid=@a.example.com
        leftrsasigkey=0sAQNiYzAa..
        leftnexthop=192.168.79.254
        right=192.168.79.138
        rightsourceip=192.168.154.1
        rightsubnet=192.168.154.0/24
        rightid=@b.example.com
        rightrsasigkey=0sAQOMrBsIu3K..
        rightnexthop=192.168.79.254
        authby=rsasig
        auto=add

One more interesting thing: seems that once given the bind address ping itself
does not obey ctrl+c (on serial console at least) and has to be killed (state S+).
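
The following check is an added example for this report, not code from the reporter or from openswan: it verifies that the route _updown.netkey installs for the peer subnet carries the "src" hint taken from leftsourceip=. Without that hint, locally originated traffic on the gateway uses its outer address (192.168.76.31 here) as source, which is outside leftsubnet and therefore never matches the tunnel policy; only applications bound explicitly to 172.16.112.1 (ping -I, ssh -b) get through, which is the symptom described above. The `ip route show` samples are constructed from the addresses in the conn above.

```shell
#!/bin/sh
# Verify the "src" hint on the route to rightsubnet (added example).

# Constructed `ip route show` output on gateway "a": first the broken state
# (peer-subnet route without src), then the expected state once the
# _updown.netkey fix is in place.
ROUTES_BROKEN='default via 192.168.79.254 dev eth0
192.168.154.0/24 via 192.168.79.254 dev eth0
172.16.112.0/24 dev eth1  proto kernel  scope link  src 172.16.112.1'

ROUTES_FIXED='default via 192.168.79.254 dev eth0
192.168.154.0/24 via 192.168.79.254 dev eth0  src 172.16.112.1
172.16.112.0/24 dev eth1  proto kernel  scope link  src 172.16.112.1'

# route_src ROUTES DEST
# Print the src address of the route whose destination is exactly DEST;
# print nothing if there is no such route or it carries no src hint.
route_src() {
    printf '%s\n' "$1" | awk -v dest="$2" '
        $1 == dest {
            for (i = 2; i <= NF; i++)
                if ($i == "src") { print $(i + 1); exit }
        }'
}

# check_sourceip ROUTES RIGHTSUBNET LEFTSOURCEIP
# Succeed only if the route to RIGHTSUBNET uses LEFTSOURCEIP as its source,
# i.e. leftsourceip= actually took effect in the kernel routing table.
check_sourceip() {
    [ "$(route_src "$1" "$2")" = "$3" ]
}

# On a live gateway with the conn up (assumed, not shown here) run:
#   check_sourceip "$(ip route show)" 192.168.154.0/24 172.16.112.1 \
#       && echo "leftsourceip route OK" || echo "leftsourceip route MISSING"
```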

Comment 1 Paul Wouters 2008-02-22 16:36:23 UTC
We noticed this issue as well. It seems it is related to the _updown.netkey
script. When adding a "set -x" to investigate, we notice it is complaining about
some weird "\134" character. We verified the script is pure ASCII, so we are
somewhat confused right now as to what the real issue is.

Comment 2 Paul Wouters 2008-02-24 14:46:40 UTC
Note that in 2.6.24, the "ip route replace" command seems to be broken. At
least, according to
http://www.shorewall.net/pub/shorewall/4.0/shorewall-4.0.9/releasenotes.txt

This might not be our bug.

Comment 3 Paul Wouters 2008-02-24 23:52:32 UTC
The leftsourceip= bug has been found. It will be fixed in 2.5.17 and 2.6.08,
which will be released Mon Feb 25 (tomorrow).

Quick fix is to change _updown.netkey/*in and remove all the code in the
"prepare-client" case. This is a leftover from KLIPS (_updown.klips)

Comment 9 Paul Wouters 2008-04-22 00:27:27 UTC
This accidentally got re-introduced, and is fixed in openswan 2.6.12.

Comment 15 errata-xmlrpc 2008-05-21 15:29:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0395.html


