Bug 432821 - left/rightsourceip tags not working
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan (Show other bugs)
5.2
All Linux
high Severity medium
: rc
: ---
Assigned To: Karl Wirth
Depends On:
Blocks: 253052
Reported: 2008-02-14 11:37 EST by Janne Karhunen
Modified: 2013-08-05 20:43 EDT (History)

See Also:
Fixed In Version: RHBA-2008-0395
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 11:29:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Janne Karhunen 2008-02-14 11:37:01 EST
Description of problem:

Left/rightsourceip tags for ipsec.conf don't seem to work. These are required to
easily set up gateway-to-gateway communications.


Version-Release number of selected component (if applicable):

openswan-doc-2.6.07-2.el5
openswan-2.6.07-2.el5


How reproducible:

Always


Steps to Reproduce:
1. Configure network-to-network setup using configuration below
2. Start the connection and verify it
3. Notice that even if 'leftsourceip' and 'rightsourceip' are given, neither ping
nor data goes between the gateway nodes without manually binding the
application to the local interface (ping -I, ssh -b etc.). Given the bind, it works
as expected.

conn netnet
        left=192.168.76.31
        leftsourceip=172.16.112.1
        leftsubnet=172.16.112.0/24
        leftid=@a.example.com
        leftrsasigkey=0sAQNiYzAa..
        leftnexthop=192.168.79.254
        right=192.168.79.138
        rightsourceip=192.168.154.1
        rightsubnet=192.168.154.0/24
        rightid=@b.example.com
        rightrsasigkey=0sAQOMrBsIu3K..
        rightnexthop=192.168.79.254
        authby=rsasig
        auto=add

One more interesting thing: it seems that once given the bind address, ping itself
does not obey Ctrl+C (on a serial console at least) and has to be killed (state S+).
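A small diagnostic for the symptom described above, added here as an example and not part of the bug report or of openswan. It assumes that the netkey updown script installs the source address as the `src` attribute of the kernel route to the peer subnet (the `ip route replace` step mentioned later in this bug), so a gateway where leftsourceip= took effect shows that `src` on the route, while the broken release leaves it off and traffic to the peer subnet is sourced from the outer address. The route listings are constructed samples built from the conn in the report; on a live gateway the output of `ip route show` is passed in instead.

```sh
#!/bin/sh
# Added diagnostic (not openswan code): check whether the route to the peer
# subnet carries the src address that leftsourceip= should have installed.

# Constructed sample of `ip route show` on the reporter's left gateway after the
# tunnel is up (values taken from the conn in the report). First listing: what a
# working _updown.netkey installs; second listing: the route without src that the
# broken release leaves behind.
ROUTES_OK='192.168.154.0/24 via 192.168.79.254 dev eth0  src 172.16.112.1
172.16.112.0/24 dev eth1  proto kernel  scope link  src 172.16.112.1
default via 192.168.79.254 dev eth0'

ROUTES_BROKEN='192.168.154.0/24 via 192.168.79.254 dev eth0
172.16.112.0/24 dev eth1  proto kernel  scope link  src 172.16.112.1
default via 192.168.79.254 dev eth0'

# route_src ROUTES SUBNET
# Prints the src address on the route whose destination is exactly SUBNET;
# prints nothing if the route is missing or has no src attribute.
route_src() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == net {
            for (i = 2; i < NF; i++) if ($i == "src") { print $(i + 1); exit }
        }'
}

# sourceip_applied ROUTES SUBNET EXPECTED_SRC
# Returns 0 when the route to SUBNET is sourced from EXPECTED_SRC, 1 otherwise.
sourceip_applied() {
    [ "$(route_src "$1" "$2")" = "$3" ]
}

# On a live left gateway:
#   sourceip_applied "$(ip route show)" 192.168.154.0/24 172.16.112.1
if sourceip_applied "$ROUTES_OK" 192.168.154.0/24 172.16.112.1; then
    echo "sample 1: leftsourceip applied (route carries src 172.16.112.1)"
fi
if ! sourceip_applied "$ROUTES_BROKEN" 192.168.154.0/24 172.16.112.1; then
    echo "sample 2: route has no src; applications must bind (ping -I, ssh -b) to reach the peer subnet"
fi
```

The check compares the whole destination field, so an overlapping or default route never masks a missing tunnel route, and it reports the mismatch rather than the absence only, which also catches a stale src left over from an earlier configuration.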
Comment 1 Paul Wouters 2008-02-22 11:36:23 EST
We noticed this issue as well. It seems it is related to the _updown.netkey
script. When adding a "set -x" to investigate, we notice it is complaining about
some weird "\134" character. We verified the script is pure ASCII, so we are
somewhat confused right now as to what the real issue is.
Comment 2 Paul Wouters 2008-02-24 09:46:40 EST
Note that in 2.6.24, the "ip route replace" command seems to be broken. At
least, according to
http://www.shorewall.net/pub/shorewall/4.0/shorewall-4.0.9/releasenotes.txt

This might not be our bug.
Comment 3 Paul Wouters 2008-02-24 18:52:32 EST
The leftsourceip= bug has been found. It will be fixed in 2.5.17 and 2.6.08,
which will be released Mon Feb 25 (tomorrow).

Quick fix is to change _updown.netkey/*in and remove all the code in the
"prepare-client" case. This is a leftover from KLIPS (_updown.klips)
Comment 9 Paul Wouters 2008-04-21 20:27:27 EDT
This accidentally got re-introduced, and is fixed in openswan 2.6.12.
Comment 15 errata-xmlrpc 2008-05-21 11:29:02 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0395.html
