
Bug 166257

Summary: ipsec VPN problems caused by some code in ifup-ipsec
Product: Fedora
Reporter: Tarhon-Onu Victor <lsmituc>
Component: initscripts
Assignee: Bill Nottingham <notting>
Status: CLOSED RAWHIDE
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: medium
Version: rawhide
CC: bilias, cch1, denis, rvokal
Hardware: All
OS: Linux
Fixed In Version: 8.34-1
Doc Type: Bug Fix
Last Closed: 2006-05-23 19:19:12 UTC
Bug Blocks: 150221

Attachments: A quick fix that works

Description Tarhon-Onu Victor 2005-08-18 12:28:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Fedora/1.7.10-1.3.1

Description of problem:
There are some problems getting up an IPSec VPN because of the following lines in ifup-ipsec:
== cut here ==
     [ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"
     [ "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] && KEY_AH_OUT=\"$KEY_AH_OUT\"
     [ "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] && KEY_ESP_IN=\"$KEY_ESP_IN\"
     [ "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] && KEY_ESP_OUT=\"$KEY_ESP_OUT\"
== and here ==

I use the ESP protocol, not AH, so the lines concerning any AH setting (keys, encryption protocols, etc.) are left blank.

But, somewhere below these lines, in ifup-ipsec, there are lines like the following:
== cut here ==
# AH
== and here ==
So if the variables KEY_AH_{IN,OUT} are set OK, we add the right lines to the output we send to setkey. But if, say, KEY_AH_IN is null (or does not begin with "0x"), then:
[ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"
...and $KEY_AH_IN is now set to '""' causing the following output to be sent to setkey:
== cut here ==
# AH
add $DST $SRC ah $SPI_AH_IN -A  AH_PROTO_IN "";
== and here ==

Of course, setkey will exit due to syntax errors and will fail to set the security policies which follow.

Version-Release number of selected component (if applicable):
initscripts-8.11.1-1 (FC4, current fedora core devel)

How reproducible:

Steps to Reproduce:
1. Configure an IPsec tunnel in /etc/sysconfig/network-scripts/ifcfg-ipsec0 using one of the AH or ESP protocols;
2. run ifup ipsec0 as root;
3. run setkey -DP and notice that no policies are set.

Actual Results:  setkey exits prematurely due to syntax errors caused by misevaluation of some variables.

Expected Results:  The output:
== cut here ==
# AH
add $DST $SRC ah $SPI_AH_IN -A  AH_PROTO_IN "";
== and here ==
should never be generated (in our particular example) and setkey will finish its job.

Additional info:

The way the $KEY_ variables are evaluated has to be changed. These variables have to be hex strings (beginning with 0x) or double-quoted character strings, and the tests do check this, but a non-null test should also be performed.

I also modified a version of ifup-ipsec to write everything it sends to setkey into a file (/tmp/ipsecvpn.setkey); it's available here.
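The failure mode described in this report, as an added example that is not part of the bug report or of the initscripts ifup-ipsec script: a POSIX sh reproduction of the original quoting test next to a version with the non-null check the reporter asks for, plus a small generator that emits a setkey `add` line only when a key is present. The function names, the argument layout, and the sample addresses, SPIs and keys are assumptions made here for illustration; only the `add ... -A/-E ...;` line shape follows setkey(8) as quoted in the report.

```shell
#!/bin/sh
# Added example, not the initscripts ifup-ipsec code: reproduces the quoting
# bug from the report and shows the non-null check that fixes it.

# quote_key_buggy mirrors the original test. Any value that does not start
# with "0x" is wrapped in double quotes, so an EMPTY value becomes the two
# characters '""' and later lands in the setkey input as a bogus key.
quote_key_buggy() {
    key="$1"
    [ "$key" = "${key##0x}" ] && key="\"$key\""
    printf '%s' "$key"
}

# quote_key_fixed adds the missing non-null test: an empty key stays empty
# (so the caller can skip the SA entirely); a hex key is passed through;
# anything else is treated as an ASCII key string and double quoted.
quote_key_fixed() {
    key="$1"
    if [ -n "$key" ] && [ "$key" = "${key##0x}" ]; then
        key="\"$key\""
    fi
    printf '%s' "$key"
}

# gen_sa emits one setkey "add" line, or nothing when the key is empty.
# Arguments: SRC DST PROTO(ah|esp) FLAG(-A|-E) SPI ALGO KEY. FLAG is -A for
# an AH authentication algorithm and -E for an ESP encryption algorithm.
# (Argument layout is an assumption of this example.)
gen_sa() {
    src="$1"; dst="$2"; proto="$3"; flag="$4"; spi="$5"; algo="$6"
    key=$(quote_key_fixed "$7")
    if [ -z "$key" ]; then
        return 0
    fi
    printf 'add %s %s %s %s %s %s %s;\n' \
        "$src" "$dst" "$proto" "$spi" "$flag" "$algo" "$key"
}

# gen_setkey_input builds the manual-keying section for one direction.
# With KEY_AH empty (the reporter's ESP-only setup) only the ESP line is
# produced, so setkey no longer aborts on a syntax error.
gen_setkey_input() {
    src="$1"; dst="$2"
    spi_ah="$3"; ah_proto="$4"; key_ah="$5"
    spi_esp="$6"; esp_proto="$7"; key_esp="$8"
    printf '# AH\n'
    gen_sa "$src" "$dst" ah  -A "$spi_ah"  "$ah_proto"  "$key_ah"
    printf '# ESP\n'
    gen_sa "$src" "$dst" esp -E "$spi_esp" "$esp_proto" "$key_esp"
}

# Constructed sample values (not from any real configuration).
demo() {
    printf 'buggy quoting of an empty AH key: [%s]\n' "$(quote_key_buggy '')"
    printf 'fixed quoting of an empty AH key: [%s]\n' "$(quote_key_fixed '')"
    gen_setkey_input 192.0.2.1 192.0.2.2 \
        0x200 hmac-sha1 '' \
        0x201 3des-cbc 0x0123456789abcdef0123456789abcdef0123456789abcdef
}

demo
```

Running the script prints `[""]` for the buggy test and `[]` for the fixed one, followed by a setkey fragment whose `# AH` section is empty and whose ESP line carries the hex key unquoted; feeding that fragment to `setkey -c` would no longer stop at a syntax error before the SPD entries.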

Comment 1 Tarhon-Onu Victor 2005-08-18 12:38:28 UTC
Created attachment 117866 [details]
A quick fix that works

This is a patch for ifup-ipsec that also adds checking of
$KEY_{AH,ESP}_{IN,OUT} against null values.

Comment 2 Chris Hapgood 2005-10-25 18:52:14 UTC
Furthermore, there is no support for NAT traversal.  Not too hard to add,
though.  First, automatic keying is implied with NAT (only really an issue for
the GUI).  Second, the "nat_traversal on" statement must be included in the
generated racoon file (trivial).  Third, the policy requirement for AH must be
removed, by testing for the presence of AH_KEY_IN/OUT just like in the manual
keying section.

I would think a variable like NAT=YES in ipsec-<my config> would be a good 


Comment 3 Bill Nottingham 2006-05-23 19:19:12 UTC
Should be fixed in 8.34-1.

Comment 4 Kapetanakis Giannis 2010-02-07 14:28:18 UTC
Hi all,

I think this is a good place to comment:

Fedora 12

NAT support is not there yet. We have to add manually to ifup-ipsec:
nat_traversal on;

Disabling AH is easier by adding AH_PROTO=none in the ifcfg-ipsecX file.

best regards,