Bug 155149 - Transport mode (Host to Host) IPsec configured with system-config-network will not work
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: system-config-network
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
URL:
Whiteboard:
Duplicates: 155148
Depends On:
Blocks:
Reported: 2005-04-17 05:39 UTC by Michael Kearey
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-11-21 08:49:44 UTC


Attachments
Altered ifup-ipsec file (deleted), 2005-04-17 05:41 UTC, Michael Kearey
A patch file to make the change (deleted), 2005-04-17 05:43 UTC, Michael Kearey

Description Michael Kearey 2005-04-17 05:39:21 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050322 Firefox/1.0.2 Red Hat/1.0.2-1.4.1

Description of problem:
The system-config-network tool with the choices for both hosts:

Nickname: ipsec0
Host to Host Encryption
Manual with a fixed key (use the same keys in both hosts)
Provide the IP address of the end point (s) at each host

After running ifup ipsec0 on both hosts, I can see packets leaving for the IPsec host to host destination, and arriving at the destination with tcpdump. They appear to be encapsulated ok, but tcp communications seem to be impossible. It does not work.

I altered the /etc/sysconfig/network-scripts/ifup-ipsec file (see the attached one) and it now works. SPI_AH_IN and SPI_AH_OUT, and SPI_ESP_IN and SPI_ESP_OUT seem to be round the wrong way.


Version-Release number of selected component (if applicable):
initscripts-7.93.11.EL-1  

How reproducible:
Always

Steps to Reproduce:
1. Run system-config-network to configure host to host encryption
2. Do ifup ipsec0 on the two hosts
3. Try sending and receiving packets to and from the two hosts

Actual Results:  No tcp communication through the encrypted link can happen

Expected Results:  tcp communication should work

Additional info:

Note that I have not tested any other configurations, just the host to host 'transport' mode.

This affects Red Hat Enterprise Linux 3, 4 and Fedora Core.

Comment 1 Michael Kearey 2005-04-17 05:41:42 UTC
Created attachment 113278 [details]
Altered ifup-ipsec file

Altered ifup-ipsec file to 'make it work'

Comment 2 Michael Kearey 2005-04-17 05:43:24 UTC
Created attachment 113279 [details]
A patch file to make the change

Feeble patch that changes four lines..

Comment 3 Michael Kearey 2005-04-17 10:07:18 UTC
*** Bug 155148 has been marked as a duplicate of this bug. ***

Comment 4 Bill Nottingham 2005-04-18 15:40:28 UTC
Assigning to s-c-network; looks like it wrote a bad config.

Comment 5 RHEL Product and Program Management 2006-08-18 17:44:25 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 7 Harald Hoyer 2006-11-15 11:27:20 UTC
err... are you sure you reversed the IN and OUT on one side? I think this is a
configuration error, not a software bug. Please attach the
/etc/sysconfig/networking/ifcfg-* files of both sides.
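
The check Comment 7 asks for, as an added example that is not part of the bug or of initscripts: two manually keyed ifcfg files only form a working SA pair when each host's *_IN value equals the peer's *_OUT value and no host uses one SPI for both directions. The SPI_* names are from the report; the KEY_* names, the ifcfg layout and the sample values are assumptions constructed for this example.

```python
from typing import Dict, List

# Field pairs whose values must be swapped between the two ends of a manual SA.
# SPI_* names are from the bug report; KEY_* names are assumed to follow the same scheme.
PAIRED = [("SPI_AH_IN", "SPI_AH_OUT"), ("SPI_ESP_IN", "SPI_ESP_OUT"),
          ("KEY_AH_IN", "KEY_AH_OUT"), ("KEY_ESP_IN", "KEY_ESP_OUT")]


def parse_ifcfg(text: str) -> Dict[str, str]:
    """Parse KEY=value lines of a sysconfig-style file; drop comments and quotes."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip("'\"")
    return conf


def check_mirror(host_a: Dict[str, str], host_b: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the ends agree."""
    problems: List[str] = []
    for inbound, outbound in PAIRED:
        a_in, a_out = host_a.get(inbound), host_a.get(outbound)
        b_in, b_out = host_b.get(inbound), host_b.get(outbound)
        if None in (a_in, a_out, b_in, b_out):
            problems.append(f"{inbound}/{outbound} missing on one host")
            continue
        if a_in == a_out:  # same SPI/key in both directions on one host
            problems.append(f"{inbound} equals {outbound} on host A")
        if a_in != b_out:
            problems.append(f"host A {inbound} != host B {outbound}")
        if a_out != b_in:
            problems.append(f"host A {outbound} != host B {inbound}")
    return problems


# Constructed sample files: host B is the mirror image of host A.
HOST_A = """TYPE=IPSEC  # constructed
SPI_AH_IN=0x201
SPI_AH_OUT=0x202
SPI_ESP_IN=0x301
SPI_ESP_OUT=0x302
KEY_AH_IN=0xaaaa
KEY_AH_OUT=0xbbbb
KEY_ESP_IN=0xcccc
KEY_ESP_OUT=0xdddd
"""
HOST_B = HOST_A.replace("_IN=", "_TMP=").replace("_OUT=", "_IN=").replace("_TMP=", "_OUT=")
```

Running check_mirror on HOST_A against itself reproduces the mistake Comment 7 suspects: the peer copied the file verbatim instead of swapping IN and OUT.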

Comment 8 Michael Kearey 2006-11-21 06:44:01 UTC
Hi,

Looks like there has been a whole lot of work done since this bug was reported.
I used the latest s-c-network and configured a Host to Host manual connect and
it works straight away.

Close as NOTABUG ??

Cheers

