Bug 159343 - ifdown-ipsec doesn't handle more than one tunneled network between two hosts well
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: initscripts
Version: 4.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-06-01 20:08 UTC by Sean E. Millichamp
Modified: 2014-03-17 02:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-12-08 22:00:24 UTC



Description Sean E. Millichamp 2005-06-01 20:08:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.2-1.3.1 StumbleUpon/1.9993 Firefox/1.0.4

Description of problem:
If you have two directly attached networks on server A that you want to IPSec tunnel to server B you would need two config files:

ifcfg-net1 (on server A):
IKE_METHOD=PSK
DSTNET=192.168.2.0/24
SRCNET=192.168.1.0/24
DST=1.2.3.4
TYPE=IPSEC

Now, this works as it should (ignoring bug #146169 for a moment).

But if you add this:
ifcfg-net2 (on server A):
IKE_METHOD=PSK
DSTNET=192.168.2.0/24
SRCNET=10.10.10.0/24  <--- SRCNET changed
DST=1.2.3.4
TYPE=IPSEC

Now here is where you start to have problems.  You can 'ifup net1' and then 'ifup net2' without problems.  But then if you 'ifdown net1' then ifdown-ipsec removes the "include /etc/racoon/$DST.conf" line from /etc/racoon/racoon.conf which is still needed to support net2.

Since racoon gets HUPped, bringing down the one interface immediately starts to cause problems for the second interface.

There should be some mechanism to support this type of configuration.

Version-Release number of selected component (if applicable):
initscripts-7.93.11.EL-1

How reproducible:
Always

Steps to Reproduce:
1. Design tunnelled network as described above
2. ifup network1; ifup network2
3. ifdown network1
4. Try to access network2


Expected Results:  The RHEL IPSec implementation apparently supports this type of configuration without trouble.  The configuration scripts should handle this cleanly.

Additional info:

Until such time as this and other IPSec related initscript bugs get fixed I've decided to set up GRE tunnels and run them over a host-to-host IPSec connection.  I've tested it a little and it seems to work well.  This might be an acceptable workaround for anyone else hitting this as a problem.
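
A reference-counted version of the racoon.conf cleanup, written here as an added example for this report; it is neither initscripts' ifup-ipsec/ifdown-ipsec nor code from the reporter. It assumes the ifcfg-* file layout and the "include /etc/racoon/$DST.conf" line form exactly as the description gives them, records which tunnels are up in a hypothetical state directory, and runs entirely under a temp directory so it never touches /etc. ipsec_down_unconditional reproduces the behaviour the report describes; ipsec_down keeps the include line while any other tunnel to the same DST is still up.

```shell
#!/bin/sh
# Added example, not initscripts code: a reference-counted stand-in for the
# racoon.conf handling in ifup-ipsec/ifdown-ipsec. The include line for a peer
# is removed only when no other tunnel that is currently up uses the same DST.
# Everything lives under a temp directory; /etc is never touched.

WORK=$(mktemp -d)
SCRIPTS="$WORK/network-scripts"   # stands in for the ifcfg-* directory (assumed layout)
RACOON="$WORK/racoon.conf"        # stands in for /etc/racoon/racoon.conf
STATE="$WORK/ipsec-state"         # hypothetical per-tunnel "is up" markers
mkdir -p "$SCRIPTS" "$STATE"

# Constructed ifcfg files, copied from the two tunnels in the report.
cat > "$SCRIPTS/ifcfg-net1" <<'EOF'
IKE_METHOD=PSK
DSTNET=192.168.2.0/24
SRCNET=192.168.1.0/24
DST=1.2.3.4
TYPE=IPSEC
EOF
cat > "$SCRIPTS/ifcfg-net2" <<'EOF'
IKE_METHOD=PSK
DSTNET=192.168.2.0/24
SRCNET=10.10.10.0/24
DST=1.2.3.4
TYPE=IPSEC
EOF

# Constructed racoon.conf before any tunnel is up.
printf 'path pre_shared_key "/etc/racoon/psk.txt";\n' > "$RACOON"

ifcfg_get() {  # ifcfg_get <file> <KEY>: print the value of KEY=VALUE
    sed -n "s/^$2=//p" "$1" | head -n 1
}

include_present() {  # include_present <DST>: 0 if racoon.conf still includes the peer
    grep -q -x -F "include /etc/racoon/$1.conf" "$RACOON"
}

active_refs() {  # active_refs <DST>: number of tunnels currently up that use DST
    n=0
    for s in "$STATE"/*; do
        [ -f "$s" ] || continue
        [ "$(cat "$s")" = "$1" ] && n=$((n + 1))
    done
    echo "$n"
}

ipsec_up() {  # ipsec_up <iface>: add the include once, record the tunnel as up
    dst=$(ifcfg_get "$SCRIPTS/ifcfg-$1" DST)
    include_present "$dst" || echo "include /etc/racoon/$dst.conf" >> "$RACOON"
    echo "$dst" > "$STATE/$1"
}

ipsec_down_unconditional() {  # the behaviour the report describes: always strip the include
    dst=$(cat "$STATE/$1")
    rm -f "$STATE/$1"
    grep -v -x -F "include /etc/racoon/$dst.conf" "$RACOON" > "$RACOON.tmp" || :
    mv "$RACOON.tmp" "$RACOON"
}

ipsec_down() {  # ipsec_down <iface>: 0 if the include was removed, 1 if kept for another tunnel
    dst=$(cat "$STATE/$1")
    rm -f "$STATE/$1"
    [ "$(active_refs "$dst")" -eq 0 ] || return 1
    grep -v -x -F "include /etc/racoon/$dst.conf" "$RACOON" > "$RACOON.tmp" || :
    mv "$RACOON.tmp" "$RACOON"
}

# Walk through the report's steps with the reference-counted version.
ipsec_up net1
ipsec_up net2
if ipsec_down net1; then echo "ifdown net1: include removed"; else echo "ifdown net1: include kept, net2 still uses 1.2.3.4"; fi
if ipsec_down net2; then echo "ifdown net2: include removed, no tunnel left"; else echo "ifdown net2: include kept"; fi
```

Running it prints the outcome of each ifdown. The design point is that the include line belongs to the peer (DST), not to one ifcfg file, so only the last tunnel to that peer should remove it; counting the tunnels that are currently up, rather than the ifcfg files that exist, is what makes the check correct after a partial ifdown.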

Comment 1 Bill Nottingham 2005-09-21 21:10:07 UTC
Thanks for filing this report. I'm marking this bug as ASSIGNED since it's correctly assigned to me. However, this isn't very high in my priority queue, and is unlikely to get fixed in the very near future. If this issue is important to you, please contact Red Hat Support to get it escalated. Apologies for the inconvenience.

Comment 2 Miloslav Trmač 2006-11-15 01:49:14 UTC
initscripts in Fedora development will support specifying KEYING=automatic without IKE_* to indicate the racoon configuration is managed manually and the scripts shouldn't touch racoon.conf.

Comment 3 Bill Nottingham 2008-12-08 22:00:24 UTC
Closing as WONTFIX for RHEL 4; this is unlikely to ever change for RHEL 4, but it's fixed in later releases.

