Bug 166257 - ipsec VPN problems caused by some code in ifup-ipsec
Summary: ipsec VPN problems caused by some code in ifup-ipsec
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: initscripts
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks: FC5Target
Reported: 2005-08-18 12:28 UTC by Tarhon-Onu Victor
Modified: 2014-03-17 02:55 UTC (History)

Fixed In Version: 8.34-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-23 19:19:12 UTC


Attachments (Terms of Use)
A quick fix that works (deleted)
2005-08-18 12:38 UTC, Tarhon-Onu Victor

Description Tarhon-Onu Victor 2005-08-18 12:28:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Fedora/1.7.10-1.3.1

Description of problem:
There are some problems getting up an IPSec VPN because of the following lines in ifup-ipsec:
== cut here ==
     [ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"
     [ "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] && KEY_AH_OUT=\"$KEY_AH_OUT\"
     [ "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] && KEY_ESP_IN=\"$KEY_ESP_IN\"
     [ "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] && KEY_ESP_OUT=\"$KEY_ESP_OUT\"
== and here ==

I use the ESP protocol, not AH, so the lines concerning any AH setting (keys, encryption protocols, etc.) are left blank.

But, somewhere below these lines, in ifup-ipsec, there are lines like the following:
== cut here ==
# AH
${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
== and here ==
So if the variables KEY_AH_{IN,OUT} are set ok we add the right lines in the output we send to setkey. But if, say, KEY_AH_IN is null (or does not begin with "0x") then:
[ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"
...and $KEY_AH_IN is now set to '""' causing the following output to be sent to setkey:
== cut here ==
# AH
add $DST $SRC ah $SPI_AH_IN -A  AH_PROTO_IN "";
add $SRC $DST ah $SPI_AH_OUT -A AH_PROTO_OUT "";
== and here ==

Of course, setkey will exit due to syntax errors and will fail to set the security policies which follow.

Version-Release number of selected component (if applicable):
initscripts-8.11.1-1 (FC4, current fedora core devel)

How reproducible:
Always

Steps to Reproduce:
1. Configure an ipsec tunnel in /etc/sysconfig/network-scripts/ifcfg-ipsec0 using one of the AH or ESP protocols;
2. run ifup ipsec0 as root;
3. run setkey -DP and notice that no policies are set.

Actual Results:  setkey exits prematurely due to syntax errors caused by misevaluation of some variables.

Expected Results:  The output:
== cut here ==
# AH
add $DST $SRC ah $SPI_AH_IN -A  AH_PROTO_IN "";
add $SRC $DST ah $SPI_AH_OUT -A AH_PROTO_OUT "";
== and here ==
should never be generated (in our particular example) and setkey will finish its job.


Additional info:

The way the $KEY_ variables are evaluated has to be changed. These variables have to be hex strings (beginning with 0x) or double-quoted character strings, and the tests do check this, but a not-null test should also be performed.

I also modified a version of ifup-ipsec to write everything it sends to setkey to a file (/tmp/ipsecvpn.setkey); it is available at ftp://blackblue.iasi.rdsnet.ro/pub/various/i/ifup-ipsec-debug.
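The expansion bug described above, reproduced as an added stand-alone example (not code from initscripts or from the reporter's patch): the quoting step turns an empty key into the two-character string '""', which is non-empty, so the ${KEY_AH_IN:+...} guard emits a broken AH line. The helper names, the sample addresses and SPIs are constructed for this illustration.

```sh
#!/bin/sh
# Added example, not part of the original bug report.

# Quoting as ifup-ipsec did it: any value not starting with 0x gets wrapped in
# double quotes, including an empty one, which becomes the literal string "".
quote_key_buggy() {
    key=$1
    [ "$key" = "${key##0x}" ] && key=\"$key\"
    printf '%s' "$key"
}

# Corrected quoting: a key that is unset or empty stays empty, so the
# ${VAR:+...} guard further down correctly emits nothing for it.
quote_key_fixed() {
    key=$1
    [ -n "$key" ] && [ "$key" = "${key##0x}" ] && key=\"$key\"
    printf '%s' "$key"
}

# Build the AH "add" lines that would be piped to setkey, using the same
# ${KEY:+...} construct as ifup-ipsec.  $1 is the quoting helper to use,
# $2 and $3 are the raw KEY_AH_IN / KEY_AH_OUT values from ifcfg-ipsecX.
# Addresses (RFC 5737 documentation ranges) and SPIs are constructed values.
setkey_ah_input() {
    SRC=192.0.2.1 DST=198.51.100.1 SPI_AH_IN=0x1000 SPI_AH_OUT=0x1001
    AH_PROTO=hmac-sha1
    KEY_AH_IN=$("$1" "$2")
    KEY_AH_OUT=$("$1" "$3")
    for line in \
        "${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}" \
        "${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}"
    do
        [ -n "$line" ] && printf '%s\n' "$line"
    done
    return 0
}

# ESP-only configuration (no AH keys): the buggy helper still produces two
# syntactically invalid "add ... """ lines, the fixed helper produces none.
echo '--- buggy, empty AH keys ---'
setkey_ah_input quote_key_buggy '' ''
echo '--- fixed, empty AH keys ---'
setkey_ah_input quote_key_fixed '' ''
echo '--- fixed, inbound AH key only ---'
setkey_ah_input quote_key_fixed 0xabcdef ''
```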

Comment 1 Tarhon-Onu Victor 2005-08-18 12:38:28 UTC
Created attachment 117866 [details]
A quick fix that works

This is a patch for ifup-ipsec that also adds checking of $KEY_{AH,ESP}_{IN,OUT} against null values.

Comment 2 Chris Hapgood 2005-10-25 18:52:14 UTC
Furthermore, there is no support for NAT traversal. Not too hard to add, though. First, automatic keying is implied with NAT - only really an issue for the GUI. Second, the "nat_traversal on" statement must be included in the generated racoon file (trivial). Third, the policy requirement for AH must be removed - by testing for the presence of AH_KEY_IN/OUT just like in the manual keying section.

I would think a variable like NAT=YES in ipsec-<my config> would be a good approach.

-Chris

Comment 3 Bill Nottingham 2006-05-23 19:19:12 UTC
Should be fixed in 8.34-1.

Comment 4 Kapetanakis Giannis 2010-02-07 14:28:18 UTC
Hi all,

I think this is a good place to comment:

initscripts-9.02.1-1.i686
Fedora 12

NAT support is not there yet. We have to add manually in ifup-ipsec
nat_traversal on;

Disabling AH is easier by adding AH_PROTO=none in the ifcfg-ipsecX file.

best regards,

Giannis
