Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 168972 - IPSec initscript ESP/AH issues
Summary: IPSec initscript ESP/AH issues
Alias: None
Product: Fedora
Classification: Fedora
Component: initscripts
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brock Organ
Depends On: 122452
Blocks: FC5Target
TreeView+ depends on / blocked
Reported: 2005-09-21 19:18 UTC by Bill Nottingham
Modified: 2014-03-17 02:56 UTC (History)
5 users (show)

Fixed In Version: 8.36-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-07-21 18:29:39 UTC

Attachments (Terms of Use)

Description Bill Nottingham 2005-09-21 19:18:12 UTC
+++ This bug was initially created as a clone of Bug #122452 +++

Description of problem:

The IPSec VPN functionality within the Red Hat Linux ES distribution 
doesn't allow the configuration of VPN tunnels using ESP _or_ AH. It 
automatically creates a policy for both ESP and AH. Certain VPN 
servers like Netscreen and many others will accept either ESP or AH, 
but not both.

In order to create a "lan to lan" VPN between a netscreen VPN server 
and a Red Hat Linux ES server the following changes had to be made:

line 196 - 208 of /etc/sysconfig/network-scripts/ifup-ipsec contains 
the following:
      /sbin/setkey -c >/dev/null 2>&1 << EOF        
spddelete $SRCNET $DSTNET any -P out;             
spddelete $DSTNET $SRCNET any -P in;             
spdadd $SRCNET $DSTNET any -P out ipsec     
spdadd $DSTNET $SRCNET any -P in ipsec                    

Make the follwing change to the above section (Lan2Lan):
      /sbin/setkey -c >/dev/null 2>&1 << EOF        
spddelete $SRCNET $DSTNET any -P out;             
spddelete $DSTNET $SRCNET any -P in;             
spdadd $SRCNET $DSTNET any -P out ipsec     
spdadd $DSTNET $SRCNET any -P in ipsec                    

The above file changes will only affect "LAN to LAN" VPN's as there 
are configuration directives for both "Host to Host" VPN's as well. 
The following question could propose the way forward:

Is it possible that there should be a setting in the ifcfg-
{interface} file that specifies weather or not ESP and AH should be 



Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Create VPN between Red Hat Enterprise Linux ES and a hardware VPN 
device or any other VPN server.

Actual results:
Tunnels don't come up

Expected results:
Tunnels should come up

Additional info:
This is also a problem on Fedora Core 2 test3

-- Additional comment from on 2004-11-12 22:16 EST --
I ran into this same problem expect both end points for my vpn's are
FC2 boxes. Updating ifup-ipsec not to add the AH entries to the SPD
resolved the problem.

two FC2 boxes, IKE=PSK, Network-to-Network tunnel.

-- Additional comment from on 2005-05-20 15:42 EST --
Created an attachment (id=114650)
Make AH and ESP optional

I've found couple of problems with the previous patch.
 - manual keying was buggy
 - only ESP encryption with manual keying was possible (no auth)
 - couple of things cleaned
 - couple of typos fixed

This verion of patch will allow encryption+auth with ESP.  If KEY_AESP variable
is set (or separate keys for IN and OUT like all other keys), authentication
keys for ESP will be added when maunal keying is used.	If both AH and ESP are
used, authentication keys for ESP will be different than those for AH (for
those that like to do things twice).

This patch is against initscripts 7.93.11.  To make it fully work, at least
route fix from bug #146169 should also be added to the script.	Optionally, fix
for overlapping networks might also be needed in some cases (bug #150862).  It
should be fairly trivial to incorporate those two fixes into this patch.

Also, I'm using ipsec-tools 0.5 (from
 Seems that new version of racoon wants certificate type to be specified in
peers_certfile command.  Added it into the patch (I don't know if old racoon
allows x509 keyword on peers_certfile line, but the new one requires it).  This
change in configuration file syntax is not documented in the manual page, Bill
might want to update it.

What else...  Hm, nothing I could remember right now...  I'm on vacation next
week, so I guess I will not bombard you with updated versions of the patch ;-)

-- Additional comment from on 2005-05-20 16:25 EST --
Created an attachment (id=114653)
AH/ESP option + route + overlapping networks patch

This is what I actually use currently.	It has fixes for routes and overlapping
networks included (well, Bill doesn't really like this approach for overlapping
networks, but it is easy to change to whatever will be final solution).

Comment 1 Aleksandar Milivojevic 2005-09-21 19:57:00 UTC
Bill Nottingham wrote:
> Is it possible that there should be a setting in the ifcfg-
> {interface} file that specifies weather or not ESP and AH should be
> used?

Of course it is.  I sent a patch months ago that does exactly that (I believe it
was against RHEL4 and clones).  It allows the use of either AH, or ESP, or both.
 It also cleans up ifup-ipsec and ifdown-ipsec considerably by using conditional
variable substitutions (the old scripts used them too, but not everywhere they
could be used, resulting (if I remember correctly) in some duplicated code that
started showing first signs of inconsistencies).

I do remember that it worked very nicely with small Linksys VPN routers on the
other end (they support either AH or ESP, but not both), however I haven't been
using it lately.  Lately I was mostly doing Linux-to-linux VPNs, and because of
the bugs in Netfilter moved to IPSec over GRE approach (with complete new set of
scripts).  I liked having interfaces I can route to so much, I'm using that
approach wherever possible.  The 2.6 kernel's hidden/implicit IPSec routing
simply sucks.  Complicates things too much without any real benefit.  If anybody
is interested, I might even start working on a version of patch that would also
allow one to configure GRE and/or IPSec over GRE in ifcfg-* files, which could
possibly add hole new area of interoperability with big Cisco routers ;-)

Comment 2 Aleksandar Milivojevic 2005-09-21 20:17:17 UTC
Ah, I just realized the above was not was Notting wrote, it was from original
bug report.  Ah, shame on me, and so on, and so forth O:-)

Anyhow, I believe the change is small enough to be incorporated as patch against
EL4 and recent Fedora releases.  Don't see why EL3 would be show stopper for EL4.

Comment 3 Miloslav Trmač 2006-07-09 00:05:47 UTC
Fixed in CVS. Thanks for the patch!

Comment 4 Bill Nottingham 2006-07-21 18:29:39 UTC
Built as 8.36-1.

Note You need to log in before you can comment on or make changes to this bug.