Fedora Linux Support Community & Resources Center
  #1  
Old 11th October 2007, 06:34 PM
bpolley
ipsec RTNETLINK problem

Hi all,

I'm having a problem setting up a network-to-network IPsec tunnel.

I have set everything up as per the deployment guide and enabled ip_forwarding in /etc/sysctl.conf.

When I do an ifup ipsec0 I get:
RTNETLINK answers: Invalid argument

sh -x ifup ipsec0
+ unset WINDOW
+ . /etc/init.d/functions
++ TEXTDOMAIN=initscripts
++ umask 022
++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
++ export PATH
++ '[' -z '' ']'
++ COLUMNS=80
++ '[' -z '' ']'
+++ /sbin/consoletype
++ CONSOLETYPE=pty
++ '[' -f /etc/sysconfig/i18n -a -z '' ']'
++ . /etc/profile.d/lang.sh
+++ sourced=0
+++ for langfile in /etc/sysconfig/i18n '$HOME/.i18n'
+++ '[' -f /etc/sysconfig/i18n ']'
+++ . /etc/sysconfig/i18n
++++ LANG=en_US.UTF-8
++++ SYSFONT=latarcyrheb-sun16
+++ sourced=1
+++ for langfile in /etc/sysconfig/i18n '$HOME/.i18n'
+++ '[' -f /home/bpolley/.i18n ']'
+++ '[' -n '' ']'
+++ '[' 1 = 1 ']'
+++ '[' -n en_US.UTF-8 ']'
+++ export LANG
+++ '[' -n '' ']'
+++ unset LC_ADDRESS
+++ '[' -n '' ']'
+++ unset LC_CTYPE
+++ '[' -n '' ']'
+++ unset LC_COLLATE
+++ '[' -n '' ']'
+++ unset LC_IDENTIFICATION
+++ '[' -n '' ']'
+++ unset LC_MEASUREMENT
+++ '[' -n '' ']'
+++ unset LC_MESSAGES
+++ '[' -n '' ']'
+++ unset LC_MONETARY
+++ '[' -n '' ']'
+++ unset LC_NAME
+++ '[' -n '' ']'
+++ unset LC_NUMERIC
+++ '[' -n '' ']'
+++ unset LC_PAPER
+++ '[' -n '' ']'
+++ unset LC_TELEPHONE
+++ '[' -n '' ']'
+++ unset LC_TIME
+++ '[' -n '' ']'
+++ unset LC_ALL
+++ '[' -n '' ']'
+++ unset LANGUAGE
+++ '[' -n '' ']'
+++ unset LINGUAS
+++ '[' -n '' ']'
+++ unset _XKB_CHARSET
++++ /sbin/consoletype
+++ consoletype=pty
+++ '[' -n '' ']'
+++ '[' -n '' ']'
+++ '[' -n en_US.UTF-8 ']'
+++ case $LANG in
+++ '[' xterm = linux ']'
+++ unset SYSFONTACM SYSFONT
+++ unset sourced
+++ unset langfile
++ '[' -z '' ']'
++ '[' -f /etc/sysconfig/init ']'
++ . /etc/sysconfig/init
+++ BOOTUP=color
+++ GRAPHICAL=yes
+++ RES_COL=60
+++ MOVE_TO_COL='echo -en \033[60G'
+++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
+++ SETCOLOR_FAILURE='echo -en \033[0;31m'
+++ SETCOLOR_WARNING='echo -en \033[0;33m'
+++ SETCOLOR_NORMAL='echo -en \033[0;39m'
+++ LOGLEVEL=3
+++ PROMPT=yes
+++ AUTOSWAP=no
++ '[' pty = serial ']'
++ '[' color '!=' verbose ']'
++ INITLOG_ARGS=-q
++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave \)$/d'
+ cd /etc/sysconfig/network-scripts
+ . ./network-functions
++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
++ export PATH
++ '[' -z '/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave \)$/d' ']'
+ '[' -f ../network ']'
+ . ../network
++ NETWORKING=yes
++ NETWORKING_IPV6=yes
++ HOSTNAME=red1.underworld.loc
+ CONFIG=ipsec0
+ '[' -z ipsec0 ']'
+ need_config ipsec0
+ local nconfig
+ CONFIG=ifcfg-ipsec0
+ '[' -f ifcfg-ipsec0 ']'
+ return
+ '[' -f ifcfg-ipsec0 ']'
+ '[' 0 '!=' 0 ']'
+ source_config
++ basename ifcfg-ipsec0
++ sed 's/^ifcfg-//g'
+ DEVNAME=ipsec0
+ echo ifcfg-ipsec0
+ grep -q '[^g]-'
+ . ifcfg-ipsec0
++ TYPE=IPSEC
++ ONBOOT=no
++ IKE_METHOD=PSK
++ SRCGW=192.168.11.1
++ DSTGW=172.16.16.111
++ SRCNET=192.168.11.0/24
++ DSTNET=172.16.16.0/24
++ DST=xxx.xxx.xxx.xxx
+ '[' -r keys-ipsec0 ']'
+ . keys-ipsec0
++ IKE_PSK=xxxxxxxxxx
+ case "$TYPE" in
+ DEVICETYPE=ipsec
+ '[' -z ipsec ']'
+ '[' -z '' -a -n '' ']'
+ '[' -z '' ']'
+ REALDEVICE=
+ '[' '' '!=' '' ']'
+ ISALIAS=no
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' foo = fooboot ']'
+ '[' -n '' ']'
+ '[' -n '' -a IPSEC = Bridge ']'
+ '[' -x /sbin/vconfig -a '' = yes -a no = no ']'
+ '[' '' = yes ']'
+ '[' '' = bootp -o '' = dhcp ']'
+ '[' -x /sbin/ifup-pre-local ']'
+ OTHERSCRIPT=/etc/sysconfig/network-scripts/ifup-ipsec
+ '[' '!' -x /etc/sysconfig/network-scripts/ifup-ipsec ']'
+ exec /etc/sysconfig/network-scripts/ifup-ipsec ifcfg-ipsec0
RTNETLINK answers: Invalid argument

Any help would be greatly appreciated.

Thanks,
  #2  
Old 11th October 2007, 06:55 PM
bpolley
I did try a suggestion in this forum
Quote:
The /etc/sysconfig/network-scripts/ifup-ipsec script is incorrect.

The src has to be local to the box, or ip route will fail.

For IPSEC tunnels I use the local ip on the internal side of the endpoint to use as the source. eg., if your firewall/endpoint has two interfaces, eth0 on the local network 192.168.1.1, and eth1 on the internet 24.24.24.24, use 192.168.1.1 for the src address.

To fix this edit the script as follows.

At about line 111 add the following:
if [ -z "$FSRC" ]; then
FSRC=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
fi


Then at about line 154 & 209 change:
ip route add to $DSTNET via $SRCGW src $SRCGW
to
ip route add to $DSTNET via $SRCGW src $FSRC

Now I get the following at the last 4 lines:

+ OTHERSCRIPT=/etc/sysconfig/network-scripts/ifup-ipsec
+ '[' '!' -x /etc/sysconfig/network-scripts/ifup-ipsec ']'
+ exec /etc/sysconfig/network-scripts/ifup-ipsec ifcfg-ipsec0
Command line is not complete. Try option "help"
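
Added example (not part of the original posts or of the ifup-ipsec script): the quoted fix requires the `src` address to be local, and iproute2 prints "Command line is not complete" when a keyword such as `src` is not followed by an argument, which is what an empty FSRC would produce. The sketch below checks both conditions before building the route command; the helper names and the sample `ip` output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: guard the FSRC lookup before it reaches `ip route add`.
# All sample `ip` output below is constructed for illustration.

# Constructed `ip -o route get` line for an address on the internal network.
SAMPLE_ROUTE_GET='192.168.11.0 dev eth0  src 192.168.11.1 '
# Constructed `ip -o -4 addr show` output for the endpoint.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.11.1/24 brd 192.168.11.255 scope global eth0'

# Print the address after "src" in a route-get line; print nothing when the
# field is absent (sed without -n would echo the unmatched line back).
extract_src() {
    printf '%s\n' "$1" | sed -n 's|.* src \([^ ]*\).*|\1|p'
}

# Succeed only if address $1 is configured locally per addr output $2.
is_local_addr() {
    printf '%s\n' "$2" | awk -v a="$1" '
        $3 == "inet" { split($4, p, "/"); if (p[1] == a) found = 1 }
        END { exit !found }'
}

# Print the route command, or fail before ip(8) sees a bad src.
# Args: dstnet srcgw fsrc addr_output (hypothetical helper).
build_route_cmd() {
    if [ -z "$3" ]; then
        echo "FSRC is empty: 'src' would have no argument" >&2
        return 1
    fi
    if ! is_local_addr "$3" "$4"; then
        echo "FSRC $3 is not a local address" >&2
        return 2
    fi
    echo "ip route add to $1 via $2 src $3"
}

# On a live system the inputs would come from:
#   ip -o route get to "$addr"    and    ip -o -4 addr show
FSRC=$(extract_src "$SAMPLE_ROUTE_GET")
build_route_cmd 172.16.16.0/24 192.168.11.1 "$FSRC" "$SAMPLE_ADDR"
```

Running the same two checks by hand (is FSRC non-empty, and does it appear in `ip -o -4 addr show`) narrows down which of the two error messages in this thread applies.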