ClearFoundation Tracker - ClearOS
View Issue Details
0000037ClearOSapp-ipsec - IPsec Enginepublic2010-03-04 15:122013-01-31 13:50
0000037: IPsec workaround may cause issues for Samba when "bind interfaces only" is enabled
The following combination will cause file sharing to be inaccessible from the LAN:

- Gateway mode
- Samba file sharing enabled
- IPsec VPN enabled
- WAN interface using an alphabetically higher network interface than the LAN interface

Here is the sequence of events. When an IPsec connection comes up, the source IP of the LAN interface is (sometimes?) added to the external WAN interface (e.g. ip addr add dev ppp0). So an example LAN interface looks like:

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1c:23:c5:b4:e6 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth1
    inet6 fe80::21c:23ff:fec5:b4e6/64 scope link
       valid_lft forever preferred_lft forever

And an example WAN interface looks like:

18: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast qlen 3
    inet peer scope global ppp0
    inet scope global ppp0

Note the odd interface that now exists on our ppp0 DSL WAN interface. According to the OpenSwan script, this was required as a workaround to "solve SNAT/MASQUERADE problems with recent # 2.6.x kernels." There is a mystery bug reference #66215 with a commit log date November 26, 2005.

In the Samba configuration, the following settings have been set:

bind interfaces only = Yes
interfaces = lo eth1

Internally, Samba processes this request by:

- Probing the interfaces on the system
- Sorting the interfaces according to addresses
- Discarding duplicates

Depending on the ordering, the request to bind on eth1 (with IP in the example) no longer exists.
No tags attached.
Issue History
2010-03-04 15:12user2New Issue
2010-03-04 15:12user2Reporteruser2 => dsokoloski
2010-03-04 15:12user2Statusnew => confirmed
2010-03-04 15:20user2Description Updated
2010-03-04 15:22user2Description Updated
2010-03-04 15:22user2Description Updated
2010-06-02 19:56user2Checkin
2010-06-02 19:56user2Note Added: 0000163
2010-06-02 19:56user2Statusconfirmed => resolved
2010-06-02 19:56user2Resolutionopen => fixed
2010-06-02 19:56user2Fixed in Version => 5.2
2010-06-02 19:56user2Target Version => 5.2
2010-06-02 19:57user2Statusresolved => assigned
2010-06-02 19:57user2Assigned To => user2
2010-06-02 19:57user2Statusassigned => resolved
2010-07-14 16:42user2Statusresolved => closed
2013-01-31 13:49user2Categoryapp-ipsec - IPsec VPN => (No Category)
2013-01-31 13:50user2Category(No Category) => app-ipsec - IPsec Engine

2010-06-02 19:56   
Source Code Changelog
- Removed old workaround since it causes grief for Samba [fixed tracker 0000037]

File Changes
U legacy/modules/trunk/app-ipsec/