ID | Project | Category | View Status | Date Submitted | Last Update
0000037 | ClearOS | app-ipsec - IPsec Engine | public | 2010-03-04 15:12 | 2013-01-31 13:50
Reporter | dsokoloski
Assigned To | user2
Priority | normal | Severity | minor | Reproducibility | sometimes
Status | closed | Resolution | fixed
Platform | OS | OS Version
Product Version | 5.1
Target Version | 5.2 | Fixed in Version | 5.2
Summary | 0000037: IPsec workaround may cause issues for Samba when "bind interfaces only" is enabled
Description |

The following combination will cause file sharing to be inaccessible from the LAN:
- Gateway mode
- Samba file sharing enabled
- IPsec VPN enabled
- WAN interface using an alphabetically higher network interface than the LAN interface

Here is the sequence of events. When an IPsec connection comes up, the source IP of the LAN interface is (sometimes?) added to the external WAN interface (e.g. ip addr add 192.168.4.1 dev ppp0). So an example LAN interface looks like:

    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:1c:23:c5:b4:e6 brd ff:ff:ff:ff:ff:ff
        inet 192.168.4.1/24 brd 192.168.4.255 scope global eth1
        inet6 fe80::21c:23ff:fec5:b4e6/64 scope link
           valid_lft forever preferred_lft forever

And an example WAN interface looks like:

    18: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast qlen 3
        link/ppp
        inet 1.2.3.4 peer 1.2.3.1/32 scope global ppp0
        inet 192.168.4.1/24 scope global ppp0

Note the odd 192.168.4.1 interface that now exists on our ppp0 DSL WAN interface. According to the OpenSwan script, this was required as a workaround to "solve SNAT/MASQUERADE problems with recent 2.6.x kernels." There is a mystery bug reference #66215 with a commit log date November 26, 2005.

In the Samba configuration, the following settings have been set:

    bind interfaces only = Yes
    interfaces = lo eth1

Internally, Samba processes this request by:
- Probing the interfaces on the system
- Sorting the interfaces according to addresses
- Discarding duplicates

Depending on the ordering, the request to bind on eth1 (with IP 192.168.4.1 in the example) no longer exists.
Tags | No tags attached.
Attached Files |
Notes |
(0000163) user2 2010-06-02 19:56

Source Code Changelog
---------------------------------------------------
- Removed old workaround since it causes grief for Samba [fixed tracker 0000037]

File Changes
---------------------------------------------------
U legacy/modules/trunk/app-ipsec/updown.app
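
A check for the condition described in this report, added here as an example and not part of the original issue or the ClearOS code: it parses `ip addr` output, finds IPv4 addresses carried by more than one interface, and reports those that collide with an interface Samba is told to bind to. The sample inputs are constructed from the values quoted in the description; the function names are hypothetical, and `interfaces` entries are assumed to be literal interface names.

```python
import re
from collections import defaultdict

# Constructed samples, modelled on the `ip addr` output and smb.conf settings in the report.
SAMPLE_IP_ADDR = """\
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1c:23:c5:b4:e6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.4.1/24 brd 192.168.4.255 scope global eth1
    inet6 fe80::21c:23ff:fec5:b4e6/64 scope link
18: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 1.2.3.4 peer 1.2.3.1/32 scope global ppp0
    inet 192.168.4.1/24 scope global ppp0
"""
SAMPLE_SMB_CONF = "[global]\nbind interfaces only = Yes\ninterfaces = lo eth1\n"

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")           # "3: eth1: <...>"
INET_RE = re.compile(r"^\s+inet\s+(\d+(?:\.\d+){3})")  # IPv4 lines only, not inet6

def ipv4_owners(ip_addr_output):
    """Map each IPv4 address to the set of interfaces that carry it."""
    owners, current = defaultdict(set), None
    for line in ip_addr_output.splitlines():
        if (m := IFACE_RE.match(line)):
            current = m.group(1)
        elif current and (m := INET_RE.match(line)):
            owners[m.group(1)].add(current)
    return owners

def samba_bound_interfaces(smb_conf):
    """Names in 'interfaces' if 'bind interfaces only' is on (assumed: no IPs/wildcards)."""
    opts = {}
    for line in smb_conf.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";")):
            key, value = line.split("=", 1)
            opts[" ".join(key.lower().split())] = value.strip()
    if opts.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        return set()
    return set(opts.get("interfaces", "").replace(",", " ").split())

def shadowed_bindings(ip_addr_output, smb_conf):
    """(address, bound interface, other interfaces holding the same address)."""
    bound = samba_bound_interfaces(smb_conf)
    return [(addr, iface, sorted(ifaces - {iface}))
            for addr, ifaces in sorted(ipv4_owners(ip_addr_output).items())
            for iface in sorted(ifaces & bound) if len(ifaces) > 1]

if __name__ == "__main__":
    print(shadowed_bindings(SAMPLE_IP_ADDR, SAMPLE_SMB_CONF))
```

On a live gateway the first argument would be the captured output of `ip addr` and the second the contents of smb.conf; an empty result means no Samba-bound interface shares an IPv4 address with another interface.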