ClearOS Bug Tracker


View Issue Details

ID: 0000037
Project: ClearOS
Category: app-ipsec - IPsec Engine
View Status: public
Date Submitted: 2010-03-04 15:12
Last Update: 2013-01-31 13:50
Reporter: dsokoloski
Assigned To: user2
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 5.1
Target Version: 5.2
Fixed in Version: 5.2

Summary: 0000037: IPsec workaround may cause issues for Samba when "bind interfaces only" is enabled

Description: The following combination will cause file sharing to be inaccessible from the LAN:

- Gateway mode
- Samba file sharing enabled
- IPsec VPN enabled
- WAN interface using an alphabetically higher network interface than the LAN interface

Here is the sequence of events. When an IPsec connection comes up, the source IP of the LAN interface is (sometimes?) added to the external WAN interface (e.g. ip addr add 192.168.4.1 dev ppp0). So an example LAN interface looks like:

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1c:23:c5:b4:e6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.4.1/24 brd 192.168.4.255 scope global eth1
    inet6 fe80::21c:23ff:fec5:b4e6/64 scope link
       valid_lft forever preferred_lft forever

And an example WAN interface looks like:

18: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 1.2.3.4 peer 1.2.3.1/32 scope global ppp0
    inet 192.168.4.1/24 scope global ppp0

Note the odd 192.168.4.1 interface that now exists on our ppp0 DSL WAN interface. According to the OpenSwan script, this was required as a workaround to "solve SNAT/MASQUERADE problems with recent # 2.6.x kernels." There is a mystery bug reference #66215 with a commit log date November 26, 2005.

In the Samba configuration, the following settings have been set:

bind interfaces only = Yes
interfaces = lo eth1

Internally, Samba processes this request by:

- Probing the interfaces on the system
- Sorting the interfaces according to addresses
- Discarding duplicates

Depending on the ordering, the request to bind on eth1 (with IP 192.168.4.1 in the example) no longer exists.
Tags: No tags attached.
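A check for the precondition described in this report, as an added example that is not ClearOS, Openswan or Samba code: it reads `ip addr` output and smb.conf text and reports any interface named in `interfaces =` whose IPv4 address also sits on another interface while `bind interfaces only` is on. The function names and sample text are constructed here; only plain interface names in `interfaces =` are handled, and Samba's own sorting and duplicate handling are not reproduced.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the `ip addr` output quoted in the report.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    inet 127.0.0.1/8 scope host lo
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global eth1
18: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast qlen 3
    inet 1.2.3.4 peer 1.2.3.1/32 scope global ppp0
    inet 192.168.4.1/24 scope global ppp0
"""
SAMPLE_SMB_CONF = "[global]\nbind interfaces only = Yes\ninterfaces = lo eth1\n"

def addresses_by_interface(ip_addr_text):
    """Map each IPv4 address to the list of interfaces that carry it."""
    owners, current = defaultdict(list), None
    for line in ip_addr_text.splitlines():
        header = re.match(r"\d+:\s+([^:@\s]+)", line)   # e.g. "18: ppp0: <...>"
        if header:
            current = header.group(1)
            continue
        inet = re.match(r"\s+inet\s+(\d+(?:\.\d+){3})", line)  # skips inet6 lines
        if inet and current and current not in owners[inet.group(1)]:
            owners[inet.group(1)].append(current)
    return owners

def samba_bind_settings(smb_conf_text):
    """Return (bind_interfaces_only, interface names) from smb.conf text."""
    # Assumption: "interfaces" holds plain names, not addresses or wildcards.
    params = {}
    for line in smb_conf_text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    only = params.get("bind interfaces only", "no").lower() in ("yes", "true", "1")
    return only, params.get("interfaces", "").split()

def shared_address_conflicts(ip_addr_text, smb_conf_text):
    """List (samba_iface, address, other_ifaces) for each shared address."""
    only, wanted = samba_bind_settings(smb_conf_text)
    if not only:
        return []
    return [(iface, addr, [o for o in ifaces if o != iface])
            for addr, ifaces in addresses_by_interface(ip_addr_text).items()
            for iface in ifaces if iface in wanted and len(ifaces) > 1]
```

On a live system the first argument would be the captured output of `ip addr` and the second the contents of the Samba configuration file.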

Notes
(0000163)
user2
2010-06-02 19:56

Source Code Changelog
---------------------------------------------------
- Removed old workaround since it causes grief for Samba [fixed tracker 0000037]

File Changes
---------------------------------------------------
U legacy/modules/trunk/app-ipsec/updown.app

Issue History
Date Modified | Username | Field | Change
2010-03-04 15:12 | user2 | New Issue |
2010-03-04 15:12 | user2 | Reporter | user2 => dsokoloski
2010-03-04 15:12 | user2 | Status | new => confirmed
2010-03-04 15:20 | user2 | Description Updated |
2010-03-04 15:22 | user2 | Description Updated |
2010-03-04 15:22 | user2 | Description Updated |
2010-06-02 19:56 | user2 | Checkin |
2010-06-02 19:56 | user2 | Note Added: 0000163 |
2010-06-02 19:56 | user2 | Status | confirmed => resolved
2010-06-02 19:56 | user2 | Resolution | open => fixed
2010-06-02 19:56 | user2 | Fixed in Version | => 5.2
2010-06-02 19:56 | user2 | Target Version | => 5.2
2010-06-02 19:57 | user2 | Status | resolved => assigned
2010-06-02 19:57 | user2 | Assigned To | => user2
2010-06-02 19:57 | user2 | Status | assigned => resolved
2010-07-14 16:42 | user2 | Status | resolved => closed
2013-01-31 13:49 | user2 | Category | app-ipsec - IPsec VPN => (No Category)
2013-01-31 13:50 | user2 | Category | (No Category) => app-ipsec - IPsec Engine