Bug 138175

Summary: host-to-host IPsec configuration unusable

Product: [Fedora] Fedora
Component: system-config-network
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Ulrich Drepper <drepper>
Assignee: Harald Hoyer <harald>
Doc Type: Bug Fix
Last Closed: 2006-05-19 11:00:32 UTC

Description Ulrich Drepper 2004-11-05 09:58:15 UTC
Description of problem:
Installing an IPsec connection between two hosts with manual keys is not
possible with the dialogs.  The problem is that s-c-n (for good reasons!) uses
different keys for both directions.  Setting up the first host is nice and easy.
Select the host-to-host configuration, and generate AH/ESP keys.  This data can
be stored.  But what to do on the other side?  It is not correct to copy&paste
the keys generated on the first host since this would result in exactly the same
ifcfg-* file as on the first host.  The correct form requires that the SPI_*_IN
variables be renamed SPI_*_OUT and vice versa.  The input of the one side is
the output of the other side.

Version-Release number of selected component (if applicable):
system-config-network-1.3.22-1

How reproducible:
always

Steps to Reproduce:
1. Edit a new IPsec connection
2. Generate new keys on one system
3. Try to set up the other side on a second system
Actual results:
cannot be done

Expected results:
working IPsec connection

Additional info:
I don't have a patch.  And solving this might create a hard-to-use GUI.  Perhaps a
reasonable solution would be to add a select box labeled "reverse connection" or
so which, if selected, would perform the aforementioned _IN/_OUT renaming.

Comment 1 David Martin 2005-01-13 19:56:51 UTC
I also ran into this problem and agree with Ulrich's summary.  Though
it looks to me like the problem is in 
redhat-config-network-tui-1.2.63-1.

You can fix the connection by manually editing one of the generated
ifcfg- files and swapping the SPI_*_IN with SPI_*_OUT.  But
redhat-config-network is eager to overwrite that file, so it's a
fairly fragile workaround.

One possibly workable automatic solution is to compare the
local/remote IP addresses in redhat-config-network.  If local < remote
then swap the IN/OUT in the ifcfg file, otherwise don't.  Doesn't deal
with the case where local=remote, which one might conceivably want to
use for testing purposes or something, but that's likely to be rare.
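As an added example (not code from the bug report, from s-c-n, or from either commenter), the following script does the mirroring both comments describe: it reads an ifcfg-ipsec file as written on the first host, swaps every *_IN variable with its *_OUT counterpart, exchanges SRC/DST, and then checks that the two files describe matching security associations. It also implements David Martin's proposed address-ordering rule as a separate function, including the local=remote case he notes it does not handle. It assumes that the file carries KEY_*_IN/KEY_*_OUT and SRC/DST variables alongside the SPI_*_IN/SPI_*_OUT ones the report names, and that the same inbound/outbound pairing applies to them; the addresses and hex values are constructed, not taken from any real system.

```python
import ipaddress

# Constructed sample: the file s-c-n might write on the first host.
# Addresses and hex values are made up for illustration.
HOST_A_IFCFG = """\
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=manual
SRC=192.0.2.10
DST=192.0.2.20
AH_PROTO=hmac-sha1
ESP_PROTO=3des-cbc
SPI_AH_IN=0x1001
SPI_AH_OUT=0x1002
SPI_ESP_IN=0x2001
SPI_ESP_OUT=0x2002
KEY_AH_IN=0xaa11
KEY_AH_OUT=0xaa22
KEY_ESP_IN=0xbb11
KEY_ESP_OUT=0xbb22
"""


def parse_ifcfg(text):
    """Parse NAME=VALUE lines into a dict, preserving order; skip comments/blanks."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        result[name.strip()] = value.strip()
    return result


def _flip_direction(name):
    """SPI_AH_IN -> SPI_AH_OUT, KEY_ESP_OUT -> KEY_ESP_IN, other names unchanged."""
    if name.endswith("_IN"):
        return name[:-3] + "_OUT"
    if name.endswith("_OUT"):
        return name[:-4] + "_IN"
    return name


def mirror_ifcfg(vars_):
    """Produce the peer's file: one side's inbound SA is the other's outbound SA,
    so every *_IN/*_OUT pair is exchanged, as are SRC and DST."""
    mirrored = {}
    for name, value in vars_.items():
        if name == "SRC":
            name = "DST"
        elif name == "DST":
            name = "SRC"
        else:
            name = _flip_direction(name)
        mirrored[name] = value
    return mirrored


def render_ifcfg(vars_):
    """Serialize back to the NAME=VALUE form used in ifcfg-* files."""
    return "".join(f"{k}={v}\n" for k, v in vars_.items())


def sas_match(a, b):
    """True when every *_IN on side a equals the *_OUT on side b and vice versa.
    Two identical copies of the same file (the copy&paste mistake) fail this."""
    for name, value in a.items():
        if name.endswith(("_IN", "_OUT")):
            if b.get(_flip_direction(name)) != value:
                return False
    return True


def should_swap(local, remote):
    """David Martin's proposed automatic rule: swap IN/OUT on the side whose
    address sorts lower. local == remote is undefined under that rule."""
    local_ip, remote_ip = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    if local_ip == remote_ip:
        raise ValueError("local and remote address are equal; rule does not apply")
    return local_ip < remote_ip


if __name__ == "__main__":
    side_a = parse_ifcfg(HOST_A_IFCFG)
    side_b = mirror_ifcfg(side_a)
    print(render_ifcfg(side_b))
    print("SAs match:", sas_match(side_a, side_b))
```

Because the swap is driven purely by the variable names, the same function serves a file that carries only SPI_* variables and one that also carries KEY_* variables; the SRC/DST exchange is what a "reverse connection" checkbox in the dialog would need to do on top of the renaming.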