From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040623

Description of problem:
(Some history: after fighting for hours upon hours with freeswan, I have dumped it as a pointless exercise, and am now trying cold with using ipsec-tools. The following point of view is from someone who has used freeswan in the past, but never ipsec-tools.)

My need is to set up a network-to-network VPN between two machines, one a permanent gateway with a permanent fixed IP address, the second a road warrior with a dynamic IP address.

The documentation at http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-net2net.html is the only Red Hat supplied documentation I can find. The actual ipsec-tools package contains no useful documentation.

This documentation describes parts of a theoretical racoon.conf file. It does not show an actual practical working example. As a result, I still have no idea what I should put into racoon.conf in order to achieve the above. From googling extensively, the "anonymous" section seems to be significant, but no documentation tells me how these sections are significant.

In addition, the gateway will need to somehow start up racoon as a daemon, so that it can listen on port 500 and accept connections from the road warrior. The documentation seems to indicate how to initiate a session, but it does not indicate how to start up racoon as a daemon. The ipsec-tools package does not include an init.d startup script, nor is it listed by chkconfig. I as a user have no idea how to start ipsec up.

If these shortcomings in the documentation could be fixed so as to properly explain what to do (as opposed to just mention what can be done) it will make the lives of normal administrators like me significantly easier.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
xxx

Additional info:
Have you tried using the network configuration tool?
Yes (in a test environment) - the network config tool ipsec configuration is entirely undocumented. It asks for IP addresses and netmasks without indicating which IP address or netmask it is asking for (from experience with freeswan, I am aware that there are lots of different options for this). Typing in likely information in the hope of seeing where the data gets placed in the ifcfg-ipsec0 file turned out to be a waste of time, as redhat-config-network crashed on save because it could not handle the fact that there was a file called ifcfg-lo.rpmsave in the network-scripts directory, which is a separate bug that I'll file once I get this VPN to work and our network back online. But back to the original bug report: redhat-config-network is not a substitute for incomplete and incorrect documentation, and in my case one target machine is across town, the other target machine is on the other side of the planet, and the text mode version of redhat-config-network is a completely separate program that doesn't operate anything like the gui version.
Thank you for your feedback. We apologize for any issues you may have with the IPsec section of our documentation.

An IPsec connection is initialized using 'ifup', as noted in the documentation. The 'racoon' daemon is automatically run as part of the initialization of the connection. Refer to the bottom of the /etc/sysconfig/network-scripts/ifup-ipsec file for details. During our testing, the default racoon.conf file was used and not modified from the original values. We are in the process of editing this particular chapter of the Red Hat Enterprise Linux Security Guide and will be sure to clarify those default settings of the racoon.conf file.

From what I can gather, however, it appears that you want to link two machines directly. That is, you are connecting your road warrior machine directly to the gateway. If that is the case, a host-to-host connection could serve your needs. That being said, I am not sure that IPsec can be configured (whether network-to-network or host-to-host) using dynamic IP addresses without some custom scripting solution on the gateway end to determine the road warrior's IP address and establish the connection.

Thanks again for your report. I am closing this bug with the resolution of NEXTRELEASE, as the details of the racoon.conf default settings will be included in the next release of the Red Hat Enterprise Linux Security Guide.
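The two open questions in this thread are what the "anonymous" sections of racoon.conf mean and how the gateway side of a dynamic-IP setup is supposed to wait for the peer. The following racoon.conf is an added illustration written for this page; it is neither the reporter's file nor Red Hat's default racoon.conf, and it does not use the ifup/ifup-ipsec path the Red Hat reply describes, which assumes fixed peer addresses. It shows the responder (gateway) side only. The gateway address 203.0.113.1, the identifier gw.example.org and the psk.txt path are assumed values chosen for the example.

```conf
# Added illustration, not from the bug report or Red Hat's documentation:
# a responder-side racoon.conf for a fixed-IP gateway that must accept IKE
# from a road warrior whose address is not known in advance.
# Assumed values: gateway 203.0.113.1 (documentation range), identifier
# gw.example.org, PSK file path. The road warrior's address is deliberately
# not named anywhere in this file.

# Pre-shared keys live outside the config; keep the file mode 0600, root-owned.
path pre_shared_key "/etc/racoon/psk.txt";

# Bind the IKE listener to the gateway's public address on UDP/500, the port
# the road warrior will contact. Racoon backgrounds itself when started as
#   racoon -f /etc/racoon/racoon.conf
# (use -F to keep it in the foreground for debugging).
listen {
        isakmp 203.0.113.1 [500];
}

# "remote anonymous" is the catch-all phase-1 block: it applies to any IKE
# peer whose address does not match a more specific "remote <address>" block.
# That is what a gateway facing dynamic-IP peers needs, since no address can
# be written down for the road warrior.
remote anonymous {
        # Aggressive mode carries the peer's identifier in the first message,
        # which is how racoon finds the right line in psk.txt when the peer's
        # address is unknown; main mode is listed as well for fixed-ID peers.
        exchange_mode aggressive, main;
        # Respond only; never try to initiate towards an unknown address.
        passive on;
        # Create the SPD entries for this peer's traffic from what it proposes,
        # so no per-peer "setkey" policy has to be written before it connects.
        generate_policy on;
        my_identifier fqdn "gw.example.org";
        proposal {
                # Algorithms typical of 2004-era ipsec-tools; a current
                # deployment would prefer aes and a larger dh_group.
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# "sainfo anonymous" is the matching catch-all for phase 2: the IPsec SA
# parameters offered to any peer that has no more specific sainfo block.
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With an anonymous remote block the pre-shared key cannot be looked up by peer address, so each line of psk.txt is keyed by the identifier the road warrior presents (for example a user_fqdn such as warrior@example.org followed by the secret), and every road warrior should get its own line rather than sharing one key. The road-warrior side still needs its own racoon.conf with a `remote 203.0.113.1` block and its own SPD entries, and a daemon started this way has no init.d script, which is the gap the report points out.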