Red Hat Bugzilla – Bug 126859
Usability: red hat documentation for ipsec-tools missing/incomplete
Last modified: 2014-08-04 18:14:52 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040623
Description of problem:
(Some history: after fighting for hours apon hours with freeswan, I
have dumped it as a pointless exercise, and am now trying cold with
using ipsec-tools. The following point of view is from someone who has
used freeswan in the past, but never ipsec-tools)
My need is to set up a network-to-network VPN between two machines,
one a permanent gateway with a permanant fixed IP address, the second
a road warrior with dynamic IP address. The documentation at
is the only Redhat supplied documentation I can find. The actual
ipsec-tools package contains no useful documentation.
This documentation describes parts of a theoretical racoon.conf file.
It does not show an actual practical working example. As a result, I
still have no idea what I should put into racoon.conf in order to
achieve the above. From googling extensively, the "anonymous" section
seems to be significant, but no documentation tells me how these
sections are significant.
In addition, the gateway will need to somehow start up racoon as a
daemon, so that it can listen on port 500 and accept connections from
the road warrior. The documentation seems to indicate how to initiate
a session, but it does not indicate how to start up racoon as a
daemon. The ipsec-tools package does not include an init.d startup
script, nor is it listed by chkconfig. I as a user have no idea how to
start ipsec up.
If these shortcomings in the documentation could be fixed so as to
properly explain what to do (as opposed to just mention what can be
done) it will make the lives of normal administrators like me
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Have you tried using the network configuration tool?
Yes (in a test environment) - the network config tool ipsec
configuration is entirely undocumented. It asks for IP addresses and
netmasks without indicating which IP address or netmask it is asking
for (from experience with freeswan, I am aware that there are lots of
different options for this).
Typing in likely information in the hope of seeing where the data gets
placed in the ifcfg-ipsec0 file turned out to be a waste of time, as
redhat-config-network crashed on save because it could not handle the
fact that there was a file called ifcfg-lo.rpmsave in the
network-scripts directory, which is a separate bug that I'll file once
I get this VPN to work and our network back online.
But back to the original bug report: redhat-config-network is not a
substitute for incomplete and incorrect documentation, and in my case
one target machine is across town, the other target machine is on the
other side of the planet, and the text mode version of
redhat-config-network is a completely separate program that doesn't
operate anything like the gui version.
Thank you for your feedback. We apologize for any issues you may have
with the IPsec section of our documentation.
An IPSec connection is initialized using 'ifup', as noted in the
documentation. The 'racoon' daemon is automatically run as part of the
initialization of the connection. Refer to the bottom of the
/etc/sysconfig/network-scripts/ifup-ipsec file for details.
During our testing, the default racoon.conf file was used and not
modified from the original values. We are in the process of editing
this particular chapter of the Red Hat Enterprise Linux Security Guide
and will be sure to clarify those default settings of the racoon.conf
From what I can gather, however, it appears that you want to link two
machines directly. That is, you are connecting your road warrior
machine directly to the gateway. If that is the case, a host-to-host
connection could serve your needs.
That being said, I am not sure that IPsec can be configured (whether
network-to-network or host-to-host) using dynamic IP addresses without
some custom scripting solution on the gateway end to determine the
road warrior's IP address and establish the connection.
Thanks again for your report. I am closing this bug with the
resolution of NEXTRELEASE, as the details of the racoon.conf default
settings will be included in the next release of the Red Hat
Enterprise Linux Security Guide.