Bug 126859 - Usability: red hat documentation for ipsec-tools missing/incomplete
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: rhel-sg
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Ha
QA Contact: John Ha
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-06-28 14:31 UTC by Graham Leggett
Modified: 2014-08-04 22:14 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-06-30 17:32:23 UTC
Target Upstream Version:
Embargoed:


Description Graham Leggett 2004-06-28 14:31:33 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040623

Description of problem:
(Some history: after fighting for hours upon hours with freeswan, I
have dumped it as a pointless exercise, and am now trying cold with
using ipsec-tools. The following point of view is from someone who has
used freeswan in the past, but never ipsec-tools)

My need is to set up a network-to-network VPN between two machines,
one a permanent gateway with a permanent fixed IP address, the second
a road warrior with dynamic IP address. The documentation at
http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-net2net.html
is the only Red Hat-supplied documentation I can find. The actual
ipsec-tools package contains no useful documentation.

This documentation describes parts of a theoretical racoon.conf file.
It does not show an actual practical working example. As a result, I
still have no idea what I should put into racoon.conf in order to
achieve the above. From googling extensively, the "anonymous" section
seems to be significant, but no documentation tells me how these
sections are significant.

In addition, the gateway will need to somehow start up racoon as a
daemon, so that it can listen on port 500 and accept connections from
the road warrior. The documentation seems to indicate how to initiate
a session, but it does not indicate how to start up racoon as a
daemon. The ipsec-tools package does not include an init.d startup
script, nor is it listed by chkconfig. I as a user have no idea how to
start ipsec up.

If these shortcomings in the documentation could be fixed so as to
properly explain what to do (as opposed to just mention what can be
done) it will make the lives of normal administrators like me
significantly easier.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
xxx

Additional info:

Comment 1 Bill Nottingham 2004-06-29 05:14:07 UTC
Have you tried using the network configuration tool?

Comment 2 Graham Leggett 2004-06-29 10:39:35 UTC
Yes (in a test environment) - the network config tool ipsec
configuration is entirely undocumented. It asks for IP addresses and
netmasks without indicating which IP address or netmask it is asking
for (from experience with freeswan, I am aware that there are lots of
different options for this).

Typing in likely information in the hope of seeing where the data gets
placed in the ifcfg-ipsec0 file turned out to be a waste of time, as
redhat-config-network crashed on save because it could not handle the
fact that there was a file called ifcfg-lo.rpmsave in the
network-scripts directory, which is a separate bug that I'll file once
I get this VPN to work and our network back online.

But back to the original bug report: redhat-config-network is not a
substitute for incomplete and incorrect documentation, and in my case
one target machine is across town, the other target machine is on the
other side of the planet, and the text mode version of
redhat-config-network is a completely separate program that doesn't
operate anything like the gui version.


Comment 3 John Ha 2004-06-30 17:30:23 UTC
Thank you for your feedback. We apologize for any issues you may have
with the IPsec section of our documentation.

An IPsec connection is initialized using 'ifup', as noted in the
documentation. The 'racoon' daemon is automatically run as part of the
initialization of the connection. Refer to the bottom of the
/etc/sysconfig/network-scripts/ifup-ipsec file for details.

During our testing, the default racoon.conf file was used and not
modified from the original values. We are in the process of editing
this particular chapter of the Red Hat Enterprise Linux Security Guide
and will be sure to clarify those default settings of the racoon.conf
file.

From what I can gather, however, it appears that you want to link two
machines directly. That is, you are connecting your road warrior
machine directly to the gateway. If that is the case, a host-to-host
connection could serve your needs. 

That being said, I am not sure that IPsec can be configured (whether
network-to-network or host-to-host) using dynamic IP addresses without
some custom scripting solution on the gateway end to determine the
road warrior's IP address and establish the connection.

Thanks again for your report. I am closing this bug with the
resolution of NEXTRELEASE, as the details of the racoon.conf default
settings will be included in the next release of the Red Hat
Enterprise Linux Security Guide.
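
For readers arriving at this report with the same question, the following is an added example (not part of the bug thread, and not Red Hat's shipped or default racoon.conf) showing how the "anonymous" sections mentioned in the description fit a gateway that must accept a peer whose address is not known in advance. The certificate directory and file names are assumptions, as is a racoon build that supports these directives; the algorithm choices are typical of the period and should be raised where the installed version allows.

```conf
# Constructed gateway-side racoon.conf sketch. Paths and file names are assumptions.
path certificate "/etc/racoon/certs";

# "remote anonymous" is the phase 1 (IKE) block racoon falls back to for any
# peer that has no "remote <address>" block of its own. It is how a peer with
# a dynamic address is described, since no fixed address can be written here.
remote anonymous {
    exchange_mode main;
    passive on;              # gateway only answers negotiations, never initiates
    generate_policy on;      # build SPD entries from the peer's phase 2 proposal
    proposal_check strict;   # reject proposals weaker than the local settings
    my_identifier asn1dn;    # identify by the certificate's subject DN
    certificate_type x509 "gateway.crt" "gateway.key";
    verify_cert on;          # peer certificate must verify against a CA in the path above
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;   # certificates, so identity is not tied to an IP
        dh_group 2;
    }
}

# "sainfo anonymous" is the phase 2 (IPsec SA) counterpart: it applies to any
# pair of networks or hosts that has no more specific sainfo block.
sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Because generate_policy accepts the traffic selectors the peer proposes, it belongs only behind strong peer authentication, which is why this sketch uses certificates rather than a pre-shared key.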

