Description of problem:
Installing an IPsec connection between two hosts with manual keys is not possible with the dialogs. The problem is that s-c-n (for good reasons!) uses different keys for both directions. Setting up the first host is nice and easy. Select the host-to-host configuration, and generate AH/ESP keys. This data can be stored. But what to do on the other side? It is not correct to copy&paste the keys generated on the first host since this would result in exactly the same ifcfg-* file as on the first host. The correct form needs the SPI_*_IN variables to be renamed SPI_*_OUT and vice versa. The input of the one side is the output of the other side.

Version-Release number of selected component (if applicable):
system-config-network-1.3.22-1

How reproducible:
always

Steps to Reproduce:
1. edit new IPsec connection
2. generate new keys on one system
3. try to set up the other side on a second system

Actual results:
cannot be done

Expected results:
working IPsec connection

Additional info:
I don't have a patch. And solving this might create a hard-to-use GUI. Perhaps a reasonable solution would be to add a select box labeled "reverse connection" or so which, if selected, would perhaps do the aforementioned _IN/_OUT renaming.

I also ran into this problem and agree with Ulrich's summary. Though it looks to me like the problem is in redhat-config-network-tui-1.2.63-1. You can fix the connection by manually editing one of the generated ifcfg- files and swapping the SPI_*_IN with SPI_*_OUT. But redhat-config-network is eager to overwrite that file, so it's a fairly fragile workaround. One possibly workable automatic solution is to compare the local/remote IP addresses in redhat-config-network. If local < remote then swap the IN/OUT in the ifcfg file, otherwise don't. Doesn't deal with the case where local=remote, which one might conceivably want to use for testing purposes or something, but that's likely to be rare.
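
The following sketch is an added example, not part of either comment and not code from system-config-network. It applies the two ideas discussed above to the text of a generated ifcfg file: the SPI_*_IN/SPI_*_OUT renaming, and the "swap if local < remote" rule, with addresses compared numerically and the local=remote case rejected. The function names and the sample file contents are constructed for illustration.

```python
import ipaddress
import re

# Matches directional SPI assignments such as SPI_AH_IN=0x200.
_DIRECTIONAL = re.compile(r"^(\s*)(SPI_[A-Z0-9]+)_(IN|OUT)(\s*=.*)$")

def mirror_ifcfg(text):
    """Rename every SPI_*_IN to SPI_*_OUT and vice versa; other lines pass through."""
    out = []
    for line in text.splitlines():
        m = _DIRECTIONAL.match(line)
        if m:
            indent, stem, direction, rest = m.groups()
            flipped = "OUT" if direction == "IN" else "IN"
            line = f"{indent}{stem}_{flipped}{rest}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")

def should_swap(local, remote):
    """Rule from the comment above: swap when local < remote.
    Numeric comparison, so 192.0.2.9 < 192.0.2.10 (a string compare gets this wrong).
    Mixed IPv4/IPv6 pairs raise TypeError from the ipaddress module."""
    l, r = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    if l == r:
        raise ValueError("local == remote: direction cannot be derived from addresses")
    return l < r

def render_for_host(generated, local, remote):
    """Both hosts start from the same generated text; exactly one of them mirrors it."""
    return mirror_ifcfg(generated) if should_swap(local, remote) else generated

def parse_vars(text):
    """Collect NAME=value pairs, ignoring comments and blank lines."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

# Constructed sample: SPI values are made up, not taken from a real host.
SAMPLE = """\
TYPE=IPSEC
ONBOOT=yes
SPI_AH_IN=0x200
SPI_AH_OUT=0x201
SPI_ESP_IN=0x300
SPI_ESP_OUT=0x301
"""

if __name__ == "__main__":
    print(render_for_host(SAMPLE, "192.0.2.1", "192.0.2.2"), end="")
```

Only the variable names change, so settings that legitimately differ per host (such as the peer address) still have to be set separately on each side.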