From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.2-1.3.1 StumbleUpon/1.9993 Firefox/1.0.4

Description of problem:
If you have two directly attached networks on server A that you want to IPSec tunnel to server B you would need two config files:

ifcfg-net1 (on server A):
IKE_METHOD=PSK
DSTNET=192.168.2.0/24
SRCNET=192.168.1.0/24
DST=1.2.3.4
TYPE=IPSEC

Now, this works as it should (ignoring bug #146169 for a moment).

But if you add this:
ifcfg-net2 (on server A):
IKE_METHOD=PSK
DSTNET=192.168.2.0/24
SRCNET=10.10.10.0/24  <--- SRCNET changed
DST=1.2.3.4
TYPE=IPSEC

Now here is where you start to have problems.  You can 'ifup net1' and then 'ifup net2' without problems.  But then if you 'ifdown net1' then ifdown-ipsec removes the "include /etc/racoon/$DST.conf" line from /etc/racoon/racoon.conf which is still needed to support net2.

Since racoon get's HUPped, bringing down the one interface immediately starts to cause problems for the second interface.

There should be some mechanism to support this type of configuration.

Version-Release number of selected component (if applicable):
initscripts-7.93.11.EL-1

How reproducible:
Always

Steps to Reproduce:
1. Design tunnelled network as described above
2. ifup network1; ifup network2
3. ifdown network1
4. Try to access network2


Expected Results:  The RHEL IPSec implementation apparently supports this type of configuration without trouble.  The configuration scripts should handle this cleanly.

Additional info:

Until such time as this and other IPSec related initscript bugs gets fixed I've decided to setup GRE tunnels and run them over a host-to-host IPSec connection.  I've tested it a little and it seems to work well.  This might be an acceptable workaround for anyone else hitting this as a problem.