From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.2-1.3.1 StumbleUpon/1.9993 Firefox/1.0.4

Description of problem:
If you have two directly attached networks on server A that you want to IPSec tunnel to server B you would need two config files:

ifcfg-net1 (on server A):
    IKE_METHOD=PSK
    DSTNET=192.168.2.0/24
    SRCNET=192.168.1.0/24
    DST=1.2.3.4
    TYPE=IPSEC

Now, this works as it should (ignoring bug #146169 for a moment). But if you add this:

ifcfg-net2 (on server A):
    IKE_METHOD=PSK
    DSTNET=192.168.2.0/24
    SRCNET=10.10.10.0/24    <--- SRCNET changed
    DST=1.2.3.4
    TYPE=IPSEC

Now here is where you start to have problems. You can 'ifup net1' and then 'ifup net2' without problems. But then if you 'ifdown net1', ifdown-ipsec removes the "include /etc/racoon/$DST.conf" line from /etc/racoon/racoon.conf, which is still needed to support net2. Since racoon gets HUPped, bringing down the one interface immediately starts to cause problems for the second interface. There should be some mechanism to support this type of configuration.

Version-Release number of selected component (if applicable):
initscripts-7.93.11.EL-1

How reproducible:
Always

Steps to Reproduce:
1. Design tunnelled network as described above
2. ifup network1; ifup network2
3. ifdown network1
4. Try to access network2

Expected Results:
The RHEL IPSec implementation apparently supports this type of configuration without trouble. The configuration scripts should handle this cleanly.

Additional info:
Until such time as this and other IPSec related initscript bugs get fixed I've decided to set up GRE tunnels and run them over a host-to-host IPSec connection. I've tested it a little and it seems to work well. This might be an acceptable workaround for anyone else hitting this as a problem.
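The failure described in the report, reproduced as an added shell example that is not part of the bug or of the initscripts package. It builds the two ifcfg files from the report under a scratch directory (standing in for /etc/sysconfig/network-scripts and /etc/racoon), then compares the ifdown behaviour the reporter describes (the include line for $DST is dropped unconditionally) with a reference-counted variant that only drops the include once no other tunnel to the same peer is still up. The state directory of per-tunnel marker files and every function name here are this example's own assumptions; racoon itself is not run.

```shell
#!/bin/sh
# Added example, not initscripts code: reference-count the racoon include that
# several ifcfg-* IPsec configs share so that 'ifdown' of one tunnel does not
# remove the "include /etc/racoon/$DST.conf" line the other still needs.
# The scratch tree, the STATE marker directory and all function names are
# assumptions made for this demonstration.
set -u

WORK=$(mktemp -d)
NETSCRIPTS="$WORK/network-scripts"   # stands in for /etc/sysconfig/network-scripts
RACOON="$WORK/racoon"                # stands in for /etc/racoon
STATE="$WORK/ipsec-up"               # hypothetical: one marker file per tunnel that is up
mkdir -p "$NETSCRIPTS" "$RACOON" "$STATE"

# Constructed ifcfg files mirroring the report: two SRCNETs, one DST peer.
cat > "$NETSCRIPTS/ifcfg-net1" <<'EOF'
IKE_METHOD=PSK
DSTNET=192.168.2.0/24
SRCNET=192.168.1.0/24
DST=1.2.3.4
TYPE=IPSEC
EOF
cat > "$NETSCRIPTS/ifcfg-net2" <<'EOF'
IKE_METHOD=PSK
DSTNET=192.168.2.0/24
SRCNET=10.10.10.0/24
DST=1.2.3.4
TYPE=IPSEC
EOF

# Read KEY=value from an ifcfg file with sed instead of sourcing it, so a stray
# command in the file is never executed by the (root) network scripts.
ifcfg_get() { sed -n "s/^$2=//p" "$1" | head -n 1; }                 # ifcfg_get FILE KEY

include_line() { printf 'include "%s/%s.conf";\n' "$RACOON" "$1"; }   # include_line DST

reset_state() {  # fresh racoon.conf, no tunnels up
    printf 'path pre_shared_key "%s/psk.txt";\n' "$RACOON" > "$RACOON/racoon.conf"
    rm -f "$STATE"/*
}

ifup_ipsec() {   # ifup_ipsec NAME: add the peer include once, mark the tunnel up
    dst=$(ifcfg_get "$NETSCRIPTS/ifcfg-$1" DST)
    if ! grep -qxF "$(include_line "$dst")" "$RACOON/racoon.conf"; then
        include_line "$dst" >> "$RACOON/racoon.conf"
    fi
    touch "$STATE/$1"
}

# Number of *other* tunnels still up whose ifcfg names the same DST.
dst_refcount() { # dst_refcount DST EXCLUDED_NAME
    n=0
    for marker in "$STATE"/*; do
        [ -e "$marker" ] || continue
        name=${marker##*/}
        if [ "$name" != "$2" ] && [ "$(ifcfg_get "$NETSCRIPTS/ifcfg-$name" DST)" = "$1" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

drop_include() { # drop_include DST: remove the peer's include line from racoon.conf
    grep -vxF "$(include_line "$1")" "$RACOON/racoon.conf" > "$RACOON/racoon.conf.new" || :
    mv "$RACOON/racoon.conf.new" "$RACOON/racoon.conf"
}

# Behaviour the report describes: the include goes away whether or not net2 needs it.
ifdown_ipsec_reported() {
    dst=$(ifcfg_get "$NETSCRIPTS/ifcfg-$1" DST)
    rm -f "$STATE/$1"
    drop_include "$dst"
}

# Reference-counted variant: only the last tunnel to a peer removes its include.
ifdown_ipsec_refcounted() {
    dst=$(ifcfg_get "$NETSCRIPTS/ifcfg-$1" DST)
    rm -f "$STATE/$1"
    if [ "$(dst_refcount "$dst" "$1")" -eq 0 ]; then
        drop_include "$dst"
    fi
}

include_present() { grep -qxF "$(include_line "$1")" "$RACOON/racoon.conf"; }  # include_present DST

# Steps 2-3 of the report with the chosen ifdown; prints 1 if net2's include survived.
run_scenario() { # run_scenario ifdown_ipsec_reported | ifdown_ipsec_refcounted
    reset_state
    ifup_ipsec net1
    ifup_ipsec net2
    "$1" net1
    if include_present 1.2.3.4; then echo 1; else echo 0; fi
}

echo "reported:   include kept after ifdown net1 = $(run_scenario ifdown_ipsec_reported)"
echo "refcounted: include kept after ifdown net1 = $(run_scenario ifdown_ipsec_refcounted)"
```

The scratch tree is left under the mktemp directory for inspection; the refcount walk reads DST straight from each ifcfg file rather than caching it, so a config edited while its tunnel is up is still counted against the peer it now names.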
Thanks for filing this report. I'm marking this bug as ASSIGNED since it's correctly assigned to me. However, this isn't very high in my priority queue, and is unlikely to get fixed in the very near future. If this issue is important to you, please contact Red Hat Support to get it escalated. Apologies for the inconvenience.
initscripts in Fedora development will support specifying KEYING=automatic without IKE_* to indicate the racoon configuration is managed manually and the scripts shouldn't touch racoon.conf.
Closing as WONTFIX for RHEL 4; this is unlikely to ever change for RHEL 4, but it's fixed in later releases.