Fedora Core, VPNs and IPSec

Matthias Saou thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net
Tue Oct 5 16:03:22 UTC 2004 

Hi,

Here's another recurring topic about something pretty much broken all over
the place, but that IMHO should be as easy to configure as possible, and as
fast as possible to get working. No, not ACPI :-) Virtual Private Networks!
;-)
Until now, I had only once the need to configure a VPN, between only 3
points, and all went pretty well between Red Hat Linux 7.3 and 9 servers
using cipe, as that was the included alternative at the time. I kind of
liked having cipcb interfaces show up as P-t-P and do all my routing over
that, and must say I got used to it enough to be really confused when I had
to consider setting up VPNs with Fedora Core...

The first thing I tried, as I have to interoperate with the existing VPN
was to add CIPE support to a Fedora Core system... after many oopses and
kernel panics, I gave up and decided to move on to checking out IPSec,
which I hadn't done in a long time! To my great surprise, no more
(super)freeswan.org/.ca mess with/without x509 certificates, it's now all
in openswan, which is part of Fedora Core, "great" I thought! But then I
went digging... I found out how broken the config parser was, also how
easy it was to "cut the branch I was sitting on"... and how hard it was to
debug.

Then I tried to figure the link between ipsec-tools and openswan (which
Requires: them...), and I must say that I still can't find any. They seem
to be both two parallel userspace sets of tools that use the same kernel
crypto layer to operate... and after following the nice howto on
http://www.ipsec-howto.org/ and finding solutions to my problems as I went
forward on kame.net's mailing-list archives, I must say racoon and setkey
are really soooooooo much easier to use! I've now got two test machines
tunneling two networks between each other after just generating a few
certificates and editing a couple of configuration files, and it should be
just as easy for roadwarriors, neato!

So, my question is : Which is the preferred IPSec set of tools for Fedora
Core? Is it planned to move IPSec's integration a little forward, into the
Network config tools for instance?
If anyone with more *swan/kame/etc. knowledge can give me a little light on
this, I'd really appreciate, as I still don't know if I've chosen the good
direction. If ipsec-tools are there to stay, should I eventually do some
quick tweaking to add an init script for it?

Matthias

-- 
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora Core release 2.91 (FC3 Test 2) - Linux kernel 2.6.8-1.521.dell
Load : 0.19 0.64 0.59

More information about the devel mailing list