configuring an IPSEC tunnel, Fedora Core 3 to remote router

Aleksandar Milivojevic amilivojevic at pbl.ca
Thu May 12 21:19:27 UTC 2005


David Cary Hart wrote:
> On Thu, 2005-05-12 at 15:13 -0500, Phillip T. George wrote:
> 
>>Harlan Feinstein wrote:
>>
> 
> 
>>From the menu... "System Settings -> Network"
>>Direct command: /usr/bin/system-config-network
>>
>>There should be an ipsec or VPN tab.
>>
> 
> It's there. Now if you could get it to work . . . 

Just make sure you select "manual encryption with a fixed key" when 
prompted for encryption mode, and it will work.  Also, check on bugzilla 
if bug #146169 is applicable for your version of initscripts (it's 
against RHEL3, but later distributions are problematic too).  If it is, 
you'll need to edit two scripts in /etc/sysconfig/network-scripts 
manually (there are also ready-to-use patches attached to the bug report).

Automatic keying doesn't work for whatever strange reason (either 
problem with Racoon or configuration that system-config-network 
generates).  So don't attempt to use it.  I was struggling to get it to 
work for some time now.  In vain.

You might want to manually remove all traces of any old configs you 
created.  Shut down IPSec "interfaces" you created.  Kill racoon if it 
is running.  "setkey -F; setkey -FP" to get rid of old SAD and SPD 
entries that Racoon created (check with setkey -D, and setkey -DP that 
they are removed).  Remove any config files (IP address in name) from 
/etc/racoon that ifup-ipsec script created.  Edit racoon.conf and remove 
any include statements.

When creating configuration for the other side of the tunnel, you need 
to use exactly the same keys for AH and ESP, and to reverse IN/OUT for SPI 
entries (for example SPI_AH_IN on host-a must be set to the same value 
as SPI_AH_OUT on host-b, likewise for the other three entries).

The problem with the tool is that it creates random numbers for the SPI_* 
entries, and does not allow you to enter them.  When you change them 
manually in ifcfg-* files, they get overwritten with old values next 
time system-config-network is used.  Not sure where the tool stores 
randomly generated values....  So you might wish to create ifcfg-* file 
with the tool, copy it to a safe place, remove the configuration using the 
tool, and move the file back in place until this is fixed...

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
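The mirroring and checking steps from the message above, as an added example that is not part of the thread and not initscripts or system-config-network code. It assumes the ifcfg-ipsec variable names used by ifup-ipsec for manual keying (SPI_AH_IN/OUT, SPI_ESP_IN/OUT, KEY_AH_IN/OUT, KEY_ESP_IN/OUT, DST, SRCNET/DSTNET, SRCGW/DSTGW); the sample file, addresses, SPIs and keys are constructed placeholders. `mirror_ifcfg` builds host-b's file from host-a's by swapping the SPI IN/OUT entries and keeping the keys identical, `check_pair` verifies that two files actually form a matching pair (the mismatch you get when each host keeps its own randomly generated SPIs), and `ipsec_flush_check` wraps the setkey flush-and-verify step (needs root and ipsec-tools, so the demo does not call it).

```shell
#!/bin/sh
# Added example (not initscripts or system-config-network code). Variable names
# are assumed to follow the ifup-ipsec manual-keying convention:
#   SPI_AH_IN/OUT, SPI_ESP_IN/OUT, KEY_AH_IN/OUT, KEY_ESP_IN/OUT,
#   DST (peer address), SRCNET/DSTNET, SRCGW/DSTGW.

# Print the value of variable $2 from ifcfg file $1 (first match; empty if absent).
ifcfg_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Read host-a's ifcfg on stdin and write host-b's to stdout.
# SPI_*_IN <-> SPI_*_OUT, SRCNET <-> DSTNET and SRCGW <-> DSTGW are swapped;
# DST becomes host-a's address ($1); KEY_* lines are copied unchanged because
# both ends must use exactly the same keys; everything else passes through.
mirror_ifcfg() {
    awk -v newdst="$1" '
        /^SPI_(AH|ESP)_IN=/  { sub(/_IN=/,  "_OUT="); print; next }
        /^SPI_(AH|ESP)_OUT=/ { sub(/_OUT=/, "_IN=");  print; next }
        /^SRCNET=/           { sub(/^SRCNET=/, "DSTNET="); print; next }
        /^DSTNET=/           { sub(/^DSTNET=/, "SRCNET="); print; next }
        /^SRCGW=/            { sub(/^SRCGW=/,  "DSTGW=");  print; next }
        /^DSTGW=/            { sub(/^DSTGW=/,  "SRCGW=");  print; next }
        /^DST=/              { print "DST=" newdst; next }
                             { print }
    '
}

# Return 0 if ifcfg files $1 (host-a) and $2 (host-b) form a valid manual-key
# pair: every SPI_*_IN and KEY_*_IN on one side must equal the matching
# SPI_*_OUT / KEY_*_OUT on the other. Each mismatch is reported on stderr.
check_pair() {
    rc=0
    for p in AH ESP; do
        for kind in SPI KEY; do
            for dir in IN OUT; do
                case $dir in IN) other=OUT ;; *) other=IN ;; esac
                a=$(ifcfg_get "$1" "${kind}_${p}_${dir}")
                b=$(ifcfg_get "$2" "${kind}_${p}_${other}")
                if [ -z "$a" ] || [ "$a" != "$b" ]; then
                    echo "mismatch: ${kind}_${p}_${dir} in $1 vs ${kind}_${p}_${other} in $2" >&2
                    rc=1
                fi
            done
        done
    done
    return $rc
}

# Flush leftover SAD/SPD entries (e.g. ones racoon created) and confirm they
# are gone. Needs root and ipsec-tools; the demo below does not call it.
ipsec_flush_check() {
    setkey -F && setkey -FP || return 1
    setkey -D | grep -q 'No SAD entries' && setkey -DP | grep -q 'No SPD entries'
}

# Constructed sample of host-a's file (made-up addresses, SPIs and keys).
WORK=$(mktemp -d)
A="$WORK/ifcfg-ipsec0.host-a"
B="$WORK/ifcfg-ipsec0.host-b"
cat > "$A" <<'EOF'
TYPE=IPSEC
ONBOOT=yes
DST=203.0.113.2
SRCNET=192.0.2.0/24
DSTNET=198.51.100.0/24
AH_PROTO=hmac-sha1
ESP_PROTO=3des-cbc
SPI_AH_IN=0x1001
SPI_AH_OUT=0x1002
SPI_ESP_IN=0x2001
SPI_ESP_OUT=0x2002
KEY_AH_IN=0x00112233445566778899aabbccddeeff00112233
KEY_AH_OUT=0x00112233445566778899aabbccddeeff00112233
KEY_ESP_IN=0x000102030405060708090a0b0c0d0e0f1011121314151617
KEY_ESP_OUT=0x000102030405060708090a0b0c0d0e0f1011121314151617
EOF
mirror_ifcfg 203.0.113.1 < "$A" > "$B"

# An unmodified copy stands in for a peer file whose SPIs were never reversed;
# check_pair must reject it.
cp "$A" "$WORK/ifcfg-ipsec0.unreversed"

if check_pair "$A" "$B"; then echo "host-a/host-b pair is consistent"; fi
if check_pair "$A" "$WORK/ifcfg-ipsec0.unreversed" 2>/dev/null; then
    echo "unexpected: unreversed pair accepted"
else
    echo "unreversed copy correctly rejected"
fi
```

Usage: `mirror_ifcfg <host-a-address> < ifcfg-ipsec0 > ifcfg-ipsec0.host-b`, then `check_pair ifcfg-ipsec0 ifcfg-ipsec0.host-b` before copying the second file to host-b; rerun `check_pair` after any visit to system-config-network, since that is when the tool silently restores its own SPI values.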