configuring an IPSEC tunnel, Fedora Core 3 to remote router
Aleksandar Milivojevic
amilivojevic at pbl.ca
Thu May 12 21:19:27 UTC 2005
David Cary Hart wrote:
> On Thu, 2005-05-12 at 15:13 -0500, Phillip T. George wrote:
>
>>Harlan Feinstein wrote:
>>
>
>
>> From the menu... "System Settings -> Network"
>>Direct command: /usr/bin/system-config-network
>>
>>There should be an ipsec or VPN tab.
>>
>
> It's there. Now if you could get it to work . . .
Just make sure you select "manual encryption with a fixed key" when
prompted for encryption mode, and it will work. Also, check on bugzilla
if bug #146169 is applicable for your version of initscripts (it's
against RHEL3, but later distributions are problematic too). If it is,
you'll need to edit two scripts in /etc/sysconfig/network-scripts
manually (there are also ready-to-use patches attached to the bug report).
Automatic keying doesn't work for whatever strange reason (either
problem with Racoon or configuration that system-config-network
generates). So don't attempt to use it. I was struggling to get it to
work for some time now. In vain.
You might want to manually remove all traces of any old configs you
created. Shut down IPSec "interfaces" you created. Kill racoon if it
is running. "setkey -F; setkey -FP" to get rid of old SAD and SPD
entries that Racoon created (check with setkey -D, and setkey -DP that
they are removed). Remove any config files (IP address in name) from
/etc/racoon that ifup-ipsec script created. Edit racoon.conf and remove
any include statements.
When creating the configuration for the other side of the tunnel, you need
to use exactly the same keys for AH and ESP, and to reverse IN/OUT for the SPI
entries (for example, SPI_AH_IN on host-a must be set to the same value
as SPI_AH_OUT on host-b, and likewise for the other three entries).
The problem with the tool is that it creates random numbers for the SPI_*
entries, and does not allow you to enter them. When you change them
manually in ifcfg-* files, they get overwritten with old values next
time system-config-network is used. Not sure where the tool stores
randomly generated values.... So you might wish to create ifcfg-* file
with the tool, copy it to safe place, remove the configuration using the
tool, and move the file back in place until this is fixed...
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
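The mirroring rule from the post (same AH/ESP keys on both hosts, SPI_*_IN and SPI_*_OUT reversed on the peer) as an added shell example; this is not code from the original post or from the initscripts package. It assumes the ifcfg-ipsec file uses the KEY_AH, KEY_ESP, SRC, DST, SRCNET and DSTNET names (only the SPI_* names appear in the post), and the sample file, addresses and all-zero keys are constructed placeholders.

```shell
#!/bin/sh
# Derive host-b's ifcfg-ipsec file from host-a's and verify the pair agrees.

# Print a mirrored copy of an ifcfg-ipsec file: keys and protocols are kept,
# SPI_*_IN <-> SPI_*_OUT, SRC <-> DST and SRCNET <-> DSTNET are swapped.
mirror_ipsec_cfg() {
    awk -F= 'BEGIN {
            OFS = "="
            split("SPI_AH_IN SPI_AH_OUT SPI_ESP_IN SPI_ESP_OUT SRC DST SRCNET DSTNET", p, " ")
            for (i = 1; i <= 8; i += 2) { swap[p[i]] = p[i+1]; swap[p[i+1]] = p[i] }
        }
        ($1 in swap) { $1 = swap[$1] }   # rename the key, keep the value
        { print }' "$1"
}

# cfg_get FILE KEY -> value of KEY (last assignment wins, empty if absent)
cfg_get() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Return 0 only if two peer files satisfy the post's rule: identical AH/ESP
# keys, and every SPI_*_IN on one side equals SPI_*_OUT on the other.
ipsec_peer_consistent() {
    a=$1; b=$2
    [ "$(cfg_get "$a" KEY_AH)"  = "$(cfg_get "$b" KEY_AH)" ]  || return 1
    [ "$(cfg_get "$a" KEY_ESP)" = "$(cfg_get "$b" KEY_ESP)" ] || return 1
    for p in AH ESP; do
        [ "$(cfg_get "$a" SPI_${p}_IN)"  = "$(cfg_get "$b" SPI_${p}_OUT)" ] || return 1
        [ "$(cfg_get "$a" SPI_${p}_OUT)" = "$(cfg_get "$b" SPI_${p}_IN)" ]  || return 1
    done
}

# Constructed sample for host-a (addresses and keys are placeholders, not real).
WORK=$(mktemp -d)
cat > "$WORK/ifcfg-ipsec-a" <<'EOF'
# constructed host-a config; peer is host-b
IKE_METHOD=manual
SRC=10.0.0.1
DST=10.0.0.2
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
SPI_AH_IN=0x1001
SPI_AH_OUT=0x1002
SPI_ESP_IN=0x2001
SPI_ESP_OUT=0x2002
KEY_AH=0x0000000000000000000000000000000000000000
KEY_ESP=0x000000000000000000000000000000000000000000000000
EOF
mirror_ipsec_cfg "$WORK/ifcfg-ipsec-a" > "$WORK/ifcfg-ipsec-b"
```

Run ipsec_peer_consistent against the two files before bringing the tunnel up; it catches the common mistake of copying host-a's file to host-b unchanged.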