Re: configuring an IPSEC tunnel, Fedora Core 3 to remote router

David Cary Hart wrote:
On Thu, 2005-05-12 at 15:13 -0500, Phillip T. George wrote:

Harlan Feinstein wrote:
From the menu... "System Settings -> Network"
Direct command: /usr/bin/system-config-network

There should be an ipsec or VPN tab.
It's there. Now if you could get it to work . . .

Just make sure you select "manual encryption with a fixed key" when prompted for encryption mode, and it will work. Also, check on bugzilla if bug #146169 is applicable for your version of initscripts (it's against RHEL3, but later distributions are problematic too). If it is, you'll need to edit two scripts in /etc/sysconfig/network-scripts manually (there are also ready-to-use patches attached to the bug report).

Automatic keying doesn't work for whatever strange reason (either a problem with Racoon or the configuration that system-config-network generates). So don't attempt to use it. I was struggling to get it to work for some time now. In vain.

You might want to manually remove all traces of any old configs you created. Shut down IPSec "interfaces" you created. Kill racoon if it is running. "setkey -F; setkey -FP" to get rid of old SAD and SPD entries that Racoon created (check with setkey -D, and setkey -DP that they are removed). Remove any config files (IP address in name) from /etc/racoon that ifup-ipsec script created. Edit racoon.conf and remove any include statements.

When creating the configuration for the other side of the tunnel, you need to use exactly the same keys for AH and ESP, and to reverse IN/OUT for the SPI entries (for example SPI_AH_IN on host-a must be set to the same value as SPI_AH_OUT on host-b, likewise for the other three entries).

The problem with the tool is that it creates random numbers for the SPI_* entries, and does not allow you to enter them. When you change them manually in ifcfg-* files, they get overwritten with the old values next time system-config-network is used. Not sure where the tool stores the randomly generated values... So you might wish to create the ifcfg-* file with the tool, copy it to a safe place, remove the configuration using the tool, and move the file back in place until this is fixed...

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
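The mirroring described in the reply above (same keys on both ends, SPI IN/OUT reversed for the peer) is easy to get wrong by hand, so here is an added shell example that is not from this list post or from Fedora's own network-scripts. It reads a host-a ifcfg-ipsec* file and emits host-b's counterpart, then checks that the two files really cross over. Only SPI_AH_IN and SPI_AH_OUT are named in the message; the other variable names (SRC, DST, SPI_ESP_*, KEY_AH_*, KEY_ESP_*, IKE_METHOD and so on) are assumptions modelled on the ifcfg-ipsec layout, and the sample file, its addresses, SPIs and keys are constructed placeholders. Keys are swapped along with the SPIs so that each direction's SA matches; when the tool wrote the same key for both directions, as the message describes, that swap changes nothing.

```shell
#!/bin/sh
# Added example: mirror a manual-keying ifcfg-ipsec* file for the peer host.
# Variable names other than SPI_AH_IN/SPI_AH_OUT are assumptions about the
# ifcfg-ipsec layout; the sample values below are constructed placeholders.

# Write a constructed host-a configuration to the path given as $1.
write_sample_cfg() {
    cat > "$1" <<'EOF'
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=manual
SRC=192.0.2.10
DST=198.51.100.20
AH_PROTO=hmac-sha1
ESP_PROTO=3des-cbc
SPI_AH_IN=0x1001
SPI_AH_OUT=0x1002
SPI_ESP_IN=0x2001
SPI_ESP_OUT=0x2002
KEY_AH_IN=0x0123456789abcdef0123456789abcdef01234567
KEY_AH_OUT=0x0123456789abcdef0123456789abcdef01234567
KEY_ESP_IN=0x00112233445566778899aabbccddeeff0011223344556677
KEY_ESP_OUT=0x00112233445566778899aabbccddeeff0011223344556677
EOF
}

# Read host-a's file on stdin, write host-b's mirror on stdout:
#  - SRC*/DST* (SRC, SRCNET, SRCGW, ...) swap roles
#  - SPI_*_IN <-> SPI_*_OUT and KEY_*_IN <-> KEY_*_OUT swap direction
#  - every other line is copied through unchanged
mirror_ipsec_cfg() {
    awk -F= '
    /^[A-Z_]+=/ {
        name = $1
        rest = substr($0, length(name) + 2)
        if (name ~ /^SRC/)                          name = "DST" substr(name, 4)
        else if (name ~ /^DST/)                     name = "SRC" substr(name, 4)
        else if (name ~ /^(SPI|KEY)_(AH|ESP)_IN$/)  sub(/_IN$/, "_OUT", name)
        else if (name ~ /^(SPI|KEY)_(AH|ESP)_OUT$/) sub(/_OUT$/, "_IN", name)
        print name "=" rest
        next
    }
    { print }
    '
}

# Print the value of variable $2 from ifcfg file $1 (first match only).
cfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Succeed only if file $2 is the peer of file $1: for AH and ESP, every
# inbound SPI/key on one side must equal the outbound SPI/key on the other.
check_mirror() {
    a=$1
    b=$2
    for proto in AH ESP; do
        for kind in SPI KEY; do
            [ "$(cfg_get "$a" "${kind}_${proto}_IN")"  = "$(cfg_get "$b" "${kind}_${proto}_OUT")" ] || return 1
            [ "$(cfg_get "$a" "${kind}_${proto}_OUT")" = "$(cfg_get "$b" "${kind}_${proto}_IN")" ]  || return 1
        done
    done
    return 0
}

# Usage (stand-alone run): build the sample, mirror it, and verify the pair.
if [ "${0##*/}" != "sh" ] && [ -z "$IPSEC_MIRROR_NO_DEMO" ]; then
    dir=$(mktemp -d)
    write_sample_cfg "$dir/ifcfg-ipsec0"
    mirror_ipsec_cfg < "$dir/ifcfg-ipsec0" > "$dir/ifcfg-ipsec0.peer"
    if check_mirror "$dir/ifcfg-ipsec0" "$dir/ifcfg-ipsec0.peer"; then
        echo "peer file is a consistent mirror:"
        cat "$dir/ifcfg-ipsec0.peer"
    else
        echo "mirror check FAILED" >&2
    fi
    rm -rf "$dir"
fi
```

Keep the original file in a safe place as the message suggests and regenerate the peer file from it; `check_mirror` is also handy after any manual edit of the SPI_* lines, since a single mismatched SPI silently breaks one direction of the tunnel.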
