On Tue, 2006-02-21 at 12:12 +0200, Väisänen Teemu wrote:
> Hi all.
> I have
> ipsec-tools-0.5-4 in Fedora core 4 machine installed from
> ipsec-tools-0.5-4.i386.rpm
> and
> ipsec-tools-0.5-2.fc3 in Fedora core 3 machine installed from
> ipsec-tools-0.5-2.fc3.i386.rpm
> Should I be able to establish IPsec connection between these two
> machines/versions?

You certainly should (with one NASTY proviso). You can even connect between IPSec Tools (Racoon) and OpenSWAN (Pluto) on various distros and other systems (*BSD, Solaris, Cisco, etc). Note that on the 2.6 kernel, OpenSWAN is using the "setkey" utility from IPSec Tools, so the only difference is the IKE keying daemon (Racoon in IPSec Tools, and Pluto in OpenSWAN) and the configuration files.

I'm actually playing with a mixed environment, right now, of rh7.3, FC1, FC3, and FC4 (and soon with FC5T3) with OpenSWAN on the 2.4 kernels and a mix of OpenSWAN and IPSec Tools on various 2.6 kernels (no klips on the 2.6 kernels, though, just native ESP). They all seem to play nice with each other...

The nasty proviso that bit me in the ass was figuring out WHY racoon kept bombing out on me during initial negotiations (OpenSWAN was working fine on that same system). That was every version of IPSec tools I tried on FC4, rpm or hand-rolled. It would get to the identity phase and blow a core ball. A foreground verbose run of racoon (-v -F) gave me an error about "unable to open /dev/cryptonet" followed immediately by a segfault. A little googling revealed someone with a similar problem with stunnel. Turned out that we both had hwcrypto installed but had no hardware crypto devices. That was causing the problem. Removing the hwcrypto rpm eliminated the segfaulting in racoon. Don't know when this first started appearing but it was not occurring when I was experimenting with racoon last year (just started playing around with it again this week).

> If I update ipsec-tools versions to same in both machines, what
> version should I try?
I'm running 0.6.5 from the IPSec Tools project. I manually built the package and installed it. I felt like the 0.5 version was just way too far out of date with some of the discussions up on the IPSec Tools list. If you build from scratch, be sure to include "--enable-natt" if you want to be able to use UDP encapsulation. Why that's not the default, I don't know, but it gave me fits until I realized it hadn't been built into my builds (rpms seemed fine).

I would be a little leery about anything prior to that, though. There were some DoS problems in some IKE versions.

> For Fedora there is ipsec-tools-0.6.4-1.1.i386.rpm, does it work only
> in development version of Fedora?

That's strange... I only see 0.6.3-1.1 in development. I may try that just for giggles, if I can find 0.6.4. I don't think there were any major gotchas between 0.6.4 and 0.6.5, other than some problems with /32 netmasks.

> Thank you for any answers!
> -Teemu Väisänen

Mike
--
Michael H. Warfield (AI4NB)     | (770) 985-6132 | mhw@xxxxxxxxxxxx
/\/\|=mhw=|\/\/                 | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9                 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471             | possible worlds. A pessimist is sure of it!
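The two pitfalls Mike describes above, a racoon that segfaults right after "unable to open /dev/cryptonet" because the hwcrypto package is installed with no hardware crypto device behind it, and a hand-built racoon that cannot do UDP encapsulation because --enable-natt was left out, are cheap to check before the first negotiation. The script below is an added example for this archive page, not code from the thread or from the ipsec-tools project. The function names, the sample log lines and the sample racoon.conf fragments are constructed here; the log strings it greps for ("ISAKMP-SA established", "IPsec-SA established") and the racoon.conf keywords (isakmp_natt in listen{}, nat_traversal in remote{}) are racoon's own, and the package name hwcrypto and device /dev/cryptonet are taken from the message.

```shell
#!/bin/sh
# Added example (not from the thread or the ipsec-tools project): a preflight
# check for a racoon host covering the two gotchas discussed above.
# Function names, sample logs and sample configs are constructed for this
# example; the racoon log strings and racoon.conf keywords are the real ones.

# 1. Classify a foreground racoon run (racoon -v -F, output captured and
#    fed on stdin). Prints "hwcrypto" for the /dev/cryptonet failure that
#    precedes the segfault, "ok" once both IKE phases completed, else
#    "unknown".
classify_racoon_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'unable to open /dev/cryptonet'; then
        echo hwcrypto
    elif printf '%s\n' "$log" | grep -q 'ISAKMP-SA established' &&
         printf '%s\n' "$log" | grep -q 'IPsec-SA established'; then
        echo ok
    else
        echo unknown
    fi
}

# 2. The hwcrypto combination: package installed, no device node present.
#    Returns 0 when safe, 1 when racoon is likely to die as described above.
#    Assumption: package name hwcrypto and device /dev/cryptonet, as in the
#    message; on a host without rpm the check is simply skipped.
hwcrypto_risk() {
    if command -v rpm >/dev/null 2>&1 && rpm -q hwcrypto >/dev/null 2>&1 \
       && [ ! -c /dev/cryptonet ]; then
        echo 'hwcrypto installed but /dev/cryptonet is absent; try: rpm -e hwcrypto' >&2
        return 1
    fi
    return 0
}

# 3. UDP encapsulation needs a racoon built with --enable-natt AND a config
#    that listens on UDP 4500 (isakmp_natt in listen{}) and enables
#    nat_traversal in remote{}. This checks the config half, reading
#    racoon.conf on stdin: 0 = both present, 1 = something is missing.
natt_config_ok() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*isakmp_natt[[:space:]]' || return 1
    printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*nat_traversal[[:space:]]+(on|force)[[:space:]]*;' || return 1
    return 0
}

# Constructed samples: roughly what the failing FC4 run and a healthy run
# look like in racoon's foreground log (timestamps and SPIs made up).
BAD_LOG='2006-02-21 12:30:01: INFO: @(#)ipsec-tools 0.5 (http://ipsec-tools.sourceforge.net)
2006-02-21 12:30:01: ERROR: unable to open /dev/cryptonet
Segmentation fault'
GOOD_LOG='2006-02-21 12:31:07: INFO: ISAKMP-SA established 192.0.2.1[500]-192.0.2.2[500] spi:0123456789abcdef:fedcba9876543210
2006-02-21 12:31:08: INFO: IPsec-SA established: ESP/Tunnel 192.0.2.2[0]->192.0.2.1[0] spi=12345(0x3039)'

# Constructed racoon.conf fragments: one ready for NAT-T, one not.
NATT_CONF='listen {
    isakmp 192.0.2.1 [500];
    isakmp_natt 192.0.2.1 [4500];
}
remote anonymous {
    exchange_mode main;
    nat_traversal on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}'
PLAIN_CONF='listen {
    isakmp 192.0.2.1 [500];
}
remote anonymous {
    exchange_mode main;
    nat_traversal off;
}'

echo "bad log    -> $(printf '%s\n' "$BAD_LOG" | classify_racoon_log)"
echo "good log   -> $(printf '%s\n' "$GOOD_LOG" | classify_racoon_log)"
printf '%s\n' "$NATT_CONF" | natt_config_ok && echo "natt conf  -> NAT-T configured"
printf '%s\n' "$PLAIN_CONF" | natt_config_ok || echo "plain conf -> NAT-T not configured"
hwcrypto_risk || echo "this host  -> hwcrypto risk"
```

On a real host, capture the log with `racoon -v -F 2>&1 | tee /tmp/racoon.log` and feed it to classify_racoon_log; a "hwcrypto" verdict means the fix is on the package side, not in racoon.conf. The config check only proves the configuration asks for NAT-T; whether the binary can honour it still depends on the build having been done with --enable-natt.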