Fedora Core, VPNs and IPSec
Felipe Alfaro Solana
felipe_alfaro at linuxmail.org
Tue Oct 5 17:16:52 UTC 2004
On Oct 5, 2004, at 18:03, Matthias Saou wrote:
> So, my question is: Which is the preferred IPSec set of tools for Fedora
> Core? Is it planned to move IPSec's integration a little forward, into the
> Network config tools for instance?
I would go with ipsec-tools... I haven't used openswan, so I can't
tell, and I don't know if it will be supported in the near future.
Anyways, ipsec-tools has support for:
- manually keyed IPSec SA, by invoking "setkey" manually
- PSK (pre-shared keys) or X.509-based SA, by using the "racoon" IKE/ISAKMP daemon
I have always limited myself to manually keyed ESP/AH SA on my side by
manually creating the SA and filling in the SPD invoking "setkey"
manually. In the past, I had problems with "racoon" and the Linux
kernel: when a packet forced a SA to be negotiated for the very first
time, the kernel always failed to queue that packet, waiting for the SA
to be established, and then sending the packet through the link using
ESP, AH or whatever protocol was negotiated. Instead, the kernel would
return the -EAGAIN error to userspace (resource temporarily
unavailable), which caused problems.
For example, the first "ping" ICMP echo request packet forces the SA to
be negotiated, but also fails with an -EAGAIN error. "pinging" again,
once the SA has been established, works like a charm.
I don't know if this has already been fixed, though.
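For readers who have not seen what "manually creating the SA and filling in the SPD" with setkey looks like, here is an added example of a setkey script for a manually keyed ESP transport-mode association between two hosts. It is not code from the original message or from the ipsec-tools project; the addresses (10.0.0.1 and 10.0.0.2), the SPIs (0x201, 0x301) and the hex keys are constructed placeholders, and the same file, with the src/dst roles kept as written, is loaded on both peers with `setkey -f /etc/setkey.conf`.

```conf
#!/usr/sbin/setkey -f
# Added example: manually keyed ESP between two constructed hosts.
# Clear the Security Association Database and the Security Policy Database.
flush;
spdflush;

# Security Associations (SAD entries), one per direction.
# aes-cbc takes a 128-bit key (32 hex digits); hmac-sha1 a 160-bit key (40 hex digits).
# The keys below are constructed placeholders: generate real ones from a
# cryptographically secure random source and keep this file readable by root only.
add 10.0.0.1 10.0.0.2 esp 0x201
    -E aes-cbc  0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;

add 10.0.0.2 10.0.0.1 esp 0x301
    -E aes-cbc  0xffeeddccbbaa99887766554433221100
    -A hmac-sha1 0x76543210fedcba9876543210fedcba9876543210;

# Security Policies (SPD entries): require ESP in transport mode for all
# traffic between the two hosts, in both directions. On host 10.0.0.1 the
# first line is the outbound policy and the second the inbound one.
spdadd 10.0.0.1 10.0.0.2 any -P out ipsec esp/transport//require;
spdadd 10.0.0.2 10.0.0.1 any -P in  ipsec esp/transport//require;
```

After loading it, `setkey -D` lists the SAD and `setkey -DP` the SPD, which is a quick way to confirm that both peers agree on SPIs, algorithms and policy direction. Because the keys are static, there is no IKE negotiation and therefore none of the first-packet -EAGAIN behaviour described above, but there is also no automatic rekeying: the administrator has to rotate keys and SPIs by hand. The "require" level means traffic matching the policy is dropped rather than sent in the clear if the SA is missing, so a typo in an SPI or key shows up as a silent loss of connectivity between the hosts rather than as plaintext on the wire.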