ipsec-tools in Fedora core 3 and Fedora core 4

Michael H. Warfield mhw at WittsEnd.com
Tue Feb 21 18:20:09 UTC 2006


On Tue, 2006-02-21 at 12:12 +0200, Väisänen Teemu wrote:
> Hi all.

> I have
> ipsec-tools-0.5-4 in Fedora core 4 machine installed from
> ipsec-tools-0.5-4.i386.rpm
> and
> ipsec-tools-0.5-2.fc3 in Fedora core 3 machine installed from
> ipsec-tools-0.5-2.fc3.i386.rpm

> Should I be able to establish IPsec connection between these two
> machines/versions?

	You certainly should (with one NASTY proviso).  You can even connect
between IPSec Tools (Racoon) and OpenSWAN (Pluto) on various distros and
other systems (*BSD, Solaris, Cisco, etc).  Note that on the 2.6 kernel,
OpenSWAN is using the "setkey" utility from IPSec Tools, so the only
difference is the IKE keying daemon (Racoon in IPSec Tools, and Pluto in
OpenSWAN) and the configuration files.  I'm actually playing with a
mixed environment, right now, of rh7.3, FC1, FC3, and FC4 (and soon with
FC5T3) with OpenSWAN on the 2.4 kernels and a mix of OpenSWAN and IPSec
Tools on various 2.6 kernels (no klips on the 2.6 kernels, though, just
native ESP).  They all seem to play nice with each other...

	The nasty proviso that bit me in the ass was figuring out WHY racoon
kept bombing out on me during initial negotiations (OpenSWAN was working
fine on that same system).  That was every version of IPSec tools I
tried on FC4, rpm or hand-rolled.  It would get to the identity phase
and blow a core ball.  A foreground verbose run of racoon (-v -F) gave
me an error about "unable to open /dev/cryptonet" followed immediately
by a segfault.  A little googling revealed someone with a similar
problem with stunnel.  Turned out that we both had hwcrypto installed
but had no hardware crypto devices.  That was causing the problem.
Removing the hwcrypto rpm eliminated the segfaulting in racoon.  Don't
know when this first started appearing but it was not occurring when I
was experimenting with racoon last year (just started playing around
with it again this week).

> If I update ipsec-tools versions to same in both machines, what
> version should I try?

	I'm running 0.6.5 from the IPSec Tools project.  I manually built the
package and installed it.  I felt like the 0.5 version was just way too
far out of date with some of the discussions up on the IPSec Tools list.
If you build from scratch, be sure to include "--enable-natt" if you
want to be able to use UDP encapsulation.  Why that's not the default, I
don't know, but it gave me fits until I realized it hadn't been built
into my builds (RPMs seemed fine).  I would be a little leery about
anything prior to that though.  There were some DoS problems in some IKE
versions.

> For Fedora there is ipsec-tools-0.6.4-1.1.i386.rpm, does it work only
> in development version of Fedora?

	That's strange...  I only see 0.6.3-1.1 in development.

	I may try that just for giggles, if I can find 0.6.4.  I don't think
there were any major gotchas between 0.6.4 and 0.6.5, other than some
problems with /32 netmasks.

> Thank you for any answers!

> -Teemu Väisänen

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
