Ipsec, Fedora Core 2, Racoon and FreeS/wan
This little project wrote off 3 days for me. Yay. Getting the new 2.6 kernel's native ipsec, Racoon, FC2's ipsec setup scripts and a FreeSwan implementation (with x509 patches) at the other end of the pipe to all play nice together was a bigger job than I expected.
In recent times, I've become a follower of the "When in Rome" philosophy. As such, when I'm on a RedHat box, I don't build from tarballs, I create rpms; you do things "The Distro Way", which tends to keep your systems cleaner and easier to maintain. When faced with the task of moving my VPN connections over to my new FC2 box, I figured that now was a good time to use the system-config-network tool to set up my links, since it seemed it could. Bzzzt. Here's a tip: don't go that way unless you have a real vanilla situation (I don't know what that situation is, but it's probably something like two FC2 boxes talking to each other using shared secrets). Instead, write a script that does the setkey stuff, and write your own racoon.conf entries.
I am only going to mention briefly what the issues are (so I don't forget them after falling asleep), but if you're lucky I'll come back one day and give examples. Anyway...
- Certs - racoon can only read un-encrypted certs, so this means removing the passphrase that openssl probably made you put on it. openssl rsa -in cryptedcert.pem -out plaincert.pem with the correct passphrase should sort that out.
- FreeS/wan-ism #1: Impossible to get the name correct. Probably why they folded the project (I jest!)
- FreeS/wan-ism #2: Doesn't do aggressive mode, only main mode, it seems. ifup-ipsec on FC2 had to get taken to with a clue-by-four to make it leave that out, as I think FreeS/wan was borking at it.
- FreeS/wan-ism #3: Does not like re-using SAs, so on the racoon end, make sure to use "unique" instead of "require" in spdadd policies.
- FreeS/wan-ism #4: Seems to dislike seeing doubly-wrapped stuff (yep, that's as clear as I can be, since I don't understand the problem anyway). Short of it: FC2's ifup-ipsec adds ESP and AH tunnel SPD entries (or SAs?) - don't use the AH ones, only add ESP.
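Since the examples never made it into the post, here is one I've added that is not the author's script: a small sh replacement for the setkey half of ifup-ipsec plus a matching racoon.conf fragment, built around the four FreeS/wan-isms above (ESP-only tunnel policies, level "unique" rather than "require", main mode with X.509 certificates). The gateway addresses, subnets, certificate file names and the aes/modp2048 algorithm choices are all constructed placeholders; if the FreeS/wan end doesn't speak AES or group 14, drop to 3des and modp1024 in both the proposal and the sainfo block.

```shell
#!/bin/sh
# Added example (not from the original post): hand-written setkey policy and
# racoon.conf "remote"/"sainfo" fragment for an FC2 <-> FreeS/wan tunnel.
# Follows the post's findings: ESP only (no AH policies), tunnel mode,
# level "unique" instead of "require", and main mode with X.509 certs.
# Every address, subnet and file name below is a constructed placeholder.

LOCAL_GW="${LOCAL_GW:-203.0.113.1}"        # our public address (the FC2 box)
REMOTE_GW="${REMOTE_GW:-203.0.113.2}"      # the FreeS/wan gateway
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"   # subnet behind us
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}" # subnet behind the peer

# Emit the SPD policy for "setkey -c". Only ESP tunnel policies are added;
# "unique" makes the kernel negotiate a fresh SA for each policy instead of
# re-using one, which is what the FreeS/wan end expects.
ipsec_policy() {
cat <<EOF
flush;
spdflush;

spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec
    esp/tunnel/$LOCAL_GW-$REMOTE_GW/unique;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec
    esp/tunnel/$REMOTE_GW-$LOCAL_GW/unique;
EOF
}

# Emit the racoon.conf fragment for this peer: main mode only, RSA signature
# authentication with X.509 certificates. The key file must be unencrypted
# (the "openssl rsa" step above) and readable by root only (chmod 600).
racoon_conf() {
cat <<EOF
path certificate "/etc/racoon/certs";

remote $REMOTE_GW {
    exchange_mode main;
    certificate_type x509 "gw-cert.pem" "gw-key.pem";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp2048;
    }
}

sainfo address $LOCAL_NET any address $REMOTE_NET any {
    pfs_group modp2048;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# Usage: ./ipsec-manual.sh          (print the setkey policy)
#        ./ipsec-manual.sh racoon   (print the racoon.conf fragment)
#        ./ipsec-manual.sh apply    (load the policy into the kernel; as root)
case "${1:-show}" in
    apply)  ipsec_policy | setkey -c ;;
    racoon) racoon_conf ;;
    *)      ipsec_policy ;;
esac
```

Run it with "racoon" and paste the output into /etc/racoon/racoon.conf, then "apply" as root and start racoon; a ping from one subnet to the other should trigger phase 1 (main mode) and phase 2, and "setkey -D" shows the resulting ESP SAs.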
From memory, that was when the ping replies started coming back, so I've not got further just yet. But until the Fedora/RedHat system-config-network GUI thing has more comprehensive options and ifup-ipsec can be more accurately controlled, I'd give them both a wide berth and go with the manual setup.