Ipsec, Fedora Core 2, Racoon and FreeS/wan

  • Posted on: 4 October 2004
  • By: agittins

This little project wrote off 3 days for me. Yay. Getting the new 2.6 kernel's native ipsec, Racoon, FC2's ipsec setup scripts and a FreeSwan implementation (with x509 patches) at the other end of the pipe to all play nice together was a bigger job than I expected.
In recent times, I've become a follower of the "When in Rome" philosophy. As such, when I'm on a RedHat box, I don't build from tarballs; I create rpms and do things "The Distro Way" - this tends to keep your systems cleaner and easier to maintain. When faced with the task of moving my VPN connections over to my new FC2 box, I figured that now was a good time to use the system-config-network tool to set up my links, since it seemed it could. Bzzzt. Here's a tip: don't go that way unless you have a real vanilla situation (I don't know what that situation is, but it's probably something like two FC2 boxes talking to each other using shared secrets). Instead, write a script that does the setkey stuff, and write your own racoon.conf entries.

I am only going to mention briefly what the issues are (so I don't forget them after falling asleep), but if you're lucky I'll come back one day and give examples. Anyway...

  • Certs - racoon can only read un-encrypted key files, so this means removing the passphrase that openssl probably made you put on the private key. openssl rsa -in cryptedcert.pem -out plaincert.pem with the correct passphrase should sort that out (openssl rsa works on the key, not the certificate; keep the resulting plaintext key readable by root only).
  • FreeS/wan-ism #1: Impossible to get the name correct. Probably why they folded the project (I jest!)
  • FreeS/wan-ism #2: Doesn't do aggressive mode, only main it seems. ifup-ipsec on fc2 had to get taken to with a clue-by-four to make it leave that out, as I think freeswan was borking at it.
  • FreeS/wan-ism #3: Does not like re-using SAs, so on the racoon end, make sure to use "unique" instead of "require" as the level in spdadd policies.
  • FreeS/wan-ism #4: Seems to dislike seeing doubly-wrapped stuff (yep, that's as clear as I can be, since I don't understand the problem anyway). Short of it: FC2's ifup-ipsec adds both esp and AH tunnel SPD entries (or SAs?) - don't use the AH ones, only add esp.

From memory, that was when the ping replies started coming back, so I've not got further just yet. But until the fedora/redhat system-config-network gui thing has more comprehensive options and ifup-ipsec can be more accurately controlled, I'd give them both a wide berth and go for the manual setup.
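As an added example (constructed for this page, not the author's own script), here is the sort of "script that does the setkey stuff" plus a hand-written racoon.conf stanza that applies the four points above on the racoon end: ESP tunnel policies only (no AH), "unique" rather than "require" as the policy level, main mode rather than aggressive mode, and an unencrypted key file. Every address, network range, certificate file name and the /etc/racoon path are placeholders; the check_policy function is an extra sanity check that refuses exactly the settings that broke the link above before anything is loaded into the kernel.

```shell
#!/bin/sh
# Constructed example: generate SPD policies and a racoon remote stanza for a
# 2.6-kernel/racoon host talking to a FreeS/WAN gateway. All values are placeholders.

LOCAL_IP=192.0.2.1          # our gateway address (placeholder, TEST-NET-1)
REMOTE_IP=198.51.100.1      # FreeS/WAN gateway address (placeholder, TEST-NET-2)
LOCAL_NET=10.1.0.0/24       # network behind us (placeholder)
REMOTE_NET=10.2.0.0/24      # network behind the peer (placeholder)
CERT_DIR=/etc/racoon/certs  # assumed directory holding the cert and the passphrase-free key

# setkey(8) SPD entries: ESP tunnel only, no AH policies, and level "unique"
# so each policy gets its own SA instead of sharing one (which FreeS/WAN rejected).
spd_policy() {
    cat <<EOF
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_IP-$REMOTE_IP/unique;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_IP-$LOCAL_IP/unique;
EOF
}

# racoon.conf fragment: main mode only, X.509 certificates, RSA signature auth.
# "mykey-plain.pem" is the key after "openssl rsa" stripped its passphrase.
racoon_remote() {
    cat <<EOF
path certificate "$CERT_DIR";

remote $REMOTE_IP {
        exchange_mode main;
        certificate_type x509 "mycert.pem" "mykey-plain.pem";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# Refuse the three settings that broke interop: AH policies, "require" level,
# aggressive mode. Returns 0 when the generated config is clean.
check_policy() {
    spd_policy | grep -q 'ah/' && return 1
    spd_policy | grep -q '/require' && return 1
    racoon_remote | grep -q 'aggressive' && return 1
    return 0
}

# Load the policies and write the racoon fragment; only meaningful on a real host.
apply() {
    check_policy || { echo "policy check failed, nothing loaded" >&2; return 1; }
    spd_policy | setkey -c
    racoon_remote > /etc/racoon/remote-freeswan.conf   # include this file from racoon.conf
}

case "${1:-}" in
    show)  spd_policy; racoon_remote ;;
    apply) apply ;;
esac
```

Run it with `show` to print what would be loaded, and `apply` (as root) to load the SPD with `setkey -c` and write the fragment; the FreeS/WAN side still needs a matching conn with the same networks, certificates and proposals.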

Comments

Hi,

I am trying to do the same thing, except using Red Hat Enterprise Linux v3 not Fedora Core 2.

Also connecting to FreeS/WAN (version 1.99) via x509 certificates

Please can you show me what you did to get it to work? I also found it easier to steer clear of network gui as well as ifup-ipsec, however not sure what I have to do other than just run racoon? Running racoon is failing - "ERROR: backupsa.c:226:backupsa_from_file(): failed to open the backup file (null)."

Help please?!?!

Thanks,

Mark

Do have a good long look at ifup-ipsec - it does everything that "needs to be done", it's just that there's a few things it does that should not be done or should be done differently, as outlined above.
If you basically do the things that ifup-ipsec does (create racoon config files, restart racoon, add SPDs) then you should get a lot closer - I've not seen the error message you mention however, so it may be a good move to google that if you can't get past it by trying the above.
Ash.

Have you submitted a bug to Red Hat about this issue? I would think they would be concerned about interop with free/openswan and would like to hear about it (if they haven't already).
Your FreeS/wan-ism #2-4 were all applicable to my situation (although I knew about #2, #3 and #4 were things I had to change the ifup-ipsec item for and I don't really like doing that).

Hmmm, I have not. I sort of considered FreeSwan pretty much dead (it sounded like they gave up on their goal of achieving OE everywhere, so they've gone home). As such I figured that supporting FreeSwan was probably a corner case that would go away over time.

You have got me thinking about it though. I think I will submit it.

I decided to go ahead and start the bug since I had relevant log snippets and I had just done all this. Feel free to submit your comments to the bug as well. I did link to your blog, I hope you don't mind.
bug#150094

No problem at all, well done! It was the logical choice anyway since you had all the "fresh" info to hand :-)
Heh... at the time, my opinion was "Freeswan is dead, long live racoon" but I failed to notice openswan taking over, let alone predicting it would be packaged with fc3!
