[Openswan dev] thoughts on openswan initscripts

Dax Kelson dax at gurulabs.com
Mon Feb 16 11:45:47 CET 2004


On Thu, 2004-02-12 at 09:02, Paul Wouters wrote:

> Then I looked at how it is implemented for racoon, and I found that
> basically they have the same problem we have. They need to replicate
> their ifcfg- variables into "conn" like structures. In short, what the
> current ifup-ipsec.racoon does is fling the ifcfg- contents with some
> setkey glue in a file in /etc/racoon/$DST.conf and -HUP the racoon daemon.
> (as a side note, when I tried to do this with initscripts-7.46-1 this
> didn't work. The /etc/racoon/$DST.conf file could not be parsed by racoon)
> 
> So I figured well, we can do that too. Just use the variables to make
> a conn, fling it in /etc/ipsec.d/conns/ and whack pluto with a --reread.
> 
> But all of this hardly makes any sense! Why go through such a weird ifcfg-
> translation, especially with the userlands having such different set of
> options? It will only introduce errors and maintenance. So it led me to
> the "why" of the ifcfg- files? Likely what is really wanted by RedHat is
> configuration via the redhat-config-network tool. But redhat-config-network
> could just as easily get its configuration from /etc/ipsec.d/conns/$CONN.conf 
> or /etc/racoon/$CONN.conf 

I'm a long time Red Hat as well as a long time IPsec user.

My thoughts.

1. Why have racoon at all? After following many different IPsec mailing
lists I think it is clear that the (by far) most common use of IPsec
is in a road warrior configuration. In this capacity, racoon is
worthless.

2. For something as complex as IPsec, duplicating all the configuration
in an ifcfg-XXX file does not seem to make sense. Why not just have
something like:

IPSECCONS="me2work me2home"

You could stick that in a /etc/sysconfig/network-scripts/ifcfg-XXX or
globally via /etc/sysconfig/network.

The actual configuration for the connections could/should stay in the
/etc/ipsec.conf file.

BTW, the way I've done the Red Hat / IPsec thing is to have no linkage
with the ifcfg scripts and define all my connections in /etc/ipsec.conf.
And when I want to bring up my tunnels, I do:

service ipsec start

Dax Kelson
Guru Labs
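As an added example (not code from the Openswan project or from anyone in this thread), here is a sketch of what the IPSECCONS= proposal above could look like as a /sbin/ifup-local script, which Red Hat's ifup-post runs with the interface name as its first argument. It reads IPSECCONS from the global /etc/sysconfig/network and from the per-interface ifcfg- file, then brings each listed conn up with "ipsec auto --up"; the conns themselves stay defined in /etc/ipsec.conf. The IPSEC and SYSCONFIG_DIR variables are hypothetical knobs so the script can be exercised without root or a running pluto; the file parsing deliberately uses sed rather than sourcing the file, and conn names are checked before being handed to ipsec.

```shell
#!/bin/sh
# Added example, not Openswan or Red Hat code: an ifup-local style hook
# for the IPSECCONS= idea. Usage: ifup-local <device>
# Hypothetical overridable knobs (assumptions for this example).
: "${IPSEC:=ipsec}"
: "${SYSCONFIG_DIR:=/etc/sysconfig}"

# Print the conn names listed in IPSECCONS= in the given file(s), one per
# line. The files are grepped, not sourced: sourcing an ifcfg- file would
# execute anything written into it with this script's (root) privileges.
ipsec_conns_from_files() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed -n 's/^[[:space:]]*IPSECCONS=//p' "$f" | tr -d "\"'"
    done | tr -s ' \t' '\n' | sed '/^$/d'
}

# Bring up every conn named in IPSECCONS= across the given files.
# Returns non-zero if any conn was rejected or failed to come up.
ipsec_up_conns() {
    conns=$(ipsec_conns_from_files "$@")
    if [ -z "$conns" ]; then
        echo "ifup-local: no IPSECCONS configured, nothing to do" >&2
        return 0
    fi
    rc=0
    for c in $conns; do
        # Only plain conn names reach ipsec: reject anything starting with
        # "-" (could be read as an option) or containing odd characters.
        case "$c" in
            -*|*[!A-Za-z0-9_.-]*)
                echo "ifup-local: skipping suspicious conn name '$c'" >&2
                rc=1
                continue
                ;;
        esac
        "$IPSEC" auto --up "$c" || rc=1
    done
    return $rc
}

# When invoked by ifup-post, $1 is the device that just came up.
if [ -n "${1:-}" ]; then
    ipsec_up_conns "$SYSCONFIG_DIR/network" \
                   "$SYSCONFIG_DIR/network-scripts/ifcfg-$1"
fi
```

For "ipsec auto --up" to succeed the conn must already be known to pluto, so the conns named in IPSECCONS= should carry auto=add in /etc/ipsec.conf (loaded when the ipsec service starts); "service ipsec start" alone, with auto=start, remains the simplest arrangement when no ifcfg- linkage is wanted at all.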
