[Openswan dev] thoughts on openswan initscripts

Paul Wouters paul at xelerance.com
Mon Feb 16 20:23:55 CET 2004


On Mon, 16 Feb 2004, Dax Kelson wrote:

> 1. Why have racoon at all? After following many different IPsec mailing
> lists I think it is clear that the (by far) most common use of IPsec
> is in a road warrior configuration. In this capacity, racoon is
> worthless.

It's a relic from FreeS/WAN politics. 

> 2. For something as complex as IPsec, duplicating all the configuration
> in a ifcfg-XXX file seems to not make sense. Why not just have something
> like:
> 
> IPSECCONS="me2work me2home"
> 
> You could stick that in a /etc/sysconfig/network-scripts/ifcfg-XXX or
> globally via /etc/sysconfig/network.
> 
> The actual configuration for the connections could/should stay in the
> /etc/ipsec.conf file.

ipsec.conf supports including files, so it's easy to put conns in separate
files in /etc/ipsec.d/conns/connname.conf
This will make it easier for any redhat-config-* tool to work on it.
 
> BTW, the way I've done the Red Hat / IPsec thing is to have no linkage
> with the ifcfg scripts and define all my connections in /etc/ipsec.conf.
> And when I want to bring up my tunnels, I do:
> 
> service ipsec start

The service (or rather pluto) should start in time to prevent packets meant
for ipsec tunnels to go out the default gateway. So yes, starting the service
is always needed.
 
Paul
-- 
"In discussing women, we discovered that using electrical terminology-
 impedance, reluctance, resistance- that we had a deeper understanding of
 the situation"
                     --- Richard Feynman
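An added example, not from the thread: a check that every conn named in the IPSECCONS list proposed above has a matching per-connection file (the /etc/ipsec.d/conns/connname.conf layout mentioned in the reply) that actually defines that conn, so a typo in the list is caught at boot instead of leaving a tunnel silently down. The directory path, the function name and the sample conns are assumptions.

```shell
# check_ipseccons IPSECCONS_VALUE CONNS_DIR
# Reports conns listed in IPSECCONS that have no file or whose file does
# not contain a "conn <name>" section; returns the number of problems.
check_ipseccons() {
    ipseccons="$1"   # e.g. IPSECCONS="me2work me2home" from ifcfg-XXX (assumed)
    conns_dir="$2"   # e.g. /etc/ipsec.d/conns (assumed layout)
    bad=0
    for name in $ipseccons; do
        file="$conns_dir/$name.conf"
        if [ ! -r "$file" ]; then
            echo "IPSECCONS: '$name' listed but $file is missing" >&2
            bad=$((bad + 1))
            continue
        fi
        # exact match on the "conn <name>" header, so me2work does not
        # accept a file that only defines me2work2
        if ! awk -v c="$name" '$1 == "conn" && $2 == c { found = 1 }
                                END { exit !found }' "$file"; then
            echo "IPSECCONS: $file does not define 'conn $name'" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: one correct conn file, one listed conn with no file.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/conns"
printf 'conn me2work\n\tleft=%%defaultroute\n\tauto=start\n' \
    > "$demo_dir/conns/me2work.conf"
check_ipseccons "me2work me2home" "$demo_dir/conns" || echo "found $? problem(s)"
rm -rf "$demo_dir"
```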
