[Openswan dev] thoughts on openswan initscripts

Michael Richardson mcr at sandelman.ottawa.on.ca
Mon Feb 16 15:33:24 CET 2004


>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    >> 2. For something as complex as IPsec, duplicating all the
    >> configuration in a ifcfg-XXX file seems to not make sense. Why not
    >> just have something like:
    >> IPSECCONS="me2work me2home"
    >> You could stick that in a /etc/sysconfig/network-scripts/ifcfg-XXX or
    >> globally via /etc/sysconfig/network.
    >> The actual configuration for the connections could/should stay in the
    >> /etc/ipsec.conf file.

    Paul> ipsec.conf supports including files, so it's easy to put conns in
    Paul> separate files in /etc/ipsec.d/conns/connname.conf This will make
    Paul> it easier for any redhat-config-* tool to work on it.

  One could conceive of eventually just knowing that "connname" lives in
/etc/ipsec.d/conns/connname.conf, or

  A parser (in C rather than AWK!) for ipsec.conf exists, and has been
partially adapted to version 2 configuration files. It will eventually get
finished. If there is a different syntax that is desired (even some
XML variant, but please, let's do the DTD right), it could easily be adapted,
since syntax is just a front-end issue.

    >> BTW, the way I've done the Red Hat / IPsec thing is to have no linkage
    >> with the ifcfg scripts and define all my connections in
    >> /etc/ipsec.conf.  And when I want to bring up my tunnels, I do:
    >> service ipsec start

    Paul> The service (or rather pluto) should start in time to prevent
    Paul> packets meant for ipsec tunnels to go out the default gateway. So
    Paul> yes, starting the service is always needed.

  This is a critical thing.
  Independent of the tunnel being brought up, the firewalling must be

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
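An added example, not from this thread or the openswan project, of the IPSECCONS initscript fragment the message discusses: it reads the list from a sysconfig-style file without sourcing it, checks that each conn name is safe to use as a filename under /etc/ipsec.d/conns/ (the layout from the quoted reply), and only then calls `ipsec auto --up`. CONNS_DIR and IPSEC_CMD are assumed overrides so the script can be dry-run without openswan installed.

```shell
#!/bin/sh
# Added example (not openswan's own initscript). Reads IPSECCONS from a
# sysconfig-style file and brings up each listed conn. CONNS_DIR and
# IPSEC_CMD are assumptions that allow a dry-run without openswan.

CONNS_DIR="${CONNS_DIR:-/etc/ipsec.d/conns}"
IPSEC_CMD="${IPSEC_CMD:-ipsec}"

# Extract the IPSECCONS value without sourcing the file: sourcing would
# execute any shell code in it, so only a plain quoted assignment is read.
conns_from_file() {
    sed -n 's/^IPSECCONS="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# A conn name becomes part of a path, so restrict it to letters, digits,
# dash, underscore and dot, with no slash and no leading dot (this rejects
# names such as "../evil" or "." before they reach the filesystem).
valid_conn_name() {
    case "$1" in
        ''|.*|*/*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Bring up every listed conn that has a definition file; the return value
# is the number of entries rejected for a bad name or a missing file.
start_conns() {
    rejected=0
    for conn in $(conns_from_file "$1"); do
        if ! valid_conn_name "$conn"; then
            echo "ipsec: refusing conn name '$conn'" >&2
            rejected=$((rejected + 1))
        elif [ ! -f "$CONNS_DIR/$conn.conf" ]; then
            echo "ipsec: no $CONNS_DIR/$conn.conf for '$conn'" >&2
            rejected=$((rejected + 1))
        else
            "$IPSEC_CMD" auto --up "$conn"
        fi
    done
    return "$rejected"
}
```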

