[Openswan dev] thoughts on openswan initscripts

Bill Nottingham notting at redhat.com
Sat Feb 21 00:29:52 CET 2004


Dax Kelson (dax at gurulabs.com) said: 
> 1. Why have racoon at all? After following many different IPsec mailing
> lists I think it is clear that the (by far) most common use of IPsec
> is in a road warrior configuration. In this capacity, racoon is
> worthless.

a) it was there first in a shippable-to-us state with the kernel's 2.6
   IPSEC, AFAIK
 ... so ...
b) there's legacy userbase to deal with

> 2. For something as complex as IPsec, duplicating all the configuration
> in a ifcfg-XXX file seems to not make sense. Why not just have something
> like:
> 
> IPSECCONS="me2work me2home"
> 
> You could stick that in a /etc/sysconfig/network-scripts/ifcfg-XXX or
> globally via /etc/sysconfig/network.
> 
> The actual configuration for the connections could/should stay in the
> /etc/ipsec.conf file.

This ties the IPSEC tunnels to a particular network config unless
you do editing, which seems counterproductive to me. For example,
I'd want to configure my VPN once, and bring it up over the wireless,
or over the wired network, or over the PPP connection. (It was
originally suggested to have ipsec configured analogous to the static
routes for a device... this was changed for this reason.)

Bill

