Paul Wouters paul at xelerance.com
Tue Apr 27 20:39:39 CEST 2004

On Tue, 27 Apr 2004 Matti.Christensen at securitas.fi wrote:

> Many thanks for Your kind help !

You're welcome.

> - the fact that Openswan ( and Free-S-Wan ) is developed on RH makes it 
> difficult to install the functionality on other kind of platforms - my box 
> for instance did not initially have utilities like logger and ip ( but of 
> course syslogd and ifconfig/route ) - so;

"ip" from iproute has obsoleted the old ifconfig/route commands for quite a
number of years now. logger might indeed be too specific. If you are willing
to tell us what your distro/platform uses, we can try and add something for it
in our packaging/ directory, which is meant for all the distro-dependent things.

> --- it would be really nice to have short documents describing dependencies 
> of third party software, and between various binaries/scripts of the 
> installation itself

"ipsec verify" actually checks for all the dependencies and gives errors when
it fails. Of course, it does require perl :)

> --- some documentation of the installed directory structure would also be 
> nice

You probably find it in the docs somewhere, but it is easy:

/etc/ipsec.secrets (root-only readable file with PSK's and passphrases)
/etc/ipsec.conf standard configuration file
/usr/local/lib/ipsec  all the binaries
/etc/init.d/ipsec the startup script
/etc/ipsec.d/ supporting configuration files
/etc/ipsec.d/private private keys for X/509
/etc/ipsec.d/crls Certificate Revocation Lists
/etc/ipsec.d/policies/ Opportunistic Encryption policy files
/etc/ipsec.d/cacerts Certificate Agency files
/etc/ipsec.d/certs X509 certificates
/etc/ipsec.d/examples example include files (contains no_oe.conf)

> If You are willing to answer even to this email, i might ask if the 
> directory '/etc/ipsec.d' is mandatory when using just PSK.

It shouldn't be needed when not using OE or certificates. If there is code
that requires it (some X/509 code used to do some chdir()'s which I think
have all been taken out by now) then let us know and we will fix this dependency.

> Anyhow - the ipsec connection i've been trying to make up is now up, and 
> that is the most important issue just now - thanks again !

Great. Glad it works for you now. Was it the NAT iptables rules or the
openswan/superfreeswan mismatch?
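
The layout listed in the reply above, turned into a permission audit. This is an added example, not part of the original mail and not Openswan's own tooling; the function names are hypothetical, and requiring the files under /etc/ipsec.d/private to be as restricted as ipsec.secrets is an assumption. As the reply says, /etc/ipsec.d is treated as optional for a PSK-only setup.

```shell
#!/bin/sh
# Added example: audit the Openswan file layout listed in the mail above.
# Usage: audit_ipsec_layout ROOT   (ROOT="" audits the live system)
# Prints one line per finding; exit status is the number of findings.

# True when the path grants no permission bits to group or others.
is_private() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

audit_ipsec_layout() {
    root=${1:-}
    problems=0

    # Needed for every setup, PSK included.
    for f in etc/ipsec.conf etc/ipsec.secrets; do
        if [ ! -f "$root/$f" ]; then
            echo "MISSING /$f"
            problems=$((problems + 1))
        fi
    done

    # ipsec.secrets holds PSKs and passphrases: root-only readable.
    s="$root/etc/ipsec.secrets"
    if [ -f "$s" ] && ! is_private "$s"; then
        echo "PERMS   /etc/ipsec.secrets is accessible to group or others"
        problems=$((problems + 1))
    fi

    # /etc/ipsec.d is only expected with certificates or OE, so its
    # absence is not a finding. If present, the private keys directory
    # and the files in it must be restricted too (assumption, see lead-in).
    d="$root/etc/ipsec.d/private"
    if [ -d "$d" ]; then
        for k in "$d" "$d"/*; do
            if [ -e "$k" ] && ! is_private "$k"; then
                echo "PERMS   ${k#"$root"} is accessible to group or others"
                problems=$((problems + 1))
            fi
        done
    fi

    return "$problems"
}
```

Running `audit_ipsec_layout ""` as root checks the installed system; any other argument is used as a prefix, which allows checking an unpacked image or chroot.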

