On Oct 5, 2004, at 18:03, Matthias Saou wrote:
So, my question is : Which is the preferred IPSec set of tools for Fedora
Core? Is it planned to move IPSec's integration a little forward, into the
Network config tools for instance?
I would go with ipsec-tools... I haven't used openswan, so I can't tell, and I don't know if it will be supported in a near future. Anyways, ipsec-tools has support for:
- manually keyed IPSec SA, by invoking "setkey" manually
- PSK (pre-shared keys) or X.509-based SA, by using "racoon" IKE/ISAKMP daemon
I have always limited myself to manually keyed ESP/AH SA on my side by manually creating the SA and filling in the SPD invoking "setkey" manually. In the past, I had problems with "racoon" and the Linux kernel: when a packet forced a SA to be negotiated for the very first time, the kernel always failed to queue that packet, waiting for the SA to be established, and then sending the packet through the link using ESP, AH or whatever protocol was negotiated. Instead, the kernel would return the -EAGAIN error to userspace (resource temporarily unavailable), which caused problems.
For example, the first "ping" ICMP echo request packet forces the SA to be negotiated, but also fails with an -EAGAIN error. "pinging" again, once the SA has been established, works like a charm, but once the SA has been established.
I don't know if this has already been fixed, though.
