[Q] IPSec Connection Questions?


TheEdge
2004-10-03, 05:10 PM CDT
G'Day,

- Apologies for the long post. But I have a number of questions
- Environment:
* Fedora Core 2
* Internal Network: 192.168.40.0/24
* Fedora Box has eth0 configured to 192.168.40.3 with default GW of 192.168.40.1 (ADSL Router)
* IP Forwarding is ON for the Fedora Box
- I have used system-config-gui to configure an IPSEC connection on eth0. This produces the following config file:

DSTGW=192.168.42.5
SRCGW=192.168.40.1
DSTNET=192.168.42.0/16
SRCNET=192.168.40.0/24
DST=203.xx.xx.xxx
TYPE=IPSEC
ONBOOT=yes
SPI_ESP_OUT=712615660
SPI_ESP_IN=1171810019
SPI_AH_OUT=1135815966
SPI_AH_IN=1828102629

Q1: Where do I see the log of what is happening when this connection is brought up? There seems to be nothing in syslog

Q2: How do I bring up and take down the IPSEC connection from the command line? Executing the scripts seems to produce errors:

[root@moe network-scripts]# /etc/sysconfig/network-scripts/ifdown-ipsec
/etc/sysconfig/network-scripts/ifdown-ipsec: line 47: ifcfg-: No such file or directory
Command line is not complete. Try option "help"
line 1: parse error at [ah]
parse failed, line 1.
line 1: parse error at [any]
parse failed, line 1.
/etc/sysconfig/network-scripts/ifdown-post: line 47: ifcfg-: No such file or directory

Q3: The sysconfig-network-gui only seems to accept passwords of a specific length. My password is longer. I can edit the keys-MyConnectionName file and edit the KEY_ESP and KEY_AH lines, but surely I have to regenerate something?

Q4: Where are the ipsec.conf files etc.? Or don't they enter into the equation when dealing with the sysconfig-network-gui app?

TIA

superbnerd
2004-10-03, 05:48 PM CDT
I don't have any experience or knowledge of ipsec, but I believe I can help you with the ifdown-ipsec error. If you read the actual script, you will notice that it is expecting you to specify a network device name such as eth0. So to use ifdown-ipsec, try ifdown-ipsec eth0. You should read the script to learn its options.
I tried using and it did not work. This could be because I don't have adequate knowledge of ipsec or because it is a bug in the script. Test it and tell us what you get, and hopefully someone with more ipsec knowledge will help.

TheEdge
2004-10-05, 04:27 AM CDT
OK,

superbnerd put me on the right track. To get ifup-ipsec to execute you need to specify the name of the connection as the first parameter, not the hardware device as he suggested. Now that I can attempt to bring up the interface, I see the following in syslog:

Oct 4 22:20:37 moe racoon: INFO: main.c:174:main(): @(#)racoon - IPsec-tools 0.2.3
Oct 4 22:20:37 moe racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Oct 4 22:20:38 moe racoon: ERROR: isakmp.c:1378:isakmp_open(): failed to bind to address fe80::240:63ff:fed8:5729%253[500] (No such device).
Oct 4 22:20:38 moe racoon: INFO: isakmp.c:1387:isakmp_open(): ::1[500] used as isakmp port (fd=7)
Oct 4 22:20:38 moe racoon: INFO: isakmp.c:1387:isakmp_open(): 192.168.40.3[500] used as isakmp port (fd=8)
Oct 4 22:20:38 moe racoon: INFO: isakmp.c:1387:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=9)
Oct 4 22:24:52 moe racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): IPsec-SA request for 203.26.16.136 queued due to no phase1 found.
Oct 4 22:24:52 moe racoon: INFO: isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.40.3[500]<=>203.26.16.136[500]
Oct 4 22:24:52 moe racoon: INFO: isakmp.c:812:isakmp_ph1begin_i(): begin Aggressive mode.
Oct 4 22:25:23 moe racoon: ERROR: isakmp.c:1805:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.26.16.136->192.168.40.3
Oct 4 22:25:23 moe racoon: INFO: isakmp.c:1810:isakmp_chkph1there(): delete phase 2 handler.
Oct 4 22:25:26 moe racoon: INFO: isakmp.c:1732:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
Oct 4 22:25:52 moe racoon: ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation failed due to time up. 984142c9edc7d9a7:0000000000000000
Oct 4 22:25:57 moe racoon: ERROR: isakmp.c:1805:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.26.16.136->192.168.40.3
Oct 4 22:25:57 moe racoon: INFO: isakmp.c:1810:isakmp_chkph1there(): delete phase 2 handler.
Oct 4 22:26:26 moe racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): IPsec-SA request for 203.26.16.136 queued due to no phase1 found.
Oct 4 22:26:26 moe racoon: INFO: isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.40.3[500]<=>203.26.16.136[500]
Oct 4 22:26:26 moe racoon: INFO: isakmp.c:812:isakmp_ph1begin_i(): begin Aggressive mode.
Oct 4 22:26:57 moe racoon: ERROR: isakmp.c:1805:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.26.16.136->192.168.40.3
Oct 4 22:26:57 moe racoon: INFO: isakmp.c:1810:isakmp_chkph1there(): delete phase 2 handler.
Oct 4 22:27:26 moe racoon: ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation failed due to time up. 2d661a9e4e69e7e2:0000000000000000
Oct 4 22:27:26 moe racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): IPsec-SA request for 203.26.16.136 queued due to no phase1 found.
Oct 4 22:27:26 moe racoon: INFO: isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.40.3[500]<=>203.26.16.136[500]
Oct 4 22:27:26 moe racoon: INFO: isakmp.c:812:isakmp_ph1begin_i(): begin Aggressive mode.

The ipsec server that I am attempting to connect to is configured as follows:

FILE:/etc/config/ipsec.conf
conn DonovanHome
type = tunnel
left = %defaultroute
leftsubnet = 192.168.0.0/255.255.0.0
right = 0.0.0.0
rightsubnet = 192.168.40.0/255.255.255.0
keyexchange = ike
auth = esp
authby = secret
pfs = yes
keylife = 1h
ikelifetime = 5h
rekeyfuzz = 50%
rekeymargin = 10s
keyingtries = 0
dpddelay = 9
dpdtimeout = 30
auto = add

FILE:/etc/config/ipsec.secrets
203.xx.xx.xx 0.0.0.0 : PSK "<snip>"

On my fedora box I have:

ifcfg-MyConnection

DSTGW=192.168.42.5
SRCGW=192.168.40.1
DSTNET=192.168.42.0/16
SRCNET=192.168.40.0/24
DST=203.xx.xx.xx
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK

and keys-MyConnection

IKE_PSK=<Snip>

Can anyone shed any light for me?

TIA
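A small log triage helper, added here as an example and not part of the thread: it groups racoon syslog lines of the shape quoted in the post above into the phase 1 attempts they belong to, and states what the all-timeout pattern in that log implies (no usable IKE reply ever came back, which points at reachability or the peer's configuration before the keys). The sample lines are constructed to match the post.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the racoon lines quoted above (syslog wraps joined).
SAMPLE_LOG = """\
Oct 4 22:24:52 moe racoon: INFO: isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.40.3[500]<=>203.26.16.136[500]
Oct 4 22:24:52 moe racoon: INFO: isakmp.c:812:isakmp_ph1begin_i(): begin Aggressive mode.
Oct 4 22:25:23 moe racoon: ERROR: isakmp.c:1805:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.26.16.136->192.168.40.3
Oct 4 22:25:52 moe racoon: ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation failed due to time up. 984142c9edc7d9a7:0000000000000000
Oct 4 22:26:26 moe racoon: INFO: isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.40.3[500]<=>203.26.16.136[500]
Oct 4 22:26:26 moe racoon: INFO: isakmp.c:812:isakmp_ph1begin_i(): begin Aggressive mode.
Oct 4 22:27:26 moe racoon: ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation failed due to time up. 2d661a9e4e69e7e2:0000000000000000
"""

PH1_START = re.compile(r"initiate new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[(\d+)\]")
PH1_MODE = re.compile(r"begin (\w+) mode")
PH1_TIMEOUT = "phase1 negotiation failed due to time up"
PH2_WAIT = "phase2 negotiation failed due to time up waiting for phase1"

@dataclass
class Phase1Attempt:
    peer: str                # responder address[port] we initiated to
    mode: str = "?"          # "Aggressive" or "Main"
    timed_out: bool = False  # initiator gave up resending message 1
    phase2_dropped: int = 0  # queued IPsec-SA requests discarded while waiting

def parse_racoon(log):
    """Group racoon syslog lines into the phase 1 attempts they belong to."""
    attempts = []
    for line in log.splitlines():
        start = PH1_START.search(line)
        mode = PH1_MODE.search(line)
        if start:
            attempts.append(Phase1Attempt(peer=f"{start[2]}[{start[3]}]"))
        elif not attempts:
            continue  # daemon start-up lines precede any negotiation
        elif mode:
            attempts[-1].mode = mode[1]
        elif PH1_TIMEOUT in line:
            attempts[-1].timed_out = True
        elif PH2_WAIT in line:
            attempts[-1].phase2_dropped += 1
    return attempts

def diagnose(attempts):
    """All attempts timing out means no usable IKE reply ever arrived; a PSK
    mismatch is only reported after the peer answers, so check UDP/500
    reachability and the peer's configuration before the keys."""
    if attempts and all(a.timed_out for a in attempts):
        peers = ", ".join(sorted({a.peer for a in attempts}))
        return f"no IKE reply from {peers} in {len(attempts)} attempts"
    return "some phase 1 attempt received a reply; read the lines after it"
```

Running `diagnose(parse_racoon(SAMPLE_LOG))` on the constructed sample reports two attempts with no reply from 203.26.16.136[500]; the same parser applied to a real /var/log/messages will group any later attempts the same way.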