[GRLUG] IPSec & CentOS
godwin at grandrapids-lug.org
Fri Jan 30 14:33:21 EST 2009
Ah. Just for comparison, these are the meaningful settings I have
connecting openswan to a cisco pix. Disclaimer: I don't manage the
# excerpt from ipsec.conf
I'm gonna have the Cisco side changed to SHA since the thing about MD5
came out. ;-) And the entry in my ipsec.secrets looks like this:
my.ip.here their.ip.here : PSK "somekindoflongkeyhere"
Once the SA is established with: ipsec auto --up swan-to-cisco
you can check it with: ipsec eroute (if you have klips and the
Is your SA staying up? I remember the other side's admin having
trouble with that. The kernel should establish a route automatically
on the CentOS side...
What does your "ifconfig -a" and "route -n" look like?
On Fri, Jan 30, 2009 at 1:53 PM, Adam Tauno Williams
<awilliam at whitemice.org> wrote:
> On Fri, 2009-01-30 at 09:17 -0500, Godwin wrote:
>> Hey Adam,
>> What device is on the other end of the IPsec tunnel?
> Cisco 2600 IOS 12.3
>> Is it behind NAT?
>> It looks like the CentOS how-to there uses the kernel's built-in
>> ipsec features. I've not used that, but I have used openswan
>> (compiled from source) in different site-to-site tunnels, though never
>> tried to "ifup" the interface. It does it automagically.
> The IPSec support in CentOS via ifup/down uses Racoon. And it just
> doesn't work, it goes nowhere with a meaningless error.
>> Also if you switch to openswan, kernel 2.6 has to be patched if you
>> want the ipsec0 interface to exist. The *swan guys left it with 2.4
>> kernels. I'm not sure about the kernel's ipsec-tools device creation,
>> but you could just install/compile openswan easily. I found it a
>> little easier to work with and plenty of how-to's on the Net.
> I've got openswan-2.6.14-1.el5_2.1 and that gets me further than Racoon.
> It appears to establish an SA (although the ACLs required to do so on
> the Cisco make no sense at all) but figuring out how to route traffic
> via the association is also a problem.
> <http://www.vpnc.org/InteropProfiles/cisco-ios.txt> is helpful for the
> IOS side, except like every other IOS doc I've found, it doesn't quite
> work. This doc says to declare the route to the remote network to the
> external interface - which the router refuses to do with a
> is-this-router error message. Also none of the IOS examples I've
> managed to find agree with each other! Tons of fun.
>> Of course, first check that the right ports/protocols are allowed
>> through the firewall on either end: UDP 500 (4500 if behind NAT) and
>> protocols ESP (50) and AH (51).
> No firewalls and both ends are connection via a three foot cross over
> grlug mailing list
> grlug at grlug.org
More information about the grlug