[GRLUG] IPSec & CentOS

Adam Tauno Williams awilliam at whitemice.org
Fri Jan 30 13:53:28 EST 2009


On Fri, 2009-01-30 at 09:17 -0500, Godwin wrote:
> Hey Adam,
> What device is on the other end of the IPsec tunnel? 

Cisco 2600 IOS 12.3

>  Is it behind NAT? 

No.

>  It looks like the CentOS how-to there uses the kernel's built-in
> ipsec features.  I've not used that, but I have used openswan
> (compiled from source) in different site-to-site tunnels, though never
> tried to "ifup" the interface.  It does it automagically.

The IPSec support in CentOS via ifup/down uses Racoon.  And it just
doesn't work; it goes nowhere with a meaningless error.

> Also if you switch to openswan, kernel 2.6 has to be patched if you
> want the ipsec0 interface to exist.  The *swan guys left it with 2.4
> kernels.  I'm not sure about the kernel's ipsec-tools device creation,
> but you could just install/compile openswan easily.  I found it a
> little easier to work with and plenty of how-to's on the Net.

I've got openswan-2.6.14-1.el5_2.1 and that gets me further than Racoon.
It appears to establish an SA (although the ACLs required to do so on
the Cisco make no sense at all) but figuring out how to route traffic
via the association is also a problem.

<http://www.vpnc.org/InteropProfiles/cisco-ios.txt> is helpful for the
IOS side, except like every other IOS doc I've found, it doesn't quite
work.  This doc says to declare the route to the remote network to the
external interface - which the router refuses to do with a
is-this-router error message.  Also none of the IOS examples I've
managed to find agree with each other!  Tons of fun.

> Of course, first check that the right ports/protocols are allowed
> through the firewall on either end: UDP 500 (4500 if behind NAT) and
> protocols ESP (50) and AH (51).

No firewalls, and both ends are connected via a three-foot crossover
cable.
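For readers hitting the same two walls (phase 2 refusing to come up because the Cisco ACL and the openswan subnets disagree, then not knowing how traffic is supposed to enter the tunnel on a netkey kernel that has no ipsec0 device), the following is a matched pair of configurations for the setup this thread describes: openswan net-to-net on CentOS 5 using the kernel's built-in (netkey) IPsec stack, peered with an IOS 12.3 crypto map. This is an added example, not configuration posted by Adam, Godwin or anyone else on the list. The addresses 192.0.2.1 and 192.0.2.2, the subnets 10.1.0.0/24 and 10.2.0.0/24, the interface names eth0 and FastEthernet0/0, the names cisco, LINUX and LINUXMAP, the ACL number 101 and the pre-shared key are all placeholders; the algorithm choice (AES-128, SHA-1, DH group 2) is an assumption about what a 2600 running 12.3 supports, and is the weakest set you should accept, not a recommendation.

```text
# ---------------------------------------------------------------
# CentOS side: /etc/ipsec.conf  (openswan 2.6, kernel netkey stack)
# ---------------------------------------------------------------
config setup
    protostack=netkey          # 2.6 kernel stack: no ipsec0 device is created
    nat_traversal=no           # no NAT between the peers (UDP/4500 not needed)

conn cisco
    type=tunnel
    authby=secret              # PSK, see /etc/ipsec.secrets below
    left=192.0.2.1             # this CentOS box (placeholder address)
    leftsubnet=10.1.0.0/24     # network behind CentOS   (placeholder)
    right=192.0.2.2            # the Cisco 2600          (placeholder)
    rightsubnet=10.2.0.0/24    # network behind the Cisco (placeholder)
    # Phase 1 must match "crypto isakmp policy" on IOS exactly:
    ike=aes128-sha1;modp1024
    # Phase 2 must match the IOS transform-set and "set pfs":
    phase2alg=aes128-sha1
    pfs=yes
    salifetime=1h              # IOS default IPsec SA lifetime is 3600 s
    ikelifetime=24h            # IOS default ISAKMP lifetime is 86400 s
    auto=start

# /etc/ipsec.secrets  (mode 0600, owned by root)
192.0.2.1 192.0.2.2 : PSK "replace-this-with-a-long-random-secret"

# ---------------------------------------------------------------
# Cisco side: IOS 12.3 running-config fragment
# ---------------------------------------------------------------
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key replace-this-with-a-long-random-secret address 192.0.2.1 no-xauth
!
crypto ipsec transform-set LINUX esp-aes esp-sha-hmac
!
! The "interesting traffic" ACL is the part that must mirror openswan:
! source = rightsubnet (local to the Cisco), destination = leftsubnet.
! Anything else and phase 2 fails with a proposal/ID mismatch.
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map LINUXMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set LINUX
 set pfs group2
 match address 101
!
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 crypto map LINUXMAP
!
! Plain next-hop static route: the crypto map on the interface, not the
! route, decides what gets encrypted. The route only has to get the
! packet to that interface.
ip route 10.1.0.0 255.255.255.0 192.0.2.1

# ---------------------------------------------------------------
# Checks, CentOS side (after "service ipsec restart")
# ---------------------------------------------------------------
# ipsec auto --status | grep cisco      # want "IPsec SA established"
# ip xfrm state                         # one ESP SA per direction, with SPIs
# ip xfrm policy                        # out/in/fwd policies 10.1.0.0/24 <-> 10.2.0.0/24
# ip route get 10.2.0.1                 # must resolve via eth0; no tunnel route is added
# tcpdump -ni eth0 esp or udp port 500  # IKE on UDP/500, then ESP (protocol 50)
# Checks, IOS side:
# show crypto isakmp sa                 # QM_IDLE == phase 1 up
# show crypto ipsec sa                  # pkts encaps/decaps should both increase
```

The routing point is the one the HOWTOs leave out: with protostack=netkey the kernel's XFRM policy (visible with ip xfrm policy) intercepts packets matching leftsubnet/rightsubnet on output and encapsulates them in ESP, so the CentOS side needs nothing more than its ordinary route to the peer over the crossover link; adding a route for 10.2.0.0/24 pointing at a tunnel device is a 2.4/KLIPS habit and has nothing to attach to here. If ip xfrm state shows SAs but ip xfrm policy is empty, the tunnel negotiated but the _updown script did not install the policies, and no traffic will ever be selected for it. On the IOS side the same division holds: the crypto map applied to FastEthernet0/0 and its ACL select traffic, and the static route merely has to deliver packets to that interface.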


