[GRLUG] IPSec & CentOS

Godwin godwin at grandrapids-lug.org
Fri Jan 30 14:33:21 EST 2009


Ah.  Just for comparison, these are the meaningful settings I have
connecting openswan to a cisco pix.  Disclaimer: I don't manage the
cisco side.

# excerpt from ipsec.conf
conn swan-to-cisco
        type=tunnel
        left=my.ip.here
        leftsubnet=192.168.3.0/24
        leftnexthop=my.def.gw.ip
        right=remote.ip.here
        rightsubnet=192.168.2.0/24
        rightnexthop=remote.gw.here
        esp=3des-md5-96
        keyexchange=ike
        pfs=yes
        authby=secret
        auto=add
        spi=0x0

I'm gonna have the Cisco side changed to SHA since the thing about MD5
came out.  ;-)  And the entry in my ipsec.secrets looks like this:

my.ip.here their.ip.here : PSK "somekindoflongkeyhere"

Once the SA is established with: ipsec auto --up swan-to-cisco

you can check it with: ipsec eroute (if you have klips and the
ipsec0 interface)

Is your SA staying up?  I remember the other side's admin having
trouble with that.  The kernel should establish a route automatically
on the CentOS side...

What does your "ifconfig -a" and "route -n" look like?

G-

On Fri, Jan 30, 2009 at 1:53 PM, Adam Tauno Williams
<awilliam at whitemice.org> wrote:
> On Fri, 2009-01-30 at 09:17 -0500, Godwin wrote:
>> Hey Adam,
>> What device is on the other end of the IPsec tunnel?
>
> Cisco 2600 IOS 12.3
>
>>  Is it behind NAT?
>
> No.
>
>>  It looks like the CentOS how-to there uses the kernel's built-in
>> ipsec features.  I've not used that, but I have used openswan
>> (compiled from source) in different site-to-site tunnels, though never
>> tried to "ifup" the interface.  It does it automagically.
>
> The IPSec support in CentOS via ifup/down uses Racoon.  And it just
> doesn't work, it goes nowhere with a meaningless error.
>
>> Also if you switch to openswan, kernel 2.6 has to be patched if you
>> want the ipsec0 interface to exist.  The *swan guys left it with 2.4
>> kernels.  I'm not sure about the kernel's ipsec-tools device creation,
>> but you could just install/compile openswan easily.  I found it a
>> little easier to work with and plenty of how-to's on the Net.
>
> I've got openswan-2.6.14-1.el5_2.1 and that gets me further than Racoon.
> It appears to establish an SA (although the ACLs required to do so on
> the Cisco make no sense at all) but figuring out how to route traffic
> via the association is also a problem.
>
> <http://www.vpnc.org/InteropProfiles/cisco-ios.txt> is helpful for the
> IOS side, except like every other IOS doc I've found, it doesn't quite
> work.  This doc says to declare the route to the remote network to the
> external interface - which the router refuses to do with a
> is-this-router error message.  Also none of the IOS examples I've
> managed to find agree with each other!  Tons of fun.
>
>> Of course, first check that the right ports/protocols are allowed
>> through the firewall on either end: UDP 500 (4500 if behind NAT) and
>> protocols ESP (50) and AH (51).
>
> No firewalls and both ends are connected via a three-foot crossover
> cable.
>



-- 

Ubber::Geek
http://grlug.org/
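As an added illustration (not code from the thread or from openswan), here is a small audit that parses the ipsec.conf conn block and ipsec.secrets PSK line quoted above and flags the points raised in the mail: the 3des-md5 ESP transform, a disabled PFS setting, and a PSK shorter than a chosen minimum. The sample inputs are constructed from the mail's own excerpt, and the set of transforms treated as weak is an assumption.

```python
import re

# Constructed sample inputs, taken from the settings quoted in the mail above.
SAMPLE_CONF = """\
# excerpt from ipsec.conf
conn swan-to-cisco
        left=my.ip.here
        leftsubnet=192.168.3.0/24
        right=remote.ip.here
        rightsubnet=192.168.2.0/24
        esp=3des-md5-96
        pfs=yes
        authby=secret
"""
SAMPLE_SECRETS = 'my.ip.here their.ip.here : PSK "somekindoflongkeyhere"\n'
WEAK = {"md5", "3des", "des", "null"}  # assumption: transforms we flag as weak

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current and "=" in line:             # indented key=value
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def parse_psks(text):
    """Return [(left, right, psk)] for PSK lines in ipsec.secrets."""
    pat = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"')
    return [m.groups() for m in map(pat.match, text.splitlines()) if m]

def audit(conf_text, secrets_text, min_psk_len=20):
    """Return (conn, finding) pairs for weak ESP transforms, no PFS, short PSKs."""
    findings = []
    for name, opts in parse_conns(conf_text).items():
        for alg in re.split(r"[-,;]", opts.get("esp", "")):
            if alg.lower() in WEAK:
                findings.append((name, f"weak ESP algorithm {alg}"))
        if opts.get("pfs", "no").lower() != "yes":
            findings.append((name, "PFS disabled"))
        if opts.get("authby") == "secret":
            for left, right, psk in parse_psks(secrets_text):
                if len(psk) < min_psk_len:
                    findings.append((name, f"short PSK for {left}/{right}"))
    return findings
```

Run against the mail's excerpt it reports only the 3des and md5 transforms; swapping the esp= line for an AES/SHA transform clears the findings.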

