Written by James McDonald

June 23, 2008

I am currently investigating setting up a connection with the following features:

  • Linux 2.6.x Base System
  • IPSec Compliant Gateway
  • NAT on the Gateway to hide internal addresses from the remote network

http://www.sherman.ca/archives/2004/11/21/linux-26-ipsec-vpns/
http://ipsec-tools.sourceforge.net/
http://lartc.org/howto/lartc.ipsec.html
http://www.fw-1.de/aerasec/ng/vpn-racoon/CP-VPN1-NG-Linux-racoon.html

Update: I have been trying to find some decent information on configuration it looks as though the Redhat / CentOS deployment guide is quite helpful. Only problem is the system-config-network utility shows different options if running without X so you need to do your own file hacking to get it working.

http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-ipsec-net2net.html#

Definately recommend using the above link it really works well on Redhat/CentOS. A simple ifup controls the connection also all the routes are added and racoon is controlled automagically.

It appears there is plenty of information out there by which to precede. All I need to do now is digest it and make it work.

Troubles:
Having bridging enabled on one gateway seems to defeat the IPSec tunnel in Lan2Lan mode. You can ping and see the ping packets hitting the remote host and returning through the tunnel. The bridging seems to confuse the packets and they don’t arrive back at the source host.

Seems I’m not the only one

I notice that the default setup for the Redhat / CentOS ipsec configuration uses both AH and ESP. If you call the name of your ipsec connection ipsec0. Turn off AH by setting AH_PROTO=none in /etc/sysconfig/network-scripts/ifcfg-ipsec0

Interesting link re tunnel mode but to a single host.
http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry070623-160740

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.

You May Also Like…