HowtoForge Forums > Linux Forums > Installation/Configuration
#1 | 6th June 2009, 13:05 | unclego (Junior Member, joined Jun 2009)
Subject: IPSec network-to-host on CentOS to Cisco VPN 3000

CentOS 5.3 with all updates.

I need to set up a somewhat strange IPSec tunnel. Don't ask me why; the other side is a government agency and has these requirements.

I managed to run a network-to-network tunnel, and phase 1 and phase 2 were passed. I omit the racoon config; it is set up properly.
192.168.110.121 is up as eth0:0 (I have only 2 NICs: eth0 is the internal network and the other is eth1/ppp0).
/etc/sysconfig/network-scripts/ifcfg-ipsec0
Code:
ONBOOT=no
TYPE=IPSEC
DST=XX.XX.XX.XX
SRCGW=192.168.110.121
SRCNET=192.168.110.120/29
DSTGW=10.30.14.18
DSTNET=10.30.14.0/24
IKE_METHOD=PSK
But due to the other side's requirements, after the tunnel is up they don't allow my requests.
Basically the other side's admin says all is OK, but my traffic should come from 192.168.110.120/29, not from 192.168.110.121, and go to 10.30.14.18, not to 10.30.14.0/24.

I am confused; the RedHat/CentOS docs about IPsec interfaces say
Quote:
SRC=<address>
where <address> is the IP address of the IPsec source host or router. This setting is optional and is only used for host-to-host IPsec configurations.

etc etc
It seems reasonable to achieve my goal with this setup
Code:
ONBOOT=no
TYPE=IPSEC
DST=XX.XX.XX.XX
SRCNET=192.168.110.120/29
DSTGW=10.30.14.18
IKE_METHOD=PSK
but IPSec tools can't manage routes. I got "No route to host" when trying to access a service on the other side.
I tried to manually add some routes, but no success:
route add -net 10.30.14.0 netmask 255.255.255.0 gw 192.168.110.121
route add -host 10.30.14.18 gw 192.168.110.121

No traffic or attempt to bring up the tunnel according to tcpdump and the racoon log.
I suspect something like
route add -net 10.30.14.0 netmask 255.255.255.0 dev ipsec0
will solve my problem, but there isn't a dev ipsec0 (I found somewhere a post from the developers about a kernel crash).

The other side uses a Cisco VPN 3000 Series. I know this kind of setup is possible, because other people do it with hardware devices, but I don't want to be forced to buy a CPU with some flash and a web interface to do the same as Linux.

I will gladly provide more info like racoon logs and tcpdumps if needed.

Also, at the moment I'm trying to set up the same tunnel with OpenSWAN, but their docs are horrible and I'm stuck.

One side question: is there any way to control bringing up ipsec0 after ppp0 is up?

Last edited by unclego; 8th June 2009 at 10:58.
#2 | 6th June 2009, 18:08 | topdog (Senior Member, South Africa, joined Jan 2008)

It is easier to do with openswan; take a look at http://www.linuxhomenetworking.com/w...ing_Linux_VPNs . As for starting the connection when ppp0 is up, you can create /etc/ppp/ip-up.local and add your commands there, something like

Code:
if [ "$IFNAME" = "ppp0" ]; then
   service ipsec start
fi
And to stop it if ppp0 drops, you add that to the ip-down.local file.
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
#3 | 7th June 2009, 14:07 | unclego (Junior Member)

Thank you for the guide link. I managed to bring up the tunnel with openswan too:
004 "test" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel.

Unlike the IPSec tools, openswan doesn't add a route to the other side, so I added it manually:
route add -host 10.30.14.18 gw <My extenal IP>
but I still get "connection refused" when trying to access the other side's service. Can't do much more today, so I'll wait till Monday and contact the other side's administrator to get some info on which of their ACLs block my traffic.

#4 | 8th June 2009, 12:29 | unclego (Junior Member)

I'm totally stuck with two problems.
1. What is the correct way to route requests to 10.30.14.18 (remote side private host)?
2. How do I make requests to 10.30.14.18 come exactly from 192.168.110.120/29 on the other side?

#5 | 8th June 2009, 12:34 | topdog (Senior Member, South Africa)

Actually if your settings are correct the route should be inserted automatically.
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
#6 | 8th June 2009, 12:56 | unclego (Junior Member)

Yep, IPSec tools insert the route, but openswan doesn't.

The other side's admins say my traffic comes from the wrong address, but don't tell me which one. I suspect it comes from my other internal 10.0.0.0/16 net.
Is there a way to masquerade all traffic to 10.30.14.18 from 192.168.110.121?
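An added illustration, not from any participant in this thread, of why packets sourced from the other internal 10.0.0.0/16 net miss the phase-2 selector (192.168.110.120/29 to 10.30.14.18/32, the values the remote admin asked for) and so leave unencrypted, and what a SNAT rule to 192.168.110.121 changes. It models the kernel's policy selector check; the ordering assumed (NAT in POSTROUTING, then a fresh IPsec policy match on the rewritten source) is Linux behaviour, and the selectors, sample sources and SNAT address are taken from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Phase-2 selectors from the thread: local /29 to the single remote host.
LOCAL_NET = ipaddress.ip_network("192.168.110.120/29")
REMOTE_HOST = ipaddress.ip_network("10.30.14.18/32")
SNAT_ADDR = ipaddress.ip_address("192.168.110.121")  # the eth0:0 alias


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


SPD = [Policy(LOCAL_NET, REMOTE_HOST)]  # the single outbound tunnel policy


def spd_lookup(src, dst):
    """Return the first policy whose selectors contain (src, dst), else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in SPD:
        if src in p.src and dst in p.dst:
            return p
    return None


def apply_snat(src, dst, rules):
    """rules: list of (dst_net, new_src), like a nat POSTROUTING SNAT rule."""
    for net, new_src in rules:
        if ipaddress.ip_address(dst) in net:
            return new_src
    return ipaddress.ip_address(src)


def classify(src, dst, snat_rules=()):
    """Outcome for one packet: NAT first, then the policy match on the
    rewritten source. Returns (effective_src, 'tunnel' or 'clear')."""
    eff = apply_snat(src, dst, snat_rules)
    return str(eff), "tunnel" if spd_lookup(eff, dst) else "clear"


def snat_rule_cmd(dst_net, new_src):
    """The iptables line implementing one SNAT rule (run as root on the gateway)."""
    return f"iptables -t nat -A POSTROUTING -d {dst_net} -j SNAT --to-source {new_src}"


if __name__ == "__main__":
    rules = [(REMOTE_HOST, SNAT_ADDR)]
    for src in ("192.168.110.121", "10.0.3.7"):  # constructed sample sources
        print(src, classify(src, "10.30.14.18"), "with SNAT:", classify(src, "10.30.14.18", rules))
    print(snat_rule_cmd(REMOTE_HOST, SNAT_ADDR))
```

A packet to 10.30.14.19 stays in the clear even from 192.168.110.121, which is the other half of the remote admin's requirement: the selector is the single host, not 10.30.14.0/24.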
Tags: centos, ipsec
All times are GMT +2.