IPSec network-to-host on centos to Cisco VPN 3000

[unclego]

CentOS 5.3 with all updates.

I need to setup a bit strange IPSec tunnel. Don't ask me why, the other side is a government agency and have this requirements.

I manage to run network-to-network tunnel and phase1 & phase2 was passed. I ommit racoon config it setup properly.
192.168.110.121 is up as eth0:0 ( i have only 2NICs, eth0 is internal network and another is eth1/ppp0)
/etc/sysconfig/network-scripts/ifcfg-ipsec0

Code:

ONBOOT=no
TYPE=IPSEC
DST=XX.XX.XX.XX
SRCGW=192.168.110.121
SRCNET=192.168.110.120/29
DSTGW=10.30.14.18
DSTNET=10.30.14.0/24
IKE_METHOD=PSK

But due to other side requirements after tunnel is up they don't allow my resuests.
Basicaly other side admin says all is ok, but your traffic should go from 192.168.110.120/29, not from 192.168.110.121 and go to 10.30.14.18 not to

10.30.14.0/24.
I am confused, RedHat/Centos docs about IPsec Interfaces says

Quote:

SRC=<address>
where <address> is the IP address of the IPsec source host or router. This setting is optional and is only used for host-to-host IPsec configurations.

etc etc

It seem reasonable to achieve my goal with this setup

Code:

ONBOOT=no
TYPE=IPSEC
DST=XX.XX.XX.XX
SRCNET=192.168.110.120/29
DSTGW=10.30.14.18
IKE_METHOD=PSK

but IPSec tools can,t manage routes. I got No route to host when try to access a service on other side.
I try manual add some routes, but no succes
route add -net 10.30.14.0 netmask 255.255.255.0 gw 192.168.110.121
route add -host 10.30.14.18 gw 192.168.110.121
No traffic or attempt to bring up tunnel acording to tcpdump and racoon log.
I suspect something like
route add -net 10.30.14.0 netmask 255.255.255.0 dev ipsec0
will solve my problem, but there isn't dev ipsec0 (found somwhere a post from developers about kernel crash)

Other side uses Cisco VPN 3000 Series. I know this kind of setup is possible, because other people do it wtih hardware devices, but I don't wanna be forced to buy a CPU with some flash and web interface to same Linux.

I will gladly provide more info like racoon logs and tcpdumps if needed.

Also atm i'm trying to setup same tunnel with OpenSWAN, but their docs are horrible and im stuck atm.

One side question. Is theres any way to control bringing up ipsec0 after ppp0 is up.

[topdog]

Its is easier to do with openswan, take a look at http://www.linuxhomenetworking.com/w...ing_Linux_VPNs as for starting the connection when ppp0 is up, you can create /etc/ppp/ip-up.local and add your commands there something like

Code:

if [ "$IFNAME" = "ppp0" ]; then
   service ipsec start
fi

And stop if if ppp0 drops, you add that to the ip-down.local file.

[unclego]

Thank you for a guide link. I manage to bring up tunnel with openswan too
004 "test" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel.

Unlike the IPSec tools openswan don't add a route to other side so i add manualy
route add -host 10.30.14.18 gw <My extenal IP>
but still get conection refused when trying to access other side service. Can't do much more today, so i'll wait till monday and contact other side administrator and get some info which of their acl-s block my traffic.

[unclego]

I'm totally stuck with two problems.
1. Which is correct way to route requests to 10.30.14.18 (remote side private host)
2. How do i make request to 10.30.14.18 come exactly from 192.168.110.120/29 on other side

[topdog]

Actually if your settings are correct the route should be inserted automatically.

[unclego]

Yep IPSec tools insert route, but openswan doesn't.

Other side admins says my traffic come from wrong address, but not tell me from which. I suspect it comes from my another internal 10.0.0.0/16 net.
Is there a way to masquerade all traffic to 10.30.14.18 from 192.168.110.121?