Author Topic: IPSEC network-to-network Redhat/Centos  (Read 23621 times)
daytron

« on: Wednesday 11 February 2009, 09:38:00 pm »

Hello,

I thought I'd post the details on getting Endian (2.2RC3) to talk to Redhat/Centos (5.x) using a network-to-network IPSEC tunnel.

Endian uses openswan/pluto, RH/Centos uses KAME/racoon. Following the RH/Centos doc for establishing a network-to-network tunnel between two RH/Centos boxes is dead easy. However what is not documented is that by default both AH and ESP encryption are used in stage 2. By default, Endian/openswan only uses ESP encryption.

The easiest solution is to disable AH encryption on the RH/Centos end using the AH_PROTO directive in the ifcfg-ipsecX file:

TYPE=IPSEC
#Started out of rc.local
ONBOOT=no
IKE_METHOD=PSK
AH_PROTO=none
SRCGW=192.168.0.11
DSTGW=192.168.2.1
SRCNET=192.168.0.0/24
DSTNET=192.168.2.0/24
DST=RED_IP_of_Endian_Box

Then in Endian, use:

IKE - 3DES, SHA, DH Group 2
ESP - 3DES, SHA1, Phase 1 group
aggressive mode (optional)
Perfect Forward Secrecy

That config is directly compatible with the default RH/Centos ipsec config. You could just select everything but that wastes time in the setup negotiation.

I hope this saves someone else a lot of time/effort!
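The mismatch described in the post (RH/CentOS proposing AH+ESP in phase 2 while the Endian/openswan side only supports ESP) is easy to catch before bringing the tunnel up. The following is an added example, not code from the post or from Endian/Red Hat: it parses an ifcfg-ipsecX file, works out which phase-2 protocols that side will propose, and reports what has to change for an ESP-only peer. It assumes, as the post states, that an unset AH_PROTO means AH is proposed and that `none` disables it (the same reading is applied to ESP_PROTO); the sample file contents are constructed from the values in the post.

```python
"""Phase-2 compatibility check for a Red Hat / CentOS ifcfg-ipsecX file
against a peer that only supports ESP (such as the Endian/openswan side
described in the post). Added example, not part of the original thread."""

import ipaddress

# Constructed sample: the post's ifcfg-ipsecX with AH_PROTO left unset, i.e.
# the default RH/CentOS behaviour that proposes AH as well as ESP.
SAMPLE_DEFAULT_AH = """\
TYPE=IPSEC
#Started out of rc.local
ONBOOT=no
IKE_METHOD=PSK
SRCGW=192.168.0.11
DSTGW=192.168.2.1
SRCNET=192.168.0.0/24
DSTNET=192.168.2.0/24
DST=RED_IP_of_Endian_Box
"""

# The same file with the fix from the post applied.
SAMPLE_FIXED = SAMPLE_DEFAULT_AH.replace(
    "IKE_METHOD=PSK\n", "IKE_METHOD=PSK\nAH_PROTO=none\n")


def parse_ifcfg(text):
    """Parse shell-style KEY=VALUE lines into a dict; '#' comments and
    surrounding quotes are dropped, blank lines skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def phase2_protocols(cfg):
    """Set of IPsec (phase-2) protocols this side will propose.
    Assumption (as in the post): AH_PROTO unset or not 'none' -> AH is
    proposed; ESP_PROTO treated the same way."""
    protos = set()
    if cfg.get("AH_PROTO", "default").lower() != "none":
        protos.add("AH")
    if cfg.get("ESP_PROTO", "default").lower() != "none":
        protos.add("ESP")
    return protos


def check_peer_compat(cfg, peer_protocols=frozenset({"ESP"})):
    """Return a list of findings; empty means the phase-2 proposal can match
    the peer and the required fields are present."""
    ours = phase2_protocols(cfg)
    findings = []
    for proto in sorted(ours - set(peer_protocols)):
        findings.append(f"{proto} is proposed locally but the peer only "
                        f"supports {'/'.join(sorted(peer_protocols))}; "
                        f"set {proto}_PROTO=none")
    if not ours:
        findings.append("no phase-2 protocol enabled; tunnel cannot carry traffic")
    for key in ("SRCNET", "DSTNET", "DST"):
        if not cfg.get(key):
            findings.append(f"{key} missing")
    if cfg.get("DST"):
        try:
            ipaddress.ip_address(cfg["DST"])
        except ValueError:
            findings.append("DST is not an IP address; replace the placeholder "
                            "with the peer gateway address")
    return findings


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT_AH), ("fixed", SAMPLE_FIXED)):
        cfg = parse_ifcfg(text)
        print(f"[{label}] proposes {sorted(phase2_protocols(cfg))}")
        for finding in check_peer_compat(cfg):
            print(f"  - {finding}")
```

Running it on the unfixed sample reports the AH mismatch; on the fixed sample the only remaining finding is that `DST` still holds the post's placeholder rather than the Endian box's RED address.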