Title: IPSEC network-to-network Redhat/Centos Post by: daytron on Wednesday 11 February 2009, 09:38:00 pm Hello,
I thought I'd post the details on getting Endian (2.2RC3) to talk to Redhat/Centos (5.x) using a network-to-network IPSEC tunnel. Endian uses openswan/pluto, RH/Centos uses KAME/racoon.

Following the RH/Centos doc for establishing a network-to-network tunnel between two RH/Centos boxes is dead easy. However, what is not documented is that by default both AH and ESP encryption are used in stage 2. By default, Endian/openswan only uses ESP encryption. The easiest solution is to disable AH encryption on the RH/Centos end using the AH_PROTO directive in the ifcfg-ipsecX file:

    TYPE=IPSEC
    #Started out of rc.local
    ONBOOT=no
    IKE_METHOD=PSK
    AH_PROTO=none
    SRCGW=192.168.0.11
    DSTGW=192.168.2.1
    SRCNET=192.168.0.0/24
    DSTNET=192.168.2.0/24
    DST=RED_IP_of_Endian_Box

Then in Endian, use:

    IKE - 3DES, SHA, DH Group 2
    ESP - 3DES, SHA1
    Phase 1 group aggressive mode (optional)
    Perfect Forward Secrecy

That config is directly compatible with the default RH/Centos ipsec config. You could just select everything, but that wastes time in the setup negotiation.

I hope this saves someone else a lot of time/effort!
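A way to confirm on the RH/Centos side that the AH/ESP mismatch is actually gone once the tunnel is up, as an added example that is not part of the original post. It assumes the RH/Centos box is the local end, that the iproute `ip xfrm state` command is available there, and it uses constructed sample output (the 203.0.113.10 peer address, the SPIs and the key material are made up for illustration) so it can be run offline; the function and file names are mine, not anything from the Endian or Red Hat documentation.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the ifcfg-ipsecX
# file disables AH, and that the kernel's live SAs are ESP-only.
# Assumes iproute's `ip xfrm state` exists on the RH/CentOS end.

# Return 0 when the given ifcfg file contains AH_PROTO=none, 1 otherwise.
ifcfg_ah_disabled() {
    grep -q '^AH_PROTO=none' "$1"
}

# Read `ip xfrm state` output on stdin and print "esp=<n> ah=<n>",
# counting one SA per "proto esp" / "proto ah" line.
count_sa() {
    awk '/^[ \t]*proto esp/ { esp++ }
         /^[ \t]*proto ah/  { ah++ }
         END { printf "esp=%d ah=%d\n", esp + 0, ah + 0 }'
}

# Read `ip xfrm state` output on stdin; succeed only when at least one ESP
# SA exists and no AH SA was negotiated (the state the post is aiming for).
tunnel_esp_only() {
    counts=$(count_sa)
    case "$counts" in
        esp=0*) return 1 ;;   # no ESP SAs at all: tunnel is not up
        *ah=0)  return 0 ;;   # ESP present, AH absent: matches Endian
        *)      return 1 ;;   # AH still negotiated: AH_PROTO=none missing
    esac
}

# Constructed sample: what `ip xfrm state` looks like when RH/CentOS still
# negotiated both AH and ESP (the default the post warns about).
SAMPLE_AH_AND_ESP='src 192.168.0.11 dst 203.0.113.10
	proto esp spi 0x0a1b2c3d reqid 0 mode tunnel
	replay-window 32
	auth hmac(sha1) 0x0102030405060708090a0b0c0d0e0f1011121314
	enc cbc(des3_ede) 0x000102030405060708090a0b0c0d0e0f1011121314151617
src 192.168.0.11 dst 203.0.113.10
	proto ah spi 0x0a1b2c3e reqid 0 mode tunnel
	replay-window 32
	auth hmac(sha1) 0x14131211100f0e0d0c0b0a090807060504030201'

# Constructed sample: the same tunnel after AH_PROTO=none, ESP only.
SAMPLE_ESP_ONLY='src 192.168.0.11 dst 203.0.113.10
	proto esp spi 0x0a1b2c3d reqid 0 mode tunnel
	replay-window 32
	auth hmac(sha1) 0x0102030405060708090a0b0c0d0e0f1011121314
	enc cbc(des3_ede) 0x000102030405060708090a0b0c0d0e0f1011121314151617'

# Run the check against both samples when executed directly.
# On a live box, replace the sample with:  ip xfrm state | tunnel_esp_only
for name in SAMPLE_AH_AND_ESP SAMPLE_ESP_ONLY; do
    eval "sample=\$$name"
    if printf '%s\n' "$sample" | tunnel_esp_only; then
        echo "$name: ESP-only, compatible with the Endian side"
    else
        echo "$name: AH negotiated or no ESP SA, check AH_PROTO in ifcfg-ipsecX"
    fi
done
```

The ifcfg check is deliberately strict about `AH_PROTO=none` at the start of a line, so a commented-out `#AH_PROTO=none` does not pass; run it against the real file with `ifcfg_ah_disabled /etc/sysconfig/network-scripts/ifcfg-ipsec0` after `ifup ipsec0`.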