On Thu, Jul 17, 2008, Timothy Selivanow wrote:
On Thu, 2008-07-17 at 00:03 -0700, Bill Campbell wrote:
I am attempting to create an ipsec tunnel between two CentOS 5.1 systems, network-to-network with two different 192.168.xxx.0/24 LAN segments.
<snipped>
As someone who has a similar setup to what you are wanting, it sounds like either the route, or a problem with the SRCGW/DSTGW. If your two networks are 192.168.100.0/24 and 192.168.200.0/24 for sites A and B, respectively, with public IPs 1.1.1.1 and 2.2.2.2 (respectively, again), then you will want something like the following:
Site A ifcfg-ipsec0: TYPE=IPSEC SRCGW=192.168.100.1 DSTGW=192.168.200.1 SRCNET=192.168.100.0/24 DSTNET=192.168.200.0/24 DST=2.2.2.2
Site B ifcfg-ipsec0: TYPE=IPSEC SRCGW=192.168.200.1 DSTGW=192.168.100.1 SRCNET=192.168.200.0/24 DSTNET=192.168.100.0/24 DST=1.1.1.1
These are the same as what I have with the appropriate IP and CIDR blocks.
You will want to make sure that no NAT'ing is occurring for traffic that wants to flow from site A to B (and vice-versa). I also have a static route set up, as I was having some problems with it automatically setting when the ipsec "interface" was set up. For this example, I'm assuming that both Site A and B have two physical interfaces, eth0 and eth1, that have the public and private addresses.
It each case these are machines that are directly connected to the Internet with no NAT.
Site A interfaces: eth0: 1.1.1.1 eth1: 192.168.100.1
Site B interfaces: eth0: 2.2.2.2 eth1: 192.168.200.1
Site A route-eth1: 192.168.200.0/24 via 192.168.100.1
Site B route-eth1: 192.168.100.0/24 via 192.168.200.1
These are equivalent.
It appears to me that the ``ifup ipsec0'' command primarily wakes racoon up to modify the /etc/racoon/racoon.conf file with the appropriate include and to set the route, and ``ifdown'' mostly removes the route.
On a closing note, you are correct in observing that there is no longer an "ipsec0" or similar interface. I started to explain why...but it got too long. If you would like a crash course on kernel IPSec behaviour, let me know and I'll write up a short one with some further reading linked.
I would be very interested in this.
After letting things sit overnight, and seeing ``IPsec-SA expired'' messages in /var/log/messages, I tried again this afternoon. without success. There are some things that seem noteworthy to me.
1. There was no traffic between the machines until I started ``tcpdump'' on one, at which time it initiated the handshaking with the machine here (one machine is here on M.I. the other in Kansas City).
2. When racoon starts, there is a message in /var/log/messages, ``racoon: ERROR: racoon: MLS support is not enabled''. I haven't been able to figure out what that means.
3. The Kansas City machine is running kernel 2.6.18-53.1.14.el5 SMP, x86_64.
4. The M.I. machine is running 2.6.18-53.1.21.el5PAE SMP i686...
5. The M.I. machine hosts several VMware virtual machines so both its NICs are in promiscuous mode.
Bill