On Thu, 2008-07-17 at 00:03 -0700, Bill Campbell wrote:
I am attempting to create an ipsec tunnel between two CentOS 5.1 systems, network-to-network with two different 192.168.xxx.0/24 LAN segments.
<snipped>
As someone who has a similar setup to what you are wanting, it sounds like either a problem with the route or with the SRCGW/DSTGW. If your two networks are 192.168.100.0/24 and 192.168.200.0/24 for sites A and B, respectively, with public IPs 1.1.1.1 and 2.2.2.2 (respectively, again), then you will want something like the following:
Site A ifcfg-ipsec0:
    TYPE=IPSEC
    SRCGW=192.168.100.1
    DSTGW=192.168.200.1
    SRCNET=192.168.100.0/24
    DSTNET=192.168.200.0/24
    DST=2.2.2.2

Site B ifcfg-ipsec0:
    TYPE=IPSEC
    SRCGW=192.168.200.1
    DSTGW=192.168.100.1
    SRCNET=192.168.200.0/24
    DSTNET=192.168.100.0/24
    DST=1.1.1.1
You will want to make sure that no NAT'ing is occurring for traffic that wants to flow from site A to B (and vice versa). I also have a static route set up, as I was having some problems with it automatically setting when the ipsec "interface" was set up. For this example, I'm assuming that both Site A and B have two physical interfaces, eth0 and eth1, that have the public and private addresses.
Site A interfaces: eth0: 1.1.1.1 eth1: 192.168.100.1
Site B interfaces: eth0: 2.2.2.2 eth1: 192.168.200.1
Site A route-eth1: 192.168.200.0/24 via 192.168.100.1
Site B route-eth1: 192.168.100.0/24 via 192.168.200.1
On a closing note, you are correct in observing that there is no longer an "ipsec0" or similar interface. I started to explain why...but it got too long. If you would like a crash course on kernel IPSec behaviour, let me know and I'll write up a short one with some further reading linked.
I hope this helps.
--Tim
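An added consistency check, not part of Tim's reply: a POSIX shell script that writes the two ifcfg-ipsec0 files and the two route-eth1 files with the site A / site B values from the message above into a temporary directory (constructed sample files), then verifies that the SRCGW/SRCNET keys on one end equal the DSTGW/DSTNET keys on the other and that each static route sends DSTNET via SRCGW. Running it against the real files under /etc/sysconfig/network-scripts is left to the reader; the paths here are temporaries.

```shell
#!/bin/sh
# Mirror check for a network-to-network pair of ifcfg-ipsec0 files plus the
# static routes that go with them. The files below are constructed samples
# carrying the values from the post; they live in a temporary directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ifcfg-ipsec0.A" <<'EOF'
TYPE=IPSEC
SRCGW=192.168.100.1
DSTGW=192.168.200.1
SRCNET=192.168.100.0/24
DSTNET=192.168.200.0/24
DST=2.2.2.2
EOF
cat > "$WORK/ifcfg-ipsec0.B" <<'EOF'
TYPE=IPSEC
SRCGW=192.168.200.1
DSTGW=192.168.100.1
SRCNET=192.168.200.0/24
DSTNET=192.168.100.0/24
DST=1.1.1.1
EOF
printf '%s\n' '192.168.200.0/24 via 192.168.100.1' > "$WORK/route-eth1.A"
printf '%s\n' '192.168.100.0/24 via 192.168.200.1' > "$WORK/route-eth1.B"

# getkey FILE KEY: print the value of the first KEY=VALUE line in FILE.
getkey() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# check_pair FILE_A FILE_B: succeed only when the two ends mirror each other,
# i.e. A's SRCGW/SRCNET equal B's DSTGW/DSTNET and vice versa.
check_pair() {
    rc=0
    for k in GW NET; do
        [ "$(getkey "$1" "SRC$k")" = "$(getkey "$2" "DST$k")" ] ||
            { echo "SRC$k in $1 does not match DST$k in $2"; rc=1; }
        [ "$(getkey "$1" "DST$k")" = "$(getkey "$2" "SRC$k")" ] ||
            { echo "DST$k in $1 does not match SRC$k in $2"; rc=1; }
    done
    return $rc
}

# check_route ROUTEFILE IFCFG: the route file must contain the exact line
# "DSTNET via SRCGW", as in the route-eth1 examples from the post.
check_route() {
    grep -qxF -- "$(getkey "$2" DSTNET) via $(getkey "$2" SRCGW)" "$1"
}
check_pair "$WORK/ifcfg-ipsec0.A" "$WORK/ifcfg-ipsec0.B" && echo "ipsec0 files mirror each other"
check_route "$WORK/route-eth1.A" "$WORK/ifcfg-ipsec0.A" && echo "site A route OK"
check_route "$WORK/route-eth1.B" "$WORK/ifcfg-ipsec0.B" && echo "site B route OK"
```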