Hi all,
Can somebody explain to me how I can configure the ipsec-tools package to use a private virtual IP address, as openswan does, or point me to some doc/howto about it?
I have seen this howto, but it doesn't work for me:
http://www.howtoforge.com/racoon_roadwarrior_vpn
Many thanks.
Feizhou wrote:
Can somebody explain to me how I can configure the ipsec-tools package to use a private virtual IP address, as openswan does, or point me to some doc/howto about it?
May I offer an alternative? openvpn.net
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Thanks, but it is not an option ... my customer uses an IPsec tunnel ...
carlopmart wrote:
Can somebody explain to me how I can configure the ipsec-tools package to use a private virtual IP address, as openswan does, or point me to some doc/howto about it?
I have seen this howto, but it doesn't work for me:
A quick Google search found these:
http://www.centos.org/docs/4/html/rhel-sag-en-4/s1-network-config-ipsec.html
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-networkscripts-i...
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html
I've used the last one to establish a tunnel to a Cisco VPN router.
Michael D. Kralka wrote:
carlopmart wrote:
Can somebody explain to me how I can configure the ipsec-tools package to use a private virtual IP address, as openswan does, or point me to some doc/howto about it?
I have seen this howto, but it doesn't work for me:
A quick Google search found these:
http://www.centos.org/docs/4/html/rhel-sag-en-4/s1-network-config-ipsec.html
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-networkscripts-i...
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html
I've used the last one to establish a tunnel to a Cisco VPN router.
Thanks Michael, I have seen them before, but these docs don't explain how to use a virtual IP to connect via IPsec ...
carlopmart wrote:
Can somebody explain to me how I can configure the ipsec-tools package to use a private virtual IP address, as openswan does, or point me to some doc/howto about it?
I have seen this howto, but it doesn't work for me:
Thanks Michael, I have seen them before, but these docs don't explain how to use a virtual IP to connect via IPsec ...
Would you be able to post your racoon configuration, maybe which version of ipsec-tools you are using, and maybe some error messages?
It can be pretty easy to make little mistakes which will make this not work.
Cheers, Mike
mike.redan@bell.ca wrote:
carlopmart wrote:
Can somebody explain to me how I can configure the ipsec-tools package to use a private virtual IP address, as openswan does, or point me to some doc/howto about it?
I have seen this howto, but it doesn't work for me:
Thanks Michael, I have seen them before, but these docs don't explain how to use a virtual IP to connect via IPsec ...
Would you be able to post your racoon configuration, maybe which version of ipsec-tools you are using, and maybe some error messages?
It can be pretty easy to make little mistakes which will make this not work.
Cheers, Mike
192.168.2.1 needs to be my virtual IP to connect to the internal customer network. 172.25.50.28 is my laptop's IP that I use on my job's network. I am using CentOS 5 and ipsec-tools version 0.6.5-8.el5. I have tried to use the dummy driver to assign myself the 192.168.2.1 virtual IP, without luck.
My racoon.conf:
path certificate "/etc/racoon/certs";

listen {
    adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
}

remote 1.1.1.1 {
    exchange_mode main;
    certificate_type x509 "user.pem" "user.key";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier fqdn "fwcust.domain.com";
    ca_type x509 "custca.pem";
    verify_identifier on;
    proposal_check obey;
    nat_traversal on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo address 192.168.2.1/32 any address 172.17.47.0/27 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

sainfo address 172.17.47.0/27 any address 192.168.2.1/32 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

sainfo address 172.25.50.28/32 any address 1.1.1.1/32 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

sainfo address 1.1.1.1/32 any address 172.25.50.28/32 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
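Two checks a reader of this thread might want to run over the posted configuration, as an added example that is not part of the thread or of ipsec-tools: a small parser for the sainfo blocks that confirms each address pair has a reverse-direction block with identical settings (in the config above, the 172.25.50.28 <-> 1.1.1.1 pair proposes aes in one direction and 3des in the other), and a helper that emits the setkey(8) spdadd policies that racoon expects to find in the kernel SPD for the virtual-IP traffic, since racoon negotiates the SAs but does not install policies itself. The sample text is a constructed copy of the posted sainfo blocks; the topology the spdadd helper is called with (virtual IP 192.168.2.1 tunnelled between the laptop's 172.25.50.28 and the gateway 1.1.1.1 to reach 172.17.47.0/27) is an assumption taken from the addresses in the mail, and the spdadd line format follows setkey(8).

```python
import re

# Constructed copy of the sainfo blocks from the posted racoon.conf (sample input,
# flattened onto one line each exactly as the mail showed them).
RACOON_CONF = """
sainfo address 192.168.2.1/32 any address 172.17.47.0/27 any { pfs_group 2; lifetime time 12 hour; encryption_algorithm aes; authentication_algorithm hmac_sha256; compression_algorithm deflate; }
sainfo address 172.17.47.0/27 any address 192.168.2.1/32 any { pfs_group 2; lifetime time 12 hour; encryption_algorithm aes; authentication_algorithm hmac_sha256; compression_algorithm deflate; }
sainfo address 172.25.50.28/32 any address 1.1.1.1/32 any { pfs_group 2; lifetime time 12 hour; encryption_algorithm aes; authentication_algorithm hmac_sha256; compression_algorithm deflate ; }
sainfo address 1.1.1.1/32 any address 172.25.50.28/32 any { pfs_group 2; lifetime time 12 hour; encryption_algorithm 3des; authentication_algorithm hmac_sha256; compression_algorithm deflate; }
"""

# 'sainfo address <src> <port> address <dst> <port> { statements }'
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(\S+)\s+(\S+)\s+address\s+(\S+)\s+(\S+)\s*\{([^}]*)\}"
)


def parse_sainfo(text):
    """Extract every sainfo block as {src, dst, settings}.

    settings maps the statement keyword (pfs_group, lifetime, ...) to the rest
    of the statement with whitespace normalised, so 'deflate ;' and 'deflate;' agree.
    """
    blocks = []
    for match in SAINFO_RE.finditer(text):
        src, _src_port, dst, _dst_port, body = match.groups()
        settings = {}
        for statement in body.split(";"):
            statement = statement.strip()
            if statement:
                key, _, value = statement.partition(" ")
                settings[key] = " ".join(value.split())
        blocks.append({"src": src, "dst": dst, "settings": settings})
    return blocks


def find_asymmetries(blocks):
    """Report address pairs whose reverse-direction sainfo is missing or differs.

    racoon selects the sainfo whose address ranges match the phase 2 identities,
    so a pair that differs between directions proposes different algorithms
    depending on which side initiates.
    """
    by_pair = {(b["src"], b["dst"]): b["settings"] for b in blocks}
    problems = []
    seen = set()
    for (src, dst), settings in by_pair.items():
        if (dst, src) in seen:
            continue  # already compared from the other direction
        seen.add((src, dst))
        reverse = by_pair.get((dst, src))
        if reverse is None:
            problems.append(f"{src} -> {dst}: no reverse-direction sainfo")
            continue
        for key in sorted(set(settings) | set(reverse)):
            if settings.get(key) != reverse.get(key):
                problems.append(
                    f"{src} <-> {dst}: {key} differs "
                    f"({settings.get(key)} vs {reverse.get(key)})"
                )
    return problems


def spd_policies(inner_src, inner_dst, outer_src, outer_dst):
    """Build the out/in pair of setkey spdadd lines for one tunnel-mode flow.

    inner_* are the protected ranges (virtual IP and remote LAN), outer_* the
    tunnel endpoints (real laptop address and gateway), per setkey(8):
    spdadd <src> <dst> <upperspec> -P <dir> ipsec esp/tunnel/<A>-<B>/require;
    """
    outbound = (f"spdadd {inner_src} {inner_dst} any -P out ipsec "
                f"esp/tunnel/{outer_src}-{outer_dst}/require;")
    inbound = (f"spdadd {inner_dst} {inner_src} any -P in ipsec "
               f"esp/tunnel/{outer_dst}-{outer_src}/require;")
    return [outbound, inbound]


if __name__ == "__main__":
    for problem in find_asymmetries(parse_sainfo(RACOON_CONF)):
        print("WARNING:", problem)
    # Assumed topology (from the addresses in the thread, not stated by the poster):
    # virtual IP 192.168.2.1 on the laptop at 172.25.50.28, customer LAN behind 1.1.1.1.
    print("\n".join(spd_policies("192.168.2.1/32", "172.17.47.0/27",
                                 "172.25.50.28", "1.1.1.1")))
```

The asymmetry check only compares statements the parser saw, so a setting present in one direction and absent in the other is reported as `x vs None`. The spdadd lines are what would go into the setkey policy file that the ipsec service loads; the virtual address itself still has to exist on an interface so the kernel will source traffic from it.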
Could you also send along how you are starting up racoon, and any error messages you are getting on the command line, and in the log files? (make sure you are starting with verbose/debug at full so you can see exactly what is going on)
(some comments embedded)
Would you be able to post your racoon configuration, maybe which version of ipsec-tools you are using, and maybe some error messages?
It can be pretty easy to make little mistakes which will make this not work.
Cheers, Mike
192.168.2.1 needs to be my virtual IP to connect to the internal customer network. 172.25.50.28 is my laptop's IP that I use on my job's network. I am using CentOS 5 and ipsec-tools version 0.6.5-8.el5. I have tried to use the dummy driver to assign myself the 192.168.2.1 virtual IP, without luck.
You can do something like: ifconfig eth0:0 192.168.2.1
My racoon.conf:
path certificate "/etc/racoon/certs";

listen {
    adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
}

remote 1.1.1.1 {
    exchange_mode main;
If you are set up as a 'road warrior' then you would want exchange_mode aggressive; not main.
    certificate_type x509 "user.pem" "user.key";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier fqdn "fwcust.domain.com";
    ca_type x509 "custca.pem";
    verify_identifier on;
    proposal_check obey;
    nat_traversal on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo address 192.168.2.1/32 any address 172.17.47.0/27 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

sainfo address 172.17.47.0/27 any address 192.168.2.1/32 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

sainfo address 172.25.50.28/32 any address 1.1.1.1/32 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

sainfo address 1.1.1.1/32 any address 172.25.50.28/32 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
--
Ohh..and meant to mention...you may be able to get better assistance from the ipsec-tools mailing list, we can do our best here, but they are the experts.
Mike
mike.redan@bell.ca wrote:
Could you also send along how you are starting up racoon, and any error messages you are getting on the command line, and in the log files? (make sure you are starting with verbose/debug at full so you can see exactly what is going on)
The logs don't report any error ... on my laptop. On the firewall side, it displays errors saying that I am not using the 192.168.2.1 IP.
(some comments embedded)
Would you be able to post your racoon configuration, maybe which version of ipsec-tools you are using, and maybe some error messages?
It can be pretty easy to make little mistakes which will make this not work.
Cheers, Mike
192.168.2.1 needs to be my virtual IP to connect to the internal customer network. 172.25.50.28 is my laptop's IP that I use on my job's network. I am using CentOS 5 and ipsec-tools version 0.6.5-8.el5. I have tried to use the dummy driver to assign myself the 192.168.2.1 virtual IP, without luck.
You can do something like: ifconfig eth0:0 192.168.2.1
Doesn't work ....
My racoon.conf:
path certificate "/etc/racoon/certs";

listen {
    adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
}

remote 1.1.1.1 {
    exchange_mode main;
If you are set up as a 'road warrior' then you would want exchange_mode aggressive; not main.
With aggressive mode, phase 1 doesn't work ...
    certificate_type x509 "user.pem" "user.key";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier fqdn "fwcust.domain.com";
    ca_type x509 "custca.pem";
    verify_identifier on;
    proposal_check obey;
    nat_traversal on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo address 192.168.2.1/32 any address 172.17.47.0/27 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

sainfo address 172.17.47.0/27 any address 192.168.2.1/32 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

sainfo address 172.25.50.28/32 any address 1.1.1.1/32 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

sainfo address 1.1.1.1/32 any address 172.25.50.28/32 any {
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
--