Hi list, I am trying to create a VPN between two different locations. On the first location we have a Cisco PIX 525 NATting the internal 192.168.100.x network, while on the second location we have a CentOS3 box NATting via iptables the internal 192.168.10.x network. My goal is to connect these two over the internet via IPsec. I created the IPsec Net2Net via the network configuration graphic tool, and I configured the Cisco following the howto http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html . From my understanding, I should have an ipsec0 network device showing up, so that I could route all traffic from 192.168.10.x directed to 192.168.100.x through it. The thing is that when I try to ifup ipsec0 I get the following errors:
modprobe: modprobe: Can't locate module ripemd160
modprobe: modprobe: Can't locate module cast128
modprobe: modprobe: Can't locate module lzs
modprobe: modprobe: Can't locate module lzjh
So, after googling and reading a lot with no success, I would like to ask for advice on this, and success stories :). I really need to have this VPN running, and I am not tied to this one solution only; Linux-to-Linux VPN, OpenVPN or anything else you could suggest would be great.
Thanks in advance
Simone
Freeswan is quite easy to use and set up. I have done hundreds over the last few years, including Cisco <-> freeswan and Nortel <-> freeswan.
What do you have in your ipsec.conf file?
P.
Hi Simone,
Are you using CentOS 4?
If you are, the 2.6 kernel comes with openswan, freeswan is dead.
CentOS 4 comes with ipsec-tools to configure ipsec tunnels.
Hi, and thanks. I am using CentOS3 at the moment. Thing is that the Linux box is at the remote location and I can reach that now via an existing VPN that will be dead really soon. Since I'd rather not go there and reinstall and reconfigure the 2 boxes, and since an upgrade from CentOS 3 to 4 is not suggested, I am trying to find a solution that I can implement from here. I see CentOS3 comes with ipsec-tools 0.2.5 while CentOS4 with 0.3.3, is this a big difference? I'll have a look at openswan, thanks
Simone
Feizhou wrote:
Hi Simone,
Are you using CentOS 4?
If you are, the 2.6 kernel comes with openswan, freeswan is dead.
CentOS 4 comes with ipsec-tools to configure ipsec tunnels.
http://www.openswan.org/
BTW there is an openswan package for RHEL 3 here
http://www.openswan.org/download/binaries/rhel/3/i386/
Feizhou wrote:
Hi Simone,
Are you using CentOS 4?
If you are, the 2.6 kernel comes with openswan, freeswan is dead.
CentOS 4 comes with ipsec-tools to configure ipsec tunnels.
I believe ipsec tools (and configuration utilities) in CentOS4 use native 2.6 kernel IPSec (no *swan). I also don't see openswan packages included in the CentOS4 distribution.
Anyhow, native IPSec Linux kernel support in CentOS4 is totally broken at the moment. Things should improve with U1 and be completely fixed in U2 (hopefully). In the meantime, for those that want to use it, there's a test kernel and updated ipsec-tools packages on Bill Notting's page:
http://people.redhat.com/notting/ipsec/
The kernel packages contain fixes for IPSec related kernel panics and the racoon keying loop problem when AH tunnel is used. I don't think all the fixes from 2.6.9-5.0.3.EL.notting.ipsec are present in 2.6.9-5.0.5.EL kernel (so folks might want to stick with Bill's kernel package).
Also, those attempting to configure IPSec "the Red Hat way" (instead of manually writing their own init.d scripts) must check out these bug reports and manually apply some or all fixes to ifup-ipsec and ifdown-ipsec scripts. Make sure to read all comments.
patches to make AH tunnel optional (and more): https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=122452
route patch: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146169
overlapping networks: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=150862
I've attached the latest ifup-ipsec and ifdown-ipsec scripts that work for me to bug #122452 (as a patch against stock scripts).