[CentOS] VPN

Mon May 30 14:15:41 UTC 2005
Aleksandar Milivojevic <amilivojevic at pbl.ca>

Feizhou wrote:
> Hi Simone,
> 
> Are you using CentOS 4?
> 
> If you are, the 2.6 kernel comes with openswan, freeswan is dead.
> 
> CentOS 4 comes with ipsec-tools to configure ipsec tunnels.

I believe ipsec tools (and configuration utilities) in CentOS4 use 
native 2.6 kernel IPSec (no *swan).  I also don't see openswan packages 
included in the CentOS4 distribution.

Anyhow, native IPSec Linux kernel support in CentOS4 is totally broken at 
the moment.  Things should improve with U1 and be completely fixed in U2 
(hopefully).  In the meantime, for those that want to use it, there's a 
test kernel and updated ipsec-tools packages on Bill Notting's page:

http://people.redhat.com/notting/ipsec/

The kernel packages contain fixes for IPSec related kernel panics and 
the racoon keying loop problem when an AH tunnel is used.  I don't think 
all the fixes from 2.6.9-5.0.3.EL.notting.ipsec are present in the 
2.6.9-5.0.5.EL kernel (so folks might want to stick with Bill's kernel 
package).

Also, those attempting to configure IPSec "the Red Hat way" (instead of 
manually writing their own init.d scripts) must check out these bug 
reports and manually apply some or all fixes to the ifup-ipsec and 
ifdown-ipsec scripts.  Make sure to read all comments.

patches to make AH tunnel optional (and more):
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=122452

route patch:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146169

overlapping networks:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=150862

I've attached the latest ifup-ipsec and ifdown-ipsec scripts that work 
for me to bug #122452 (as a patch against the stock scripts).

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
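For readers who take the "write your own scripts" route mentioned above rather than the ifup-ipsec/ifdown-ipsec path, the following is an added example (not part of the original message, and not code from the ipsec-tools project or the Red Hat scripts). It generates the setkey(8) policy and a minimal racoon.conf for a subnet-to-subnet tunnel. By default it requests ESP only, i.e. the AH tunnel stays optional, which is the configuration the message says avoids the racoon keying loop; pass "ah" as the fifth argument to add an AH tunnel as well. The addresses, subnets and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit setkey(8) SPD policy and a racoon.conf for an
# IPsec tunnel between two subnets. Not from the original post;
# all addresses below are constructed for illustration.

# ipsec_policy LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW [ah]
# Prints the outbound and inbound spdadd lines for a tunnel-mode policy.
# ESP is always required; AH is added only when the 5th argument is "ah".
ipsec_policy() {
    lnet=$1; rnet=$2; lgw=$3; rgw=$4; want_ah=${5:-}
    pol_out="esp/tunnel/${lgw}-${rgw}/require"
    pol_in="esp/tunnel/${rgw}-${lgw}/require"
    if [ "$want_ah" = "ah" ]; then
        # A second protocol spec on the same policy line means "ESP and AH".
        pol_out="$pol_out ah/tunnel/${lgw}-${rgw}/require"
        pol_in="$pol_in ah/tunnel/${rgw}-${lgw}/require"
    fi
    printf 'spdadd %s %s any -P out ipsec %s;\n' "$lnet" "$rnet" "$pol_out"
    printf 'spdadd %s %s any -P in ipsec %s;\n' "$rnet" "$lnet" "$pol_in"
}

# setkey_script LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW [ah]
# Full script suitable for "setkey -f": clears SAD/SPD, then installs policy.
# Key material is negotiated by racoon, so no "add" (SAD) lines are needed.
setkey_script() {
    printf 'flush;\nspdflush;\n'
    ipsec_policy "$@"
}

# racoon_conf REMOTE_GW PSK_FILE
# Minimal IKEv1 main-mode configuration using a pre-shared key.
# The PSK file format is "<remote-gw> <secret>", one entry per line.
racoon_conf() {
    rgw=$1; pskfile=$2
    cat <<EOF
path pre_shared_key "${pskfile}";

remote ${rgw} {
	exchange_mode main;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group modp1024;
	}
}

sainfo anonymous {
	pfs_group modp1024;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
EOF
}

# Run with "show" to print both files for the constructed example;
# pipe the first part into "setkey -c" on a real host.
if [ "${1:-}" = "show" ]; then
    echo "# setkey policy (ESP only):"
    setkey_script 10.0.1.0/24 10.0.2.0/24 192.0.2.1 198.51.100.1
    echo
    echo "# /etc/racoon/racoon.conf:"
    racoon_conf 198.51.100.1 /etc/racoon/psk.txt
fi
```

The mirror host uses the same script with the local and remote arguments swapped, so that its inbound policy matches this side's outbound one. Restricting the sainfo and remote blocks to specific peers instead of "anonymous" is preferable once the tunnel is known to come up.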