Quoting Dag Wieers <dag at wieers.com>:

> Hi,
>
> Does anyone have experience using IPSEC on CentOS in order to connect to
> vendor IPSEC-based VPN products (specifically Checkpoint FW1)?
>
> Is the included IPSEC implementation sufficient, or do people have to rely
> on OpenSWAN or FreeSWAN? I'd be testing tomorrow and I'm interested in
> experiences others have had and things to look out for.

Depends on what you want to do.

The IPSec implementation in the default kernel just works, on its own. Some things might not be really intuitive to figure out (such as routing, which is now affected by both the routing table and the IPSec policy, and the fact that IPSec tunnels do not have virtual interfaces).

If you want to use only IPSec, the default config files in /etc/sysconfig/network-scripts should do the job for most network configs. If you have something exotic, you might need to script a bit yourself.

If the other side uses GRE inside IPSec (seems to be a common setup on Cisco routers that also run BGP), you'll need to script a bit yourself. 2.6 kernels do both GRE and IPSec, and the combination of the two, nicely. However, there are no provisions for GRE in initscripts (check the Linux Advanced Routing HOWTOs on how to use the "ip tunnel" command to set up GRE).

However, do note that there are some unsolved bugs in Netfilter that affect IPSec traffic. So if you want to have both a firewall and IPSec on the same machine, there are a couple of things to watch out for. They will never be fixed in CentOS4/RHEL4, since fixing them would break the kernel ABI. That's the response I got from RH; see these bugzillas:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165359
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143374

Also, if you want to combine GRE with IPSec with Netfilter, you'd need to configure IPSec in tunnel mode (the common setup for GRE inside IPSec is transport mode, since GRE is already handling tunneling). The bugs in Netfilter just get more severe when using transport mode.
-- 
NOTICE: If you are not intended recipient, you are hereby notified that by reading this message you agreed not to disturb frogs during mating season. For more info, visit http://www.8-P.ca/
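The GRE-inside-IPsec setup the reply describes, as an added shell example that is not part of the thread: it brings up the GRE tunnel with "ip tunnel" (the part initscripts do not cover) and emits the setkey(8) policy for either transport or tunnel mode. All addresses and the gre1 device name are constructed placeholders, and SA keying (racoon or manual SAs) is assumed to be handled separately.

```shell
#!/bin/sh
# Added example, not from the thread: bring up a GRE tunnel with "ip tunnel" and
# emit the setkey(8) SPD entries that protect only the GRE traffic between the
# two peers. All addresses and names below are constructed placeholders.
set -e

LOCAL_PUB=198.51.100.10     # our public address (constructed)
REMOTE_PUB=203.0.113.20     # peer public address (constructed)
GRE_IF=gre1                 # tunnel device name (hypothetical)
GRE_ADDR=10.255.0.1/30      # inner point-to-point address
REMOTE_LAN=10.20.0.0/16     # network reachable through the tunnel
DRY_RUN=${DRY_RUN:-1}       # 1 = print commands, 0 = execute them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# GRE side: initscripts have no ifcfg support for this, so it is done by hand.
# Only the route to the remote LAN goes via the GRE device; the plain route to
# REMOTE_PUB must already exist, because an IPsec policy never adds routes.
gre_up() {
  run ip tunnel add "$GRE_IF" mode gre local "$LOCAL_PUB" remote "$REMOTE_PUB" ttl 255
  run ip link set "$GRE_IF" up
  run ip addr add "$GRE_ADDR" dev "$GRE_IF"
  run ip route add "$REMOTE_LAN" dev "$GRE_IF"
}

# IPsec side: $1 is "transport" (the usual GRE-in-IPsec setup) or "tunnel"
# (what the reply recommends when Netfilter runs on the same box). The selector
# "gre" limits the policy to IP protocol 47; in tunnel mode the inbound
# template names the peer first.
spd_policy() {
  case "$1" in
    transport)
      out_tmpl="esp/transport//require"
      in_tmpl="esp/transport//require" ;;
    tunnel)
      out_tmpl="esp/tunnel/${LOCAL_PUB}-${REMOTE_PUB}/require"
      in_tmpl="esp/tunnel/${REMOTE_PUB}-${LOCAL_PUB}/require" ;;
    *) echo "spd_policy: mode must be transport or tunnel" >&2; return 1 ;;
  esac
  printf 'spdflush;\n'    # note: clears every existing policy on the host
  printf 'spdadd %s %s gre -P out ipsec %s;\n' "$LOCAL_PUB" "$REMOTE_PUB" "$out_tmpl"
  printf 'spdadd %s %s gre -P in ipsec %s;\n' "$REMOTE_PUB" "$LOCAL_PUB" "$in_tmpl"
}

# Load the policy (SA keying is left to racoon or manual "add" lines), then
# bring up GRE. Usage: DRY_RUN=0 sh gre-ipsec.sh up tunnel
if [ "${1:-}" = up ]; then
  spd_policy "${2:-tunnel}" | run setkey -c
  gre_up
fi
```

With DRY_RUN left at 1 the script only prints what it would run, which is a convenient way to check the selectors and the tunnel endpoints before touching a production box.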