[CentOS] Connecting CentOS to IPSEC VPN (Checkpoint FW1)

Mon Aug 21 14:59:21 UTC 2006
Aleksandar Milivojevic <alex at milivojevic.org>

Quoting Dag Wieers <dag at wieers.com>:

> Hi,
>
> Does anyone have experience using IPSEC on CentOS in order to connect to
> vendor IPSEC-based VPN products (specifically Checkpoint FW1) ?
>
> Is the included IPSEC implementation sufficient, or do people have to rely
> on OpenSWAN or FreeSWAN ? I'd be testing tomorrow and I'm interested with
> experiences others have had and things to look out for.

Depends on what you want to do.

The IPSec implementation in the default kernel just works.  On its own.
Some things might not be really intuitive to figure out (such as
routing, which is now affected by both the routing table and the IPSec
policy, and the IPSec tunnels do not have virtual interfaces).

If you want to use only IPSec, the default config files in  
/etc/sysconfig/network-scripts should do the job for most network  
configs.  If you have something exotic, you might need to script a bit  
yourself.

If the other side uses GRE inside IPSec (seems to be a common setup on
Cisco routers that also run BGP), you'll need to script a bit
yourself.  2.6 kernels do both GRE and IPSec, and the combination of
the two nicely.  However, there are no provisions for GRE in initscripts
(check the Linux Advanced Routing HOWTOs on how to use the "ip tunnel"
command to set up GRE).

However, do note that there are some unsolved bugs in Netfilter that
affect IPSec traffic.  So if you want to have both a firewall and IPSec
on the same machine, there are a couple of things to watch out for.  They
will never be fixed in CentOS4/RHEL4 since fixing them would break the
kernel ABI.  That's the response I got from RH; see these bugzillas:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165359
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143374

Also, if you want to combine GRE with IPSec with Netfilter, you'd need
to configure IPSec in tunnel mode (the common setup for GRE inside IPSec
is transport mode, since GRE is already handling the tunneling).  The
bugs in Netfilter just get more severe when using transport mode.

-- 
NOTICE: If you are not intended recipient, you are hereby notified
that by reading this message you agreed not to disturb frogs during
mating season.  For more info, visit http://www.8-P.ca/
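The GRE-inside-IPSec setup the message above describes, as an added example that is not part of the original post and not code from the CentOS/RHEL initscripts: a small POSIX shell script that emits the "ip tunnel" commands for the GRE side and the matching setkey SPD entries, in transport mode (what the post says Cisco peers commonly use) and in tunnel mode (what the post suggests when Netfilter is also involved). It assumes a 2.6 kernel with the ip_gre module, iproute2 and the ipsec-tools setkey utility; every address, prefix and the interface name are constructed placeholders, and the script only prints the commands unless explicitly told to apply them. IKE (racoon) or manually keyed SAs are left out; only the policy side is shown.

```shell
#!/bin/sh
# Added example, not code from the original post or from CentOS/RHEL initscripts.
# Assumes: a 2.6 kernel with the ip_gre module, iproute2 ("ip"), and
# ipsec-tools ("setkey") as used by the in-kernel IPsec stack on CentOS 4.
# All addresses, prefixes and the interface name are constructed placeholders.

LOCAL_PUB=203.0.113.10      # our public endpoint (constructed)
REMOTE_PUB=198.51.100.20    # peer's public endpoint (constructed)
GRE_IF=gre1                 # GRE tunnel interface name (constructed)
GRE_LOCAL=10.255.0.1/30     # inner tunnel addresses (constructed)
GRE_REMOTE=10.255.0.2
REMOTE_LAN=10.20.0.0/16     # network behind the peer (constructed)

# GRE provides the virtual interface and the route that plain IPsec lacks.
# MTU is lowered to leave room for the GRE header plus ESP overhead.
gre_commands() {
    cat <<EOF
ip tunnel add $GRE_IF mode gre remote $REMOTE_PUB local $LOCAL_PUB ttl 255
ip link set $GRE_IF mtu 1400
ip addr add $GRE_LOCAL dev $GRE_IF
ip link set $GRE_IF up
ip route add $REMOTE_LAN via $GRE_REMOTE dev $GRE_IF
EOF
}

# Transport-mode policy: only GRE (IP protocol 47) between the two public
# endpoints is protected; the GRE header already does the tunnelling.
spd_transport() {
    cat <<EOF
spdflush;
spdadd $LOCAL_PUB $REMOTE_PUB gre -P out ipsec esp/transport//require;
spdadd $REMOTE_PUB $LOCAL_PUB gre -P in ipsec esp/transport//require;
EOF
}

# Tunnel-mode variant of the same policy, the shape the post suggests when
# Netfilter must also handle the traffic: ESP wraps a full new IP header.
spd_tunnel() {
    cat <<EOF
spdflush;
spdadd $LOCAL_PUB $REMOTE_PUB gre -P out ipsec esp/tunnel/$LOCAL_PUB-$REMOTE_PUB/require;
spdadd $REMOTE_PUB $LOCAL_PUB gre -P in ipsec esp/tunnel/$REMOTE_PUB-$LOCAL_PUB/require;
EOF
}

# $1 selects the IPsec mode (default transport). With --apply as $2 the
# commands are executed (needs root); otherwise they are only printed so
# the result can be reviewed first. Key exchange (racoon) or manual SAs
# are configured separately and are not part of this script.
mode=${1:-transport}
case "$mode" in
    transport) spd=spd_transport ;;
    tunnel)    spd=spd_tunnel ;;
    *) echo "usage: $0 [transport|tunnel] [--apply]" >&2; exit 2 ;;
esac

if [ "${2:-}" = "--apply" ]; then
    gre_commands | sh -e
    $spd | setkey -c
else
    gre_commands
    echo
    $spd
fi
```

Running it without arguments prints the transport-mode variant for review; "tunnel --apply" would load the tunnel-mode SPD and bring the GRE interface up. Note that after this the route to 10.20.0.0/16 lives in the routing table (via gre1) while the decision to encrypt lives in the SPD (proto 47 between the two public addresses), which is exactly the two-place routing the post warns about; "setkey -DP" and "ip route" show the two halves separately.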