[CentOS] racoon and ipsec issues

Bill Campbell centos at celestial.com
Thu Jul 17 07:03:03 UTC 2008

I am attempting to create an ipsec tunnel between two CentOS 5.1
systems, network-to-network with two different 192.168.xxx.0/24
LAN segments.  I have gone through the documentation on the
centos web site, and have the machines to the point where the
/var/log/messages show ``IPsec-SA established'' on both machines
after running ``ifup ipsec0'' (same ipsec0 on each machine).

IP forwarding is configured in /etc/sysctl.conf and in the proper
/proc ``file''.

``netstat -rn'' shows a reasonable looking route on each machine
with the gateway as the private IP for the internal LAN.

The iptables on each machine are totally clear with no filters.

Attempting to ping the private interface on the remote machine
results in this, where xx.xx... is the IP address of the
public LAN:

From xx.xx.xxx.xxx icmp_seq=2 Destination Host Unreachable

Running tcpdump on another Linux box on the remote network, which
is our main connection to the internet and so sits between the
remote machine and our T1, does not show any packets from the
machine attempting to ping the remote or attempting to make an
ssh connection to the remote machine's private IP.

At this point I'm at a loss as to what to try to debug this.  My
previous IPsec experience was with Freeswan on an older SuSE box,
which is quite different in the system setup.  The centos/rh
documentation is not totally clear about what IP is meant by SRCGW,
but looking at the ifcfg-ipsec script, it assigns the private IP of
the internal network NIC if SRCGW is not set.

I expected to see an ``ipsec0'' device from ``ifconfig'', as was
done with freeswan, but either that's not the case with ipsec-tools
or I have something hosed.

INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

Liberty don't work as good in practice as it does in speeches.
    Will Rogers
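The checks a practitioner would run on each gateway in the situation described above, as an added example script that is not part of the post and not from ipsec-tools or CentOS. With the native IPsec stack that ipsec-tools/racoon drives on a 2.6 kernel there is no ipsec0 network device to look at in ifconfig; whether a packet gets encrypted is decided by the security policy database (dumped with `setkey -DP`) and whether a tunnel is up is visible in the security association database (`setkey -D`), and a tcpdump on the public interface will show ESP (IP protocol 50) and ISAKMP on UDP 500 rather than the inner ICMP. The script checks ip_forward, the out/in SPD policies for the two LANs, and a mature SA, and carries constructed sample dumps for its own self-test. The subnets 192.168.1.0/24 and 192.168.2.0/24, the public addresses 203.0.113.10 and 198.51.100.20, and the sample output are assumptions, not taken from the poster's machines.

```shell
#!/bin/sh
# ipsec-check.sh: sanity checks for a net-to-net tunnel built with
# ipsec-tools (racoon + setkey) on a 2.6 kernel.  Added example, not
# code from the original post.  Live usage on a gateway, as root:
#   sh ipsec-check.sh 192.168.1.0/24 192.168.2.0/24
# (LOCAL_NET REMOTE_NET; the subnets are assumptions.)

# 1. The gateway must forward for the LAN hosts.  $1 optionally
#    overrides the /proc path (used by the self-test).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# 2. The kernel only encrypts traffic that matches an SPD policy.
#    Given the text of `setkey -DP`, check that an ESP tunnel policy
#    exists for src -> dst in direction dir ("out" or "in").
policy_present() {
    spd=$1 src=$2 dst=$3 dir=$4
    printf '%s\n' "$spd" | awk -v src="$src" -v dst="$3" -v dir="$dir" '
        /^[^ \t]/ { cur = ($1 == (src "[any]") && $2 == (dst "[any]")); want = 0; next }
        cur && $1 == dir && $2 == "ipsec"     { want = 1; next }
        cur && want && $1 ~ /^esp\/tunnel\//  { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 3. racoon must have negotiated a mature ESP SA between the public
#    addresses.  Given the text of `setkey -D`, check lpub -> rpub.
sa_mature() {
    sad=$1 lpub=$2 rpub=$3
    printf '%s\n' "$sad" | awk -v a="$lpub" -v b="$rpub" '
        /^[^ \t]/ { cur = ($1 == a && $2 == b); next }
        cur && /state=mature/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run the real checks on this box (requires root and ipsec-tools).
live_check() {
    lnet=$1 rnet=$2
    if forwarding_enabled; then echo "ip_forward: on"; else echo "ip_forward: OFF"; fi
    spd=$(setkey -DP 2>/dev/null) || { echo "setkey -DP failed (root? ipsec-tools?)"; return 1; }
    if policy_present "$spd" "$lnet" "$rnet" out; then echo "SPD out $lnet -> $rnet: ok"
    else echo "SPD out $lnet -> $rnet: MISSING (nothing will be encrypted)"; fi
    if policy_present "$spd" "$rnet" "$lnet" in; then echo "SPD in $rnet -> $lnet: ok"
    else echo "SPD in $rnet -> $lnet: MISSING (replies will be dropped)"; fi
    sad=$(setkey -D 2>/dev/null)
    if printf '%s\n' "$sad" | grep -q 'state=mature'; then echo "SAD: mature SA present"
    else echo "SAD: no mature SA (racoon did not finish phase 2)"; fi
    echo "Now ping a host in $rnet and watch the public interface for ESP:"
    echo "  tcpdump -ni <public-if> esp or udp port 500"
}

# Constructed sample of `setkey -DP` output (not captured from the
# poster's machines), indented with spaces; real output uses tabs.
SAMPLE_SPD=$(cat <<'EOF'
192.168.1.0/24[any] 192.168.2.0/24[any] any
    out ipsec
    esp/tunnel/203.0.113.10-198.51.100.20/require
    spid=1 seq=1 pid=1234
    refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.20-203.0.113.10/require
    spid=2 seq=0 pid=1234
    refcnt=1
EOF
)

# Constructed sample of `setkey -D` output with one mature SA.
SAMPLE_SAD=$(cat <<'EOF'
203.0.113.10 198.51.100.20
    esp mode=tunnel spi=123456789(0x075bcd15) reqid=0(0x00000000)
    E: aes-cbc  0123456789abcdef0123456789abcdef
    A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
EOF
)

# Only touch the live system when both subnets are given on the command line.
if [ $# -eq 2 ]; then live_check "$1" "$2"; fi
```

If the out policy is missing, the kernel routes the ping in the clear according to the ordinary routing table, which is exactly the case where tcpdump on the far side sees nothing encrypted; if the policies are present but no SA is mature, the kernel holds or drops the packets while racoon negotiates, so the `IPsec-SA established` message in /var/log/messages should be cross-checked against `setkey -D` on both ends.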
