[CentOS] racoon and ipsec issues

Thu Jul 17 16:44:15 UTC 2008
Timothy Selivanow <timothy.selivanow at virtualxistenz.com>

On Thu, 2008-07-17 at 00:03 -0700, Bill Campbell wrote:
> I am attempting to create an ipsec tunnel between two CentOS 5.1
> systems, network-to-network with two different 192.168.xxx.0/24
> LAN segments.
<snipped>

As someone who has a similar setup to what you are wanting, it sounds
like either the route or a problem with the SRCGW/DSTGW.  If your two
networks are 192.168.100.0/24 and 192.168.200.0/24 for sites A and B,
respectively, with public IPs 1.1.1.1 and 2.2.2.2 (respectively, again),
then you will want something like the following:

Site A ifcfg-ipsec0:
TYPE=IPSEC
SRCGW=192.168.100.1
DSTGW=192.168.200.1
SRCNET=192.168.100.0/24
DSTNET=192.168.200.0/24
DST=2.2.2.2

Site B ifcfg-ipsec0:
TYPE=IPSEC
SRCGW=192.168.200.1
DSTGW=192.168.100.1
SRCNET=192.168.200.0/24
DSTNET=192.168.100.0/24
DST=1.1.1.1

You will want to make sure that no NAT'ing is occurring for traffic that
wants to flow from site A to B (and vice-versa).  I also have a static
route set up, as I was having some problems with it automatically
setting when the ipsec "interface" was set up.  For this example, I'm
assuming that both Site A and B have two physical interfaces, eth0 and
eth1, that have the public and private addresses.

Site A interfaces:
eth0: 1.1.1.1
eth1: 192.168.100.1

Site B interfaces:
eth0: 2.2.2.2
eth1: 192.168.200.1

Site A route-eth1:
192.168.200.0/24 via 192.168.100.1

Site B route-eth1:
192.168.100.0/24 via 192.168.200.1


On a closing note, you are correct in observing that there is no longer
an "ipsec0" or similar interface.  I started to explain why...but it got
too long.  If you would like a crash course on kernel IPSec behaviour,
let me know and I'll write up a short one with some further reading
linked.

I hope this helps.


--Tim
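As an added example (not part of the post above), here is a small Python checker for the pairing the post describes: it parses two ifcfg-ipsec0 files, verifies that site A's SRCGW/SRCNET mirror site B's DSTGW/DSTNET (and vice versa), that each gateway actually sits inside its LAN, that DST is not a LAN address, and prints the matching route-eth1 line. The two sample files are constructed from the post's values; the function names are my own.

```python
import ipaddress
# Constructed sample input: the two ifcfg-ipsec0 files from the post (site A, then site B).
SITE_A = """TYPE=IPSEC
SRCGW=192.168.100.1
DSTGW=192.168.200.1
SRCNET=192.168.100.0/24
DSTNET=192.168.200.0/24
DST=2.2.2.2
"""
SITE_B = """TYPE=IPSEC
SRCGW=192.168.200.1
DSTGW=192.168.100.1
SRCNET=192.168.200.0/24
DSTNET=192.168.100.0/24
DST=1.1.1.1
"""

def parse_ifcfg(text):
    """Parse KEY=VALUE lines of an ifcfg-style file into a dict; blank and comment lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg

def check_tunnel_pair(a, b):
    """Return the list of problems in a pair of network-to-network ifcfg-ipsec0 files ([] if consistent)."""
    problems = []
    for side, cfg in (("A", a), ("B", b)):
        srcnet = ipaddress.ip_network(cfg["SRCNET"])
        dstnet = ipaddress.ip_network(cfg["DSTNET"])
        dst = ipaddress.ip_address(cfg["DST"])
        if ipaddress.ip_address(cfg["SRCGW"]) not in srcnet:
            problems.append(f"{side}: SRCGW {cfg['SRCGW']} is not inside SRCNET {srcnet}")
        if ipaddress.ip_address(cfg["DSTGW"]) not in dstnet:
            problems.append(f"{side}: DSTGW {cfg['DSTGW']} is not inside DSTNET {dstnet}")
        if dst in srcnet or dst in dstnet:
            problems.append(f"{side}: DST {dst} must be the peer's public address, not a LAN address")
    # Each side must mirror the other: A's source is B's destination and vice versa.
    for a_key, b_key in (("SRCNET", "DSTNET"), ("DSTNET", "SRCNET"), ("SRCGW", "DSTGW"), ("DSTGW", "SRCGW")):
        if a[a_key] != b[b_key]:
            problems.append(f"A.{a_key}={a[a_key]} does not mirror B.{b_key}={b[b_key]}")
    return problems

def route_line(cfg):
    """The static route-eth1 line the post adds by hand: remote LAN reached via the local LAN gateway."""
    return f"{cfg['DSTNET']} via {cfg['SRCGW']}"
```

Run check_tunnel_pair(parse_ifcfg(SITE_A), parse_ifcfg(SITE_B)) on your real files; an empty list means the two sides agree, and any message points at the mismatched key.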