[CentOS] racoon and ipsec issues

Thu Jul 17 21:43:28 UTC 2008
Bill Campbell <centos at celestial.com>

On Thu, Jul 17, 2008, Timothy Selivanow wrote:
>On Thu, 2008-07-17 at 00:03 -0700, Bill Campbell wrote:
>> I am attempting to create an ipsec tunnel between two CentOS 5.1
>> systems, network-to-network with two different 192.168.xxx.0/24
>> LAN segments.
><snipped>
>
>As someone who has a similar setup to what you are wanting, it sounds
>like either the route, or a problem with the SRCGW/DSTGW.  If your two
>networks are 192.168.100.0/24 and 192.168.200.0/24 for sites A and B,
>respectively, with public IPs 1.1.1.1 and 2.2.2.2 (respectively, again),
>then you will want something like the following:
>
>Site A ifcfg-ipsec0:
>TYPE=IPSEC
>SRCGW=192.168.100.1
>DSTGW=192.168.200.1
>SRCNET=192.168.100.0/24
>DSTNET=192.168.200.0/24
>DST=2.2.2.2
>
>Site B ifcfg-ipsec0:
>TYPE=IPSEC
>SRCGW=192.168.200.1
>DSTGW=192.168.100.1
>SRCNET=192.168.200.0/24
>DSTNET=192.168.100.0/24
>DST=1.1.1.1

These are the same as what I have with the appropriate IP and
CIDR blocks.

>You will want to make sure that no NAT'ing is occurring for traffic that
>wants to flow from site A to B (and vice-versa).  I also have a static
>route set up, as I was having some problems with it automatically
>setting when the ipsec "interface" was set up.  For this example, I'm
>assuming that both Site A and B have two physical interfaces, eth0 and
>eth1, that have the public and private addresses.

In each case these are machines that are directly connected to
the Internet with no NAT.

>Site A interfaces:
>eth0: 1.1.1.1
>eth1: 192.168.100.1
>
>Site B interfaces:
>eth0: 2.2.2.2
>eth1: 192.168.200.1
>
>Site A route-eth1:
>192.168.200.0/24 via 192.168.100.1
>
>Site B route-eth1:
>192.168.100.0/24 via 192.168.200.1
>
These are equivalent.

It appears to me that the ``ifup ipsec0'' command primarily wakes
racoon up to modify the /etc/racoon/racoon.conf file with the
appropriate include and to set the route, and ``ifdown'' mostly
removes the route.

>On a closing note, you are correct in observing that there is no longer
>an "ipsec0" or similar interface.  I started to explain why...but it got
>too long.  If you would like a crash course on kernel IPSec behaviour,
>let me know and I'll write up a short one with some further reading
>linked.

I would be very interested in this.

After letting things sit overnight, and seeing ``IPsec-SA
expired'' messages in /var/log/messages, I tried again this
afternoon, without success.  There are some things that seem
noteworthy to me.

  1.  There was no traffic between the machines until I started ``tcpdump''
      on one, at which time it initiated the handshaking with the machine
      here (one machine is here on M.I. the other in Kansas City).

  2.  When racoon starts, there is a message in /var/log/messages,
      ``racoon: ERROR: racoon: MLS support is not enabled''.  I haven't
      been able to figure out what that means.

  3.  The Kansas City machine is running kernel 2.6.18-53.1.14.el5 SMP,
      x86_64.

  4.  The M.I. machine is running 2.6.18-53.1.21.el5PAE SMP i686...

  5.  The M.I. machine hosts several VMware virtual machines so both its
      NICs are in promiscuous mode.

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

Perhaps, when committing your first federal crime, it would be unwise to
slap your name and address on it and mail it to 10,000 people. --Dogbert