Hi,

Does anyone have experience using IPSEC on CentOS in order to connect to vendor IPSEC-based VPN products (specifically Checkpoint FW1)?

Is the included IPSEC implementation sufficient, or do people have to rely on OpenSWAN or FreeSWAN? I'd be testing tomorrow and I'm interested in experiences others have had and things to look out for.

Thanks in advance,
-- dag wieers, dag at wieers.com, http://dag.wieers.com/ --
[all I want is a warm bed and a kind word and unlimited power]
mike.redan at bell.ca
2006-Aug-21 13:19 UTC
[CentOS] Connecting CentOS to IPSEC VPN (Checkpoint FW1)
Heya,

I've created IPSec tunnels to netscreen devices from CentOS using the built-in ipsec-tools (aka racoon), but had to upgrade to a newer version (0.6.5 at the time) because I needed NAT-T and X-Auth support. The only real catch I had was that I needed to upgrade to kernel 2.6.16 or newer to get the IPTables and NAT'ing to work properly coming out of the tunnel. The other fun part was trying to line up vendor terminology vs racoon terminology.

Never tried to connect to a checkpoint device... but that NAT'ing problem took a few weeks to track down that I needed to upgrade the kernel, so I figured I would mention it!

Mike

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Dag Wieers
Sent: August 21, 2006 9:12 AM
To: centos at centos.org
Subject: [CentOS] Connecting CentOS to IPSEC VPN (Checkpoint FW1)

Hi,

Does anyone have experience using IPSEC on CentOS in order to connect to vendor IPSEC-based VPN products (specifically Checkpoint FW1)?

Is the included IPSEC implementation sufficient, or do people have to rely on OpenSWAN or FreeSWAN? I'd be testing tomorrow and I'm interested in experiences others have had and things to look out for.

Thanks in advance,
-- dag wieers, dag at wieers.com, http://dag.wieers.com/ --
[all I want is a warm bed and a kind word and unlimited power]
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
Dag,

Using Openswan, racoon, etc. as an IPSEC gateway to interoperate with CP FW-1 NG R55, NGX and so on is possible, but it is not possible to configure as a roadwarrior linux client.

Bye.

Dag Wieers wrote:
> Hi,
>
> Does anyone have experience using IPSEC on CentOS in order to connect to
> vendor IPSEC-based VPN products (specifically Checkpoint FW1) ?
>
> Is the included IPSEC implementation sufficient, or do people have to rely
> on OpenSWAN or FreeSWAN ? I'd be testing tomorrow and I'm interested with
> experiences others have had and things to look out for.
>
> Thanks in advance,
> -- dag wieers, dag at wieers.com, http://dag.wieers.com/ --
> [all I want is a warm bed and a kind word and unlimited power]

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
Aleksandar Milivojevic
2006-Aug-21 14:59 UTC
[CentOS] Connecting CentOS to IPSEC VPN (Checkpoint FW1)
Quoting Dag Wieers <dag at wieers.com>:
> Hi,
>
> Does anyone have experience using IPSEC on CentOS in order to connect to
> vendor IPSEC-based VPN products (specifically Checkpoint FW1) ?
>
> Is the included IPSEC implementation sufficient, or do people have to rely
> on OpenSWAN or FreeSWAN ? I'd be testing tomorrow and I'm interested with
> experiences others have had and things to look out for.

Depends on what you want to do. The IPSec implementation in the default kernel just works. On its own. Some things might not be really intuitive to figure out (such as routing, which is now affected by both the routing table and the IPSec policy, and the IPSec tunnels do not have virtual interfaces).

If you want to use only IPSec, the default config files in /etc/sysconfig/network-scripts should do the job for most network configs. If you have something exotic, you might need to script a bit yourself.

If the other side uses GRE inside IPSec (seems to be a common setup on Cisco routers that also run BGP), you'll need to script a bit yourself. 2.6 kernels do both GRE and IPSec, and the combination of the two nicely. However, there are no provisions for GRE in initscripts (check the Linux Advanced Routing HOWTOs on how to use the "ip tunnel" command to set up GRE).

However, do note that there are some unsolved bugs in Netfilter that affect IPSec traffic. So if you want to have both firewall and IPSec on the same machine, there are a couple of things to watch out for. They will never be fixed in CentOS4/RHEL4 since fixing them would break the kernel ABI. That's the response I got from RH, see these bugzillas:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165359
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143374

Also, if you want to combine GRE with IPSec with Netfilter, you'd need to configure IPSec in tunnel mode (the common setup for GRE inside IPSec is transport mode, since GRE is already handling tunneling). The bugs in Netfilter just get more severe when using transport mode.
-- NOTICE: If you are not intended recipient, you are hereby notified that by reading this message you agreed not to disturb frogs during mating season. For more info, visit http://www.8-P.ca/
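The GRE-inside-IPSec setup that Aleksandar describes above (GRE via "ip tunnel", the kernel SPD via setkey from ipsec-tools, and the transport-versus-tunnel-mode choice) as an added example. This script is not from the thread or from any of the projects mentioned; all addresses are constructed RFC 5737 documentation addresses, and the interface name gre1 and the function names are my own assumptions. It only emits the commands and the setkey policy by default, so it can be read and checked without root; APPLY=1 feeds them to sh and setkey.

```shell
#!/bin/sh
# Added example: generate the GRE tunnel commands and the matching setkey(8) SPD
# entries for GRE inside IPSec, in either transport or tunnel mode.
# Addresses are constructed (RFC 5737 documentation ranges); gre1 is an assumed name.

LOCAL_PUB=203.0.113.1       # our public address (constructed)
REMOTE_PUB=198.51.100.1     # peer's public address (constructed)
GRE_IF=gre1                 # assumed interface name
GRE_LOCAL=10.255.0.1/30     # inner address of our GRE endpoint (constructed)
REMOTE_LAN=192.168.20.0/24  # network behind the peer (constructed)

# GRE tunnel as in the Linux Advanced Routing HOWTO ("ip tunnel"). Routing goes
# over the GRE interface; IPsec itself adds no interface, only SPD policy.
gre_commands() {
    printf '%s\n' \
        "ip tunnel add $GRE_IF mode gre local $LOCAL_PUB remote $REMOTE_PUB ttl 255" \
        "ip link set $GRE_IF up" \
        "ip addr add $GRE_LOCAL dev $GRE_IF" \
        "ip route add $REMOTE_LAN dev $GRE_IF"
}

# SPD entries for setkey -c. Upper-layer selector "gre" limits the policy to the
# GRE packets between the two public addresses. "transport" is the usual choice
# because GRE already tunnels; "tunnel" is what the thread recommends when
# Netfilter sits on the same box.
spd_config() {
    mode=$1
    case $mode in
        transport)
            printf '%s\n' \
                "spdadd $LOCAL_PUB $REMOTE_PUB gre -P out ipsec esp/transport//require;" \
                "spdadd $REMOTE_PUB $LOCAL_PUB gre -P in ipsec esp/transport//require;"
            ;;
        tunnel)
            printf '%s\n' \
                "spdadd $LOCAL_PUB $REMOTE_PUB gre -P out ipsec esp/tunnel/$LOCAL_PUB-$REMOTE_PUB/require;" \
                "spdadd $REMOTE_PUB $LOCAL_PUB gre -P in ipsec esp/tunnel/$REMOTE_PUB-$LOCAL_PUB/require;"
            ;;
        *)
            echo "usage: spd_config transport|tunnel" >&2
            return 1
            ;;
    esac
}

# Sanity check: both directions must carry a "require" policy. With only the
# "out" entry, inbound GRE that arrives unprotected would still be accepted.
spd_entry_count() {
    spd_config "$1" | grep -c '^spdadd '
}

# Dry run by default; APPLY=1 executes (needs root, iproute and ipsec-tools).
apply() {
    mode=${1:-tunnel}
    if [ "${APPLY:-0}" = 1 ]; then
        gre_commands | sh -e
        spd_config "$mode" | setkey -c
    else
        gre_commands
        echo "--- setkey -c ---"
        spd_config "$mode"
    fi
}
```

Run it as `. ./gre-ipsec.sh; apply transport` to review the output first; racoon (or whichever IKE daemon) still has to negotiate the SAs that these policies require, and the GRE interface must be up before the route is added or the last `ip route` command fails.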