I am attempting to create an ipsec tunnel between two CentOS 5.1 systems, network-to-network with two different 192.168.xxx.0/24 LAN segments.

I have gone through the documentation on the CentOS web site, and have the machines to the point where /var/log/messages shows "IPsec-SA established" on both machines after running "ifup ipsec0" (same ipsec0 on each machine). IP forwarding is configured in /etc/sysctl.conf and in the proper /proc "file". "netstat -rn" shows a reasonable-looking route on each machine with the gateway as the private IP for the internal LAN. The iptables on each machine are totally clear with no filters.

Attempting to ping the private interface on the remote machine results in this, where the xx.xx... is the IP address of the public LAN:

From xx.xx.xxx.xxx icmp_seq=2 Destination Host Unreachable

Running tcpdump on another Linux box on the remote network that is our main connection to the internet (so it sits between the remote machine and our T1) does not show any packets from the machine attempting to ping the remote or attempting to make an ssh connection to the remote machine's private IP.

At this point I'm at a loss as to what to try to debug this. My previous IPsec experience was with Freeswan on an older SuSE box, which is quite different in the system setup.

The CentOS/RH documentation is not totally clear what IP is meant by SRCGW, but looking at the ifcfg-ipsec script, it assigns the private IP of the internal network NIC if SRCGW is not set.

I expected to see an "ipsec0" device from "ifconfig", as was done with Freeswan, but either that's not the case with ipsec-tools or I have something hosed.

Bill
-- 
INTERNET: bill at celestial.com    Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/     PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676              Mercer Island, WA 98040-0820
Fax:   (206) 232-9186

Liberty don't work as good in practice as it does in speeches. Will Rogers
On Thu, 2008-07-17 at 00:03 -0700, Bill Campbell wrote:
> I am attempting to create an ipsec tunnel between two CentOS 5.1
> systems, network-to-network with two different 192.168.xxx.0/24
> LAN segments.
<snipped>

As someone who has a similar setup to what you are wanting, it sounds like either the route, or a problem with the SRCGW/DSTGW.

If your two networks are 192.168.100.0/24 and 192.168.200.0/24 for sites A and B, respectively, with public IPs 1.1.1.1 and 2.2.2.2 (respectively, again), then you will want something like the following:

Site A ifcfg-ipsec0:

    TYPE=IPSEC
    SRCGW=192.168.100.1
    DSTGW=192.168.200.1
    SRCNET=192.168.100.0/24
    DSTNET=192.168.200.0/24
    DST=2.2.2.2

Site B ifcfg-ipsec0:

    TYPE=IPSEC
    SRCGW=192.168.200.1
    DSTGW=192.168.100.1
    SRCNET=192.168.200.0/24
    DSTNET=192.168.100.0/24
    DST=1.1.1.1

You will want to make sure that no NAT'ing is occurring for traffic that wants to flow from site A to B (and vice-versa).

I also have a static route set up, as I was having some problems with it automatically setting when the ipsec "interface" was set up. For this example, I'm assuming that both Site A and B have two physical interfaces, eth0 and eth1, that have the public and private addresses.

Site A interfaces:

    eth0: 1.1.1.1
    eth1: 192.168.100.1

Site B interfaces:

    eth0: 2.2.2.2
    eth1: 192.168.200.1

Site A route-eth1:

    192.168.200.0/24 via 192.168.100.1

Site B route-eth1:

    192.168.100.0/24 via 192.168.200.1

On a closing note, you are correct in observing that there is no longer an "ipsec0" or similar interface. I started to explain why... but it got too long. If you would like a crash course on kernel IPSec behaviour, let me know and I'll write up a short one with some further reading linked.

I hope this helps.

--Tim
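The reply's configuration only works when the two ifcfg-ipsec0 files mirror each other exactly (one side's SRCNET/SRCGW is the other side's DSTNET/DSTGW, and DST is the peer's public IP), when route-ethN carries the "DSTNET via SRCGW" entry, and when no POSTROUTING MASQUERADE/SNAT rule on the public interface rewrites LAN-to-LAN traffic before the kernel's IPsec policy sees it. The following Python script is an added example, not part of this thread and not from CentOS or ipsec-tools; it cross-checks a pair of ifcfg-ipsec0 files, a route-eth1 file and an iptables-save NAT table for exactly those mistakes. The sample file contents are constructed to match Tim's Site A / Site B example, and the NAT check assumes iptables-save output with the "! -d" negation form.

```python
import ipaddress
import re

# Constructed sample files that mirror the Site A / Site B example above.
SITE_A_IFCFG = """\
TYPE=IPSEC
SRCGW=192.168.100.1
DSTGW=192.168.200.1
SRCNET=192.168.100.0/24
DSTNET=192.168.200.0/24
DST=2.2.2.2
"""
SITE_B_IFCFG = """\
TYPE=IPSEC
SRCGW=192.168.200.1
DSTGW=192.168.100.1
SRCNET=192.168.200.0/24
DSTNET=192.168.100.0/24
DST=1.1.1.1
"""
SITE_A_ROUTE_ETH1 = "192.168.200.0/24 via 192.168.100.1\n"
# iptables-save style NAT rules (constructed): a catch-all MASQUERADE that
# would rewrite tunnel traffic, and one that excludes the remote LAN.
SITE_A_NAT_BAD = "-A POSTROUTING -o eth0 -j MASQUERADE\n"
SITE_A_NAT_GOOD = ("-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.200.0/24"
                   " -o eth0 -j MASQUERADE\n")


def parse_ifcfg(text):
    """Parse the KEY=VALUE lines of an ifcfg-ipsecN file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_site(cfg, local_public_ip):
    """Sanity-check one end: gateways inside their subnets, DST is the peer."""
    missing = [k for k in ("SRCGW", "DSTGW", "SRCNET", "DSTNET", "DST") if k not in cfg]
    if missing:
        return ["missing " + ", ".join(missing)]
    problems = []
    srcnet = ipaddress.ip_network(cfg["SRCNET"], strict=False)
    dstnet = ipaddress.ip_network(cfg["DSTNET"], strict=False)
    if ipaddress.ip_address(cfg["SRCGW"]) not in srcnet:
        problems.append("SRCGW %s not inside SRCNET %s" % (cfg["SRCGW"], srcnet))
    if ipaddress.ip_address(cfg["DSTGW"]) not in dstnet:
        problems.append("DSTGW %s not inside DSTNET %s" % (cfg["DSTGW"], dstnet))
    if srcnet.overlaps(dstnet):
        problems.append("SRCNET %s overlaps DSTNET %s" % (srcnet, dstnet))
    if cfg["DST"] == local_public_ip:
        problems.append("DST %s is this site's own public IP" % cfg["DST"])
    return problems


def check_pair(cfg_a, public_a, cfg_b, public_b):
    """Cross-check both ends: every SRC* on one side must be the DST* on the other."""
    problems = check_site(cfg_a, public_a) + check_site(cfg_b, public_b)
    if problems:
        return problems
    for ka, kb in (("SRCNET", "DSTNET"), ("DSTNET", "SRCNET"),
                   ("SRCGW", "DSTGW"), ("DSTGW", "SRCGW")):
        if cfg_a[ka] != cfg_b[kb]:
            problems.append("A.%s=%s != B.%s=%s" % (ka, cfg_a[ka], kb, cfg_b[kb]))
    if cfg_a["DST"] != public_b:
        problems.append("A.DST=%s is not B's public IP %s" % (cfg_a["DST"], public_b))
    if cfg_b["DST"] != public_a:
        problems.append("B.DST=%s is not A's public IP %s" % (cfg_b["DST"], public_a))
    return problems


def route_covers(route_text, cfg):
    """True if a route-ethN file carries the 'DSTNET via SRCGW' entry recommended above."""
    want = (ipaddress.ip_network(cfg["DSTNET"], strict=False),
            ipaddress.ip_address(cfg["SRCGW"]))
    for line in route_text.splitlines():
        m = re.match(r"\s*(\S+)\s+via\s+(\S+)", line)
        if m and (ipaddress.ip_network(m.group(1), strict=False),
                  ipaddress.ip_address(m.group(2))) == want:
            return True
    return False


def nat_rules_hitting_tunnel(nat_text, cfg):
    """Return POSTROUTING SNAT/MASQUERADE rules (iptables-save syntax, '! -d' form)
    that would still rewrite the source address of SRCNET -> DSTNET packets."""
    srcnet = ipaddress.ip_network(cfg["SRCNET"], strict=False)
    dstnet = ipaddress.ip_network(cfg["DSTNET"], strict=False)
    offenders = []
    for line in nat_text.splitlines():
        if not line.startswith("-A POSTROUTING") or not re.search(r"-j (MASQUERADE|SNAT)\b", line):
            continue
        src = re.search(r"(?<!! )-s (\S+)", line)
        if src and not ipaddress.ip_network(src.group(1), strict=False).overlaps(srcnet):
            continue  # rule never matches our LAN as source
        excl = re.search(r"! -d (\S+)", line)
        if excl and dstnet.subnet_of(ipaddress.ip_network(excl.group(1), strict=False)):
            continue  # remote LAN is explicitly excluded from NAT
        offenders.append(line)
    return offenders
```

In practice you would feed it the real /etc/sysconfig/network-scripts/ifcfg-ipsec0 and route-eth1 from each site and the output of "iptables-save -t nat"; an empty list from check_pair and nat_rules_hitting_tunnel plus True from route_covers means the static configuration is consistent. It does not replace "setkey -DP", which shows the security policies the kernel actually installed from that configuration, and a "Destination Host Unreachable" from the local host is still best explained by the route table, which the script checks only as the file, not as the kernel sees it.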