Hello all,

I'm currently looking at migrating 4 firewalls from RHEL3/CentOS3 towards RHEL4/CentOS4, at the same time moving from a full-mesh OpenVPN setup towards a full-mesh IPSec setup. I checked the Shorewall IPSec pages and the mailing list, but found no definite answer to the following: did Red Hat include the IPSec patches as mentioned on http://www.shorewall.net/IPSEC-2.6.html ?

I checked the source RPM and the patches included in there, but due to the huge amount (100 or so) I'm not 100% sure. Is there a way I can quickly check this on a single test install inside VMware by some sort of iptables command or so?

Thanks in advance,
Stijn
--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
-------------------------------------------------------
This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl
Stijn Jonker wrote:
> Hello all,
>
> I'm currently looking at migrating 4 firewalls from RHEL3/CentOS3
> towards RHEL4/CentOS4 at the same time moving from a full mesh openvpn
> towards a full mesh IPSec setup.

Keep using OpenVPN. IMHO it is one of the best solutions.

> Did redhat include the IPSec patches as
> mentioned on: http://www.shorewall.net/IPSEC-2.6.html

Probably not; Red Hat's kernels usually lack a lot of features.

--
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'
On Wednesday 19 October 2005 11:55, Stijn Jonker wrote:
> I checked the source rpm and the patches included in there, but due to
> the huge amount (100 or so) I'm not 100% sure. Is there a way I can
> quickly check this on a single test install inside vmware by some sort
> of iptables command or so?

gateway:/etc/shorewall# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available      <============== must be Available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Available
   ROUTE Target: Not available
   Extended MARK Target: Available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
   CLASSIFY Target: Available
gateway:/etc/shorewall#

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
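The check Tom describes, as an added shell example that is not part of the original thread or of Shorewall itself: it reads the "Policy Match" line out of `shorewall show capabilities` output (the sample output below is constructed, modelled on the RHEL4 listing posted later in the thread) and, when run with `--live`, probes the running kernel directly by loading the policy match module and looking for "policy" in /proc/net/ip_tables_matches. The module names ipt_policy and xt_policy are assumptions that depend on the kernel version; the live check needs root on a real host and is skipped otherwise. Note that `iptables -m policy --help` succeeding only proves the userspace extension is installed, not that the kernel supports the match, which is why the script reads /proc instead.

```shell
#!/bin/sh
# Added example (not from the thread): does this kernel provide the netfilter
# "policy" match that Shorewall's IPsec zone support on 2.6 kernels needs?

# Constructed sample output, modelled on the RHEL4 listing in the thread.
SAMPLE_RHEL4='Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Policy Match: Not available
   Physdev Match: Available
   Raw Table: Available'

# Constructed sample from a kernel that does carry the policy match.
SAMPLE_OK='Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Policy Match: Available
   Raw Table: Available'

# capability_state OUTPUT NAME
# Prints "Available" / "Not available" for NAME, or nothing if the line is absent.
# The anchored ^ keeps "Multi-port Match" from matching "Extended Multi-port Match".
capability_state() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# has_policy_match OUTPUT
# Exit 0 when the Policy Match capability is reported as Available.
has_policy_match() {
    [ "$(capability_state "$1" 'Policy Match')" = "Available" ]
}

# live_policy_match_check
# Probe the running kernel instead of trusting Shorewall's report.
# /proc/net/ip_tables_matches lists every registered match by name; "policy"
# shows up once the module is loaded. Returns 2 if the probe is impossible here.
live_policy_match_check() {
    [ -r /proc/net/ip_tables_matches ] || return 2
    # Assumed module names: ipt_policy on older 2.6 kernels, xt_policy on newer ones.
    modprobe ipt_policy 2>/dev/null || modprobe xt_policy 2>/dev/null || true
    grep -qx policy /proc/net/ip_tables_matches
}

case "${1:-}" in
    --live)
        if live_policy_match_check; then
            echo "policy match: Available"
        elif [ $? -eq 2 ]; then
            echo "policy match: cannot probe (need a Linux host with root)"
        else
            echo "policy match: Not available"
        fi
        ;;
    *)
        # Default: evaluate the constructed samples.
        for s in SAMPLE_RHEL4 SAMPLE_OK; do
            eval "out=\$$s"
            printf '%s: Policy Match = %s\n' "$s" "$(capability_state "$out" 'Policy Match')"
        done
        ;;
esac
```

To check a real box, pipe the actual output through the parser (`shorewall show capabilities | ...`) or run the script with `--live`; "Not available" on either path means IPsec policy-based zones will not work on that kernel without the patches from the IPSEC-2.6 page.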
Tom,

Thanks for the answer. To keep the thread complete with the answer: I'm out of luck. Now the decision: custom kernel or OpenVPN ;-)

RHEL4/CentOS4 output:

[root@hn00tmp01 ~]# shorewall show capabilities
WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Available
[root@hn00tmp01 ~]# uname -a
Linux hn00tmp01.sjc.nl 2.6.9-22.EL #1 Sat Oct 8 17:48:27 CDT 2005 i686 i686 i386 GNU/Linux

Stijn

On 19-Oct-2005 22:57, Tom Eastep wrote:
> On Wednesday 19 October 2005 11:55, Stijn Jonker wrote:
>
>> I checked the source rpm and the patches included in there, but due to
>> the huge amount (100 or so) I'm not 100% sure. Is there a way I can
>> quickly check this on a single test install inside vmware by some sort
>> of iptables command or so?
>
> gateway:/etc/shorewall# shorewall show capabilities
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Extended Multi-port Match: Available
>    Connection Tracking Match: Available
>    Packet Type Match: Available
>    Policy Match: Not available      <============== must be Available
>    Physdev Match: Available
>    IP range Match: Available
>    Recent Match: Available
>    Owner Match: Available
>    Ipset Match: Available
>    ROUTE Target: Not available
>    Extended MARK Target: Available
>    CONNMARK Target: Available
>    Connmark Match: Available
>    Raw Table: Available
>    CLASSIFY Target: Available
> gateway:/etc/shorewall#
>
> -Tom

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
On Wednesday 19 October 2005 14:15, Stijn Jonker wrote:
> Tom,
>
> Thanks for the answer. To keep the thread complete with the answer: I'm
> out of luck. Now the decision: custom kernel or OpenVPN ;-)

I've personally switched to OpenVPN.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Eduardo Ferreira wrote on 19/10/2005 19:17:36:
> On Wednesday 19 October 2005 14:15, Stijn Jonker wrote:
>> Tom,
>>
>> Thanks for the answer. To keep the thread complete with the answer: I'm
>> out of luck. Now the decision: custom kernel or OpenVPN ;-)
>
> I've personally switched to openvpn.
>
> -Tom
> --

I must second that. I've just set up a new OpenVPN 2.0 server today. Time to install, create keys and configure the server, three Windows clients and a firewall in the way: 2 hours. How many hours would kernel customization and the IPsec way take?

cheers
> I've just set up today a new openvpn 2.0 server. Time to install, create
> keys and config server, three windows clients and a firewall in the way: 2
> hours. how many hours would Kernel customization and the ipsec way take?
>
> cheers

I too have tested OpenVPN at the suggestion of Tom and others. I find it excellent for access VPNs, but I'm also finding it a little lacking in the site-to-site VPN department. The client/server model just doesn't work as well with site-to-site, which is more of a peer-to-peer topology. Although OpenVPN can do p2p, it's nowhere near as clean as IPSec and seems to require multiple services/ports/interfaces to be used.

Just my 1 1/2 cents.
On Wednesday 19 October 2005 14:53, Cyber Dog wrote:
> I too have tested openvpn at the suggestion of Tom and others. I find
> it excellent for access VPNs, but I'm also finding it a little lacking
> in the site-to-site VPN department. The client/server model just
> doesn't work as well with site-to-site which is more of a peer to peer
> topology. Although openvpn can do p2p it's nowhere near as clean as
> IPSec and seems to require multiple services/ports/interfaces to be
> used. Just my 1 1/2 cents.

That topic came up on the OpenVPN list just today:

James Yonan wrote:
> On Wed, 19 Oct 2005, John wrote:
>> I don't want to be rude or so, but the "every OpenVPN tunnel has its own
>> tun device and port number", as it was in pre-2.0 times, was a major
>> drawback and showstopper for a lot of people. And most people don't want
>> to go back that way. The setup I use gave me a lot of iptables firewall
>> headache in 1.5-1.6 times....
>
> Why can't a persistent peer connect the same way as the roadwarriors, i.e.
> with the persistent peer being the initiator and the server being the
> responder?
>
> What is the functional benefit of creating a new "persistent peer" mode
> over simply having the persistent peer act as a client?

John was proposing a new mode that uses a single tun device but that works more like the pre-2.0 peer-to-peer mode (which, as you have mentioned, is still available). As you can see, James isn't sold yet...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hello All,

On 20-Oct-2005 0:40, Tom Eastep wrote:
> On Wednesday 19 October 2005 14:53, Cyber Dog wrote:
>
>> I too have tested openvpn at the suggestion of Tom and others. I find
>> it excellent for access VPNs, but I'm also finding it a little lacking
>> in the site-to-site VPN department. The client/server model just
>> doesn't work as well with site-to-site which is more of a peer to peer
>> topology. Although openvpn can do p2p it's nowhere near as clean as
>> IPSec and seems to require multiple services/ports/interfaces to be
>> used. Just my 1 1/2 cents.

This is exactly my MINOR issue with OpenVPN: when connecting 5 sites in a full mesh, with zebra & BGP, the number of interfaces (and the small IP nets) is what's killing to operate and set up, IMHO. This is actually how it's set up right now.

But I must say it's working without flaws.

Stijn
--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
On Wednesday 19 October 2005 22:11, Stijn Jonker wrote:
> Hello All,
>
> On 20-Oct-2005 0:40, Tom Eastep wrote:
>> On Wednesday 19 October 2005 14:53, Cyber Dog wrote:
>>> I too have tested openvpn at the suggestion of Tom and others. I find
>>> it excellent for access VPNs, but I'm also finding it a little lacking
>>> in the site-to-site VPN department. The client/server model just
>>> doesn't work as well with site-to-site which is more of a peer to peer
>>> topology. Although openvpn can do p2p it's nowhere near as clean as
>>> IPSec and seems to require multiple services/ports/interfaces to be
>>> used. Just my 1 1/2 cents.
>
> This is exactly my MINOR issue with OpenVPN: when connecting 5 sites in
> a full mesh, with zebra & BGP, the number of interfaces (and the small IP
> nets) is what's killing to operate and set up, IMHO. This is actually how
> it's set up right now.
>
> But I must say it's working without flaws.

You might consider adopting the client/server model supported by OpenVPN 2.0. The real difference between multiple peer-to-peer tunnels and client/server is that in the latter, the client side must initiate the connection. It's a lot easier to set up and manage.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key