Quoting Dag Wieers <dag@xxxxxxxxxx>:
Hi,
Does anyone have experience using IPSEC on CentOS in order to connect to
vendor IPSEC-based VPN products (specifically Checkpoint FW1)?
Is the included IPSEC implementation sufficient, or do people have to rely
on OpenSWAN or FreeSWAN? I'd be testing tomorrow and I'm interested in
experiences others have had and things to look out for.
Depends on what you want to do.
The IPSec implementation in the default kernel just works. On its own.
Some things might not be really intuitive to figure out (such as
routing, which is now affected by both the routing table and the IPSec policy,
and the IPSec tunnels do not have virtual interfaces).
If you want to use only IPSec, the default config files in
/etc/sysconfig/network-scripts should do the job for most network
configs. If you have something exotic, you might need to script a bit
yourself.
If the other side uses GRE inside IPSec (seems to be a common setup on
Cisco routers that also run BGP), you'll need to script a bit
yourself. 2.6 kernels do both GRE and IPSec, and the combination of the
two nicely. However, there are no provisions for GRE in initscripts
(check Linux Advanced Routing HOWTOs on how to use "ip tunnel" command
to setup GRE).
However, do note that there are some unsolved bugs in Netfilter that
affect IPSec traffic. So if you want to have both firewall and IPSec
on the same machine, there are a couple of things to watch out for. They will
never be fixed in CentOS4/RHEL4 since fixing them would break kernel
ABI. That's the response I got from RH, see these bugzillas:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165359
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143374
Also, if you want to combine GRE with IPSec with Netfilter, you'd need
to configure IPSec in tunnel mode (common setup for GRE inside IPSec
is transport mode, since GRE is already handling tunneling). The bugs
in Netfilter just get more severe when using transport mode.
--
NOTICE: If you are not intended recipient, you are hereby notified
that by reading this message you agreed not to disturb frogs during
mating season. For more info, visit http://www.8-P.ca/
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
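The "script a bit yourself" part for GRE inside IPSec, as an added example that is not part of the original post and not CentOS or ipsec-tools code: a POSIX shell script that generates (and, with "apply", runs) the setkey SPD entries protecting only GRE between the two endpoints plus the "ip tunnel" commands initscripts lack. MODE selects "transport" (the usual GRE-in-IPSec setup) or "tunnel" (what the post recommends when Netfilter runs on the same box). The interface name gre1, the addresses and the remote network are constructed assumptions; SA negotiation (racoon) is outside the script.

```shell
#!/bin/sh
# gre_over_ipsec.sh - generate the GRE + IPsec (ipsec-tools/setkey) setup
# for a 2.6 kernel. Added example; names, addresses and network are assumed.
#
# Usage: gre_over_ipsec.sh LOCAL_WAN REMOTE_WAN LOCAL_GRE REMOTE_GRE REMOTE_NET MODE [apply]
#   MODE: transport  (GRE already tunnels; ESP just wraps it, same endpoints)
#         tunnel     (ESP adds its own outer IP header; use with Netfilter)

TUN_IF=${TUN_IF:-gre1}   # assumed interface name

# Map MODE to a setkey policy string. Tunnel mode must name the outer
# endpoints; transport mode leaves them empty.
ipsec_policy() {
    mode=$1; src=$2; dst=$3
    case $mode in
        transport) printf 'esp/transport//require' ;;
        tunnel)    printf 'esp/tunnel/%s-%s/require' "$src" "$dst" ;;
        *) printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
    esac
}

# SPD entries for `setkey -c` (stdin): only GRE (proto 47) between the WAN
# addresses is required to be ESP-protected, in both directions. Anything
# else between the two hosts stays in the clear, which is usually wanted
# so IKE and management traffic are not caught by the policy.
gen_spd() {
    lwan=$1; rwan=$2; mode=$3
    out_pol=$(ipsec_policy "$mode" "$lwan" "$rwan") || return 1
    in_pol=$(ipsec_policy "$mode" "$rwan" "$lwan") || return 1
    printf "setkey -c <<'EOF'\n"
    printf 'spdflush;\n'
    printf 'spdadd %s %s gre -P out ipsec %s;\n' "$lwan" "$rwan" "$out_pol"
    printf 'spdadd %s %s gre -P in ipsec %s;\n'  "$rwan" "$lwan" "$in_pol"
    printf 'EOF\n'
}

# The iproute2 part initscripts do not provide: create the GRE interface,
# address it point-to-point and route the remote network through it.
# The route decides that a packet becomes GRE; the SPD above then decides
# that the GRE packet gets ESP. Both must agree or traffic goes out bare.
gen_gre() {
    lwan=$1; rwan=$2; lgre=$3; rgre=$4; rnet=$5
    printf 'ip tunnel add %s mode gre local %s remote %s ttl 64\n' "$TUN_IF" "$lwan" "$rwan"
    printf 'ip link set %s up\n' "$TUN_IF"
    printf 'ip addr add %s peer %s dev %s\n' "$lgre" "$rgre" "$TUN_IF"
    printf 'ip route add %s dev %s\n' "$rnet" "$TUN_IF"
}

# Full script on stdout: LOCAL_WAN REMOTE_WAN LOCAL_GRE REMOTE_GRE REMOTE_NET MODE
gen_setup() {
    gen_spd "$1" "$2" "$6" || return 1
    gen_gre "$1" "$2" "$3" "$4" "$5"
}

main() {
    if [ "$#" -lt 6 ]; then
        echo "usage: $0 LOCAL_WAN REMOTE_WAN LOCAL_GRE REMOTE_GRE REMOTE_NET MODE [apply]" >&2
        return 2
    fi
    script=$(gen_setup "$1" "$2" "$3" "$4" "$5" "$6") || return 1
    if [ "$7" = apply ]; then
        printf '%s\n' "$script" | sh -e      # needs root, setkey and iproute
    else
        printf '%s\n' "$script"              # dry run: review before applying
    fi
}

# Only act when invoked with arguments; sourcing the file defines functions.
if [ "$#" -ge 6 ]; then main "$@"; fi
```

Run it once without "apply" to read the generated commands; if the firewall is on the same host, pass "tunnel" as MODE and verify with "setkey -DP" that the SPD shows esp/tunnel entries, and with "ip route" that the remote network really points at gre1.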