IPSec tunnel

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi!

I'm testing IPSec tunnels, having the following test schemma:

Host A - eth0: 192.168.1.67
         eth1: 192.168.10.1

Host B - eth0: 192.168.1.254
         eth1: 192.168.20.1


I've succesfully configured an IPSec tunnel in order to safely communicate from 192.168.10.0/24 (which is obviously behind Host A), and 192.168.20.0/24 (obviously behind Host B)

In this test schema, both Hosts are Linux machines.

Now, I have to setup an IPSec tunnel with a third party. They will be using a Cisco router to enable IPSec, being their private LAN which will communicate with mine, behind that Csico.

Supposing Host A was their Cisco router... is it possible to make the tunnel in order to communicate 192.168.10.0/24 directly to 192.168.1.254?

I mean, I want to run my application which will communicate with this third party on the same host which will implement the IPSec.

With the actual configuration, if I origin some traffic to be sent to 192.168.10.0/24, direcly from Host B, it will try to go out using 192.168.1.254 as source IP address, and it doesn't reach it's destination, since the tunnel works if the source address belongs to 192.168.20.0/24

So, is it possible to do what I want?? Origian my traffic to 192.168.10.0/24 directly from Host B, using IPSec?

Is it a matter of my IPSec conf, or I must do some NAT trick or something to achieve this??


This is my actual configuration for Host A:


#/etc/ipsec.conf
#
#!/sbin/setkey -f
flush;
spdflush;

spdadd 192.168.10.0/24 192.168.20.0/24 any -P out ipsec
           esp/tunnel/192.168.0.67-192.168.0.254/require;

spdadd 192.168.20.0/24 192.168.10.0/24 any -P in ipsec
           esp/tunnel/192.168.0.254-192.168.0.67/require;


--------

#/etc/raccon/raccon.conf
#
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

remote 192.168.0.254
{
        exchange_mode main;
        lifetime time 8 hour;   # sec,min,hour

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 192.168.10.0/24 any address 192.168.20.0/24 any
{
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}


---


The configuration for Host B is similar but the other way round..

Thanks in advance,

Juan
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux