Solved

IPSec Site-to-Site and remote access in RHEL5/ Linux

Posted on 2009-05-05
2,983 Views
Last Modified: 2013-12-16
How can I set up IPSec site-to-site and remote access IPSec VPN on RHEL5? Does RHEL5 come with any rpms, or do I need to use another third-party VPN solution from openswan.org or strongswan.org? Please send me the steps to install and configure it also.


Question by:Manojc3
10 Comments
 
LVL 7

Accepted Solution

by:
darrickhartman earned 2000 total points
ID: 24314744
Here's a good starting place.

http://www.linuxtopia.org/online_books/centos_linux_guides/centos_linux_security_guide/s1-ipsec-host2host.html

Note that CentOS 5 is binary compatible with RHEL5 so it should all work the same way.
Racoon is an IPsec implementation that will probably accomplish what you want to do.

Since you give no specifics about your network layout, I'm not going to sit here and guess where your RHEL5 device is in relation to the rest of the network (there's no mention if it IS the firewall or if it sits behind (NAT'ed) the firewall).
0
 

Author Comment

by:Manojc3
ID: 24315544
Well, I want to use RHEL with 2 interfaces: one inside connected to the internal network, IP 192.168.1.0/24, and the other outside connected to the internet with the IP provided by the ISP. This will perform NAT, SNAT, PAT and port forwarding like a Cisco PIX/ASA. For IPSec VPN, will Racoon give site-to-site VPN connecting to a branch office IPSec router and also let mobile users use remote access IPSec with a simple setup? Also suggest using a preshared key and an IPsec VPN client for Windows.
0
 
LVL 7

Expert Comment

by:darrickhartman
ID: 24361668
Manojc3

Sorry I missed your reply in my inbox.  Racoon can do remote access for site to site with both sides having a static IP very easily.  If you have the office with a static IP and the remote end points with dynamic IP addresses, you'll want to look for a 'road warrior' configuration.

This should get you going for the Road Warrior configuration.

http://www.howtoforge.com/racoon_roadwarrior_vpn

The other link in the original message should provide what you need for the site to site set up.
0

 

Author Comment

by:Manojc3
ID: 24414619
Are there any more documents on Racoon configuration and setup? I have 2 networks: one with Linux RHEL5 with 2 NICs, one interface with the real ISP IP and the other with IP 192.168.3.5 from network 192.168.3.0/24, and the other network is 192.168.5.0/24 with gw 192.168.5.2 and the real ISP-provided IP as destination. Also, how do I set up racoon with a Cisco VPN concentrator site-to-site or a Nortel router? I
0
 
LVL 7

Expert Comment

by:darrickhartman
ID: 24418548
The first link I posted in the first message gives you information on how to configure racoon.

Working with a Cisco or Nortel is outside of what you asked in the original question.  Use this question for the Racoon IPSec config on your Linux to Linux boxes then ask a new question for the Cisco VPN Concentrator questions.  They are somewhat related, but will have different answers.

0
 

Author Comment

by:Manojc3
ID: 24418682
I have set up RHEL5 with racoon as you mentioned. To test, I am trying to connect to another branch office which has a Cisco VPN concentrator 3005. I am able to establish an IPsec site-to-site VPN tunnel from RHEL4 (openswan & strongswan) to the Cisco VPN concentrator. For some reason it fails to establish a tunnel with racoon; I guess the proposal doesn't match. I would appreciate it if you have any more documents or examples on racoon. Also, is there any GUI tool for racoon configuration, like a webmin module or so?
0
 
LVL 7

Expert Comment

by:darrickhartman
ID: 24418928
Can you sanitize your current config information from the RHEL4 setup and post it here, along with what you're trying with the racoon config?
0
 

Author Comment

by:Manojc3
ID: 24419432

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
        pfs_group 2;
        lifetime time 8 hour ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
include "/etc/racoon/139.141.148.135.conf";

File 139.141.148.135.conf
remote 139.141.148.135
{
        exchange_mode aggressive, main;
        my_identifier address 192.168.3.6;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}
File psk.txt
139.141.148.135  training


Working strongSwan ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
# version 2.0
config setup
        plutodebug=control
        charonstart=no
        virtual_private=%v4:192.168.0/16
        #crlcheckinterval=180
        nat_traversal=yes
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
conn testsite2site
        type=tunnel
        left=62.215.231.78
        leftsubnet=192.168.3.0/24
        right=139.141.148.135
        rightsubnet=192.168.5.0/24
        ike=3des-md5-modp1024
        keyexchange=ike
        pfs=no
        auto=start
conn rw
        right=%any
        keyexchange=ikev1
        auto=add
file ipsec.secrets
62.215.231.78  139.141.148.135: PSK  "training"
0
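A side-by-side check of the IKE and IPsec SA proposals in the two configs posted above, as an added example that is not part of the original thread and not code from the racoon or strongSwan projects. It assumes only the flat "key value ;" and "key=value" lines shown in the post, and the modp-to-group table is the standard IKE DH group numbering.

```python
import re

# Phase 1 and phase 2 settings copied from the racoon remote/sainfo blocks above.
RACOON = """
encryption_algorithm 3des;
hash_algorithm md5;
dh_group 2 ;
pfs_group 2;
"""
# The matching settings from the strongSwan conn testsite2site above.
STRONGSWAN = """
ike=3des-md5-modp1024
pfs=no
keyexchange=ike
"""

# Standard IKE Diffie-Hellman group numbers for the modp names strongSwan uses.
MODP_TO_GROUP = {"modp768": "1", "modp1024": "2", "modp1536": "5", "modp2048": "14"}

def parse_racoon(text):
    """'key value ;' lines -> dict; comma-separated values become a list."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+([^;]+);", line)
        if m:
            out[m.group(1)] = [v.strip() for v in m.group(2).split(",")]
    return out

def parse_strongswan(text):
    """'key=value' lines -> dict of strings (comments and blanks skipped)."""
    return dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)

def normalize(racoon, strongswan):
    """Reduce both dialects to the same {enc, hash, group, pfs} view."""
    r = {"enc": racoon["encryption_algorithm"][0], "hash": racoon["hash_algorithm"][0],
         "group": racoon["dh_group"][0], "pfs": racoon.get("pfs_group", ["none"])[0]}
    enc, hsh, modp = strongswan["ike"].split("-")
    # strongSwan pfs=yes reuses the IKE group unless pfsgroup= overrides it.
    pfs = "none" if strongswan.get("pfs", "yes") == "no" else MODP_TO_GROUP[modp]
    s = {"enc": enc, "hash": hsh, "group": MODP_TO_GROUP[modp], "pfs": pfs}
    return r, s

def diff(racoon_text, strongswan_text):
    """Return {setting: (racoon value, strongSwan value)} for every mismatch."""
    r, s = normalize(parse_racoon(racoon_text), parse_strongswan(strongswan_text))
    return {k: (r[k], s[k]) for k in r if r[k] != s[k]}

if __name__ == "__main__":
    for k, (a, b) in diff(RACOON, STRONGSWAN).items():
        print(f"{k}: racoon={a} strongswan={b}")
```

Run against the posted files it reports only the phase 2 PFS setting as differing; the same diff with pfs=yes on the strongSwan side comes back empty.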
 

Author Comment

by:Manojc3
ID: 24603910
Where can I get more documentation on Racoon? Also, is there any GUI utility or webmin module?

0
