IPSec Site-to-Site and remote access in RHEL5/ Linux

Posted on 2009-05-05
Last Modified: 2013-12-16
How can I set up IPsec site-to-site and remote access IPsec VPN on RHEL5? Does RHEL5 come with any rpms, or do I need to use another third-party VPN solution from openswan.org or strongswan.org? Please send me the steps to install and configure it also.


Question by:Manojc3

Accepted Solution

by: darrickhartman (earned 500 total points)
Here's a good starting place.

http://www.linuxtopia.org/online_books/centos_linux_guides/centos_linux_security_guide/s1-ipsec-host2host.html

Note that CentOS 5 is binary compatible with RHEL5 so it should all work the same way.
Racoon is an IPsec implementation that will probably accomplish what you want to do.

Since you give no specifics about your network layout, I'm not going to sit here and guess where your RHEL5 device is in relation to the rest of the network (there's no mention if it IS the firewall or if it sits behind (NAT'ed) the firewall).

Author Comment

by: Manojc3
Well, I want to use RHEL with 2 interfaces: one inside, connected to the internal network 192.168.1.0/24, and the other outside, connected to the internet with the IP provided by the ISP. This will perform NAT, SNAT, PAT and port forwarding like a Cisco PIX/ASA. For IPsec VPN, will Racoon give site-to-site VPN connecting to a branch office IPsec router and also let mobile users use remote access IPsec with a simple setup? Also suggest using a preshared key and an IPsec VPN client for Windows.

Expert Comment

by: darrickhartman
Manojc3

Sorry, I missed your reply in my inbox. Racoon can do remote access for site-to-site with both sides having a static IP very easily. If you have the office with a static IP and the remote endpoints with dynamic IP addresses, you'll want to look for a 'road warrior' configuration.

This should get you going for the Road Warrior configuration.

http://www.howtoforge.com/racoon_roadwarrior_vpn

The other link in the original message should provide what you need for the site to site set up.
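For the second case in the comment above (the office gateway has the static address and the mobile users arrive from addresses that are not known in advance), here is a racoon.conf for the gateway as an added example; it is not from the thread, the linked howto or the racoon project. Instead of one remote block per peer it uses remote anonymous, stays passive, and has racoon install the policy for each client's address itself (generate_policy on) when phase 2 completes, because no spdadd line can be written for an address that is only learned when the client connects. Authentication is a group pre-shared key plus a per-user XAuth login, and mode-config hands each client an inside address, which is the exchange the Cisco-style Windows clients expect. The gateway address is the one from the thread; the gateway name vpn.example.com, the group name mobile-users, the client pool 192.168.9.0/24 and the resolver 192.168.3.1 are assumptions, as is that RHEL5's ipsec-tools package was built with the hybrid/XAuth, mode-config, NAT-T and DPD options these directives need.

```conf
# /etc/racoon/racoon.conf  (added example: office gateway for mobile clients)
path pre_shared_key "/etc/racoon/psk.txt";   # must be mode 0600, owned by root
path certificate "/etc/racoon/certs";

listen {
        isakmp 62.215.231.78 [500];
        isakmp_natt 62.215.231.78 [4500];    # NAT-T for clients behind home/hotel NAT
}

# Clients come from any address: one passive catch-all phase 1 definition
remote anonymous {
        exchange_mode aggressive;            # a PSK road warrior forces aggressive mode
        my_identifier fqdn "vpn.example.com"; # assumed name; clients enter it as the gateway ID
        passive on;                          # never initiate towards a mobile client
        generate_policy on;                  # racoon installs the SPD entry per client
        nat_traversal on;
        ike_frag on;                         # large aggressive-mode packets fragment cleanly
        dpd_delay 20;                        # dead peer detection drops stale clients
        proposal_check obey;                 # accept the lifetime the client proposes
        mode_cfg on;                         # hand out inside address and DNS (mode-config)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method xauth_psk_server; # group PSK + per-user XAuth login
                dh_group 2;
        }
}

mode_cfg {
        auth_source system;                  # XAuth login checked against local accounts
        conf_source local;                   # client addresses come from the pool below
        network4 192.168.9.1;                # assumed client pool, not an office subnet
        netmask4 255.255.255.0;
        pool_size 40;
        dns4 192.168.3.1;                    # assumed internal resolver
}

# Phase 2 for any client; PFS is required here
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /etc/racoon/psk.txt: the group name the clients send as their identity, then the secret
# mobile-users  <assumed-group-secret>
```

The group secret lives in /etc/racoon/psk.txt keyed by the group name, and the XAuth accounts are ordinary local users on the gateway (auth_source system). The weak point of this design is the one every aggressive-mode PSK road-warrior setup has: the responder's reply carries a hash keyed with the group PSK, which anyone able to send a single IKE packet to udp/500 can then attack offline, so the group secret must be long and random, XAuth must stay mandatory, and certificates (authentication_method hybrid_rsa_server with a server certificate under path certificate) are the better choice once the clients support them. Route or NAT the 192.168.9.0/24 pool like any other internal segment, and filter what the pool may reach with iptables on the gateway rather than treating the tunnel itself as authorization.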

Author Comment

by: Manojc3
Are there any more documents on Racoon configuration and setup? I have 2 networks: one with Linux RHEL5 with 2 NICs, one interface with the real ISP IP and the other with IP 192.168.3.5 from network 192.168.3.0/24, and the other network is 192.168.5.0/24, gw 192.168.5.2, dest the real ISP-provided IP. Also, how to set up racoon with a Cisco VPN concentrator site-to-site or a Nortel router. I

Expert Comment

by: darrickhartman
The first link I posted in the first message gives you information on how to configure racoon.

Working with a Cisco or Nortel is outside of what you asked in the original question.  Use this question for the Racoon IPSec config on your Linux to Linux boxes then ask a new question for the Cisco VPN Concentrator questions.  They are somewhat related, but will have different answers.


Author Comment

by: Manojc3
I have set up RHEL5 with racoon as you mentioned. To test, I am trying to connect to another branch office which has a Cisco VPN Concentrator 3005. I am able to establish an IPsec site-to-site VPN tunnel from RHEL4 (openswan & strongswan) to the Cisco VPN Concentrator. For some reason it fails to establish a tunnel with racoon; I guess the proposal doesn't match. I'd appreciate it if you have any more documents or examples on racoon. Also, is there any GUI tool for racoon configuration, like a webmin module or so?

Expert Comment

by: darrickhartman
Can you sanitize your current config information from the RHEL4 setup and post it here, along with what you're trying with the racoon config?

Author Comment

by: Manojc3

# Racoon IKE daemon configuration file (/etc/racoon/racoon.conf).
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

# Phase 2 (IPsec SA) parameters for any peer; pfs_group 2 makes PFS mandatory
sainfo anonymous
{
        pfs_group 2;
        lifetime time 8 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
include "/etc/racoon/139.141.148.135.conf";

# File /etc/racoon/139.141.148.135.conf: phase 1 (IKE SA) towards the concentrator
remote 139.141.148.135
{
        exchange_mode aggressive, main;
        my_identifier address 192.168.3.6;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# File /etc/racoon/psk.txt (peer address, whitespace, secret)
139.141.148.135  training

Working strongSwan ipsec.conf:
# /etc/ipsec.conf - strongSwan IPsec configuration file
# version 2.0
config setup
        plutodebug=control
        # IKEv1 only (pluto); the IKEv2 daemon charon is not started
        charonstart=no
        virtual_private=%v4:192.168.0/16
        #crlcheckinterval=180
        nat_traversal=yes
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
conn testsite2site
        type=tunnel
        left=62.215.231.78
        leftsubnet=192.168.3.0/24
        right=139.141.148.135
        rightsubnet=192.168.5.0/24
        # phase 1: 3DES, MD5, DH group 2 (modp1024)
        ike=3des-md5-modp1024
        keyexchange=ike
        # phase 2 without PFS
        pfs=no
        auto=start
conn rw
        right=%any
        keyexchange=ikev1
        auto=add

File ipsec.secrets:
62.215.231.78  139.141.148.135: PSK  "training"
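As an added example, not the poster's configuration and not from the racoon project, here is a racoon.conf with the SPD entries that mirrors the working strongSwan conn testsite2site above on the RHEL5 box: main mode with 3DES, MD5 and DH group 2 for phase 1 (ike=3des-md5-modp1024, ikelifetime=60m) and a 20-minute phase 2 without PFS (keylife=20m, pfs=no). Two settings are worth comparing with the racoon.conf posted above: sainfo anonymous there carries pfs_group 2, which makes racoon insist on PFS in phase 2 while the strongSwan conn runs with pfs=no, and my_identifier address 192.168.3.6 sends the inside address as the IKE identity while the strongSwan conn identifies as left=62.215.231.78. Racoon also only negotiates SAs; unlike pluto it installs no policy of its own for a static site-to-site tunnel, so the spdadd lines, loaded with setkey -f, are what make traffic between the two subnets use the tunnel. Addresses, subnets and the secret are taken from the thread; everything else is my assumption.

```conf
# /etc/racoon/racoon.conf  (added example, mirrors conn testsite2site)
path pre_shared_key "/etc/racoon/psk.txt";   # must be mode 0600, owned by root
path certificate "/etc/racoon/certs";

listen {
        isakmp 62.215.231.78 [500];          # bind only to the outside address
}

# Phase 1 (IKE SA): same as ike=3des-md5-modp1024, ikelifetime=60m
remote 139.141.148.135 {
        exchange_mode main;                  # main mode only, no aggressive fallback
        my_identifier address 62.215.231.78; # outside address, as left= in strongSwan
        peers_identifier address 139.141.148.135;
        verify_identifier on;                # reject a peer whose ID is not that address
        lifetime time 1 hour;
        proposal_check obey;                 # accept the lifetime the peer proposes
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA): keylife=20m, pfs=no, so no pfs_group line here
sainfo address 192.168.3.0/24 any address 192.168.5.0/24 any {
        lifetime time 20 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

# /etc/racoon/psk.txt  (one line: peer address, whitespace, secret)
# 139.141.148.135  training

# /etc/racoon/setkey.conf  - load with: setkey -f /etc/racoon/setkey.conf
# Racoon negotiates SAs when traffic matches these policies; it does not create them itself.
spdflush;
spdadd 192.168.3.0/24 192.168.5.0/24 any -P out ipsec
        esp/tunnel/62.215.231.78-139.141.148.135/require;
spdadd 192.168.5.0/24 192.168.3.0/24 any -P in ipsec
        esp/tunnel/139.141.148.135-62.215.231.78/require;
```

Before starting racoon, check that /etc/racoon/psk.txt is mode 0600 and root-owned (racoon refuses a secret file with weaker permissions), load the policy with setkey -f /etc/racoon/setkey.conf and confirm it with setkey -DP, then run racoon -F -d in the foreground to watch the negotiation; once a ping from 192.168.3.0/24 to 192.168.5.0/24 has brought the tunnel up, setkey -D lists the two ESP SAs. Because this box also does SNAT for the inside network, traffic from 192.168.3.0/24 to 192.168.5.0/24 has to be excluded from the MASQUERADE/SNAT rule in the nat POSTROUTING chain (an ACCEPT rule for that source and destination ahead of it), otherwise the policy never matches the translated packets; udp/500 and IP protocol 50 (ESP) must also be allowed in from the peer. 3DES, MD5 and DH group 2 are kept here only because they are what the concentrator side was configured to accept; on a new deployment prefer AES, SHA-1 or SHA-256 and a larger DH group.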

Author Comment

by: Manojc3
Where can I get more documentation on Racoon? Also, is there any GUI utility or webmin module?
