I've been successful with this for Ubuntu, CentOS, Debian and Fedora. I can't get it to work with Red Hat. I am trying to build a GRE IPsec tunnel between this Red Hat box and a Cisco router. Enclosed are the configs for both and ping tests between the two sites. From the outputs you will see that I am able to get ISAKMP working (phase 1), but not IPsec (phase 2). From the debugs you see that when each site is trying to ping the other site's tunnel address, each is encrypting its packets, and the packets are reaching the other end, BUT neither end is answering the ESP (encryption) packets that are received. And no traffic can pass through either.
The Cisco error message "IPSEC SA failed identity check" indicates that the ACLs (for the "interesting traffic") are not mirrored properly. I checked that and they are mirrored, so it has to be something else.
I am using racoon to encrypt a GRE tunnel.
NOTE: The ipsec-tools are not the absolute latest version. I won't know until it is checked again in two days. If that is a showstopper please let me know now. Otherwise I prefer to use the version that is already installed and don't want to upgrade it if I don't have to.
The legend for the enclosed documents:
Router IP is 12.127.x.x
Router loopback IP (used as tunnel source) is 10.5.5.x
Router GRE tunnel interface is 10.1.1.2
Red Hat server IP is 188.8.131.52
There is an ASA in front of the server and I verified that the IPsec protocols are allowed through. In fact I am allowing ALL IP from the router through the ASA to the server. So the ASA is really a NAT wall for the server, and the server static IP is 192.168.5.x
Red Hat server tunnel interface is 10.1.1.1
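An added check for the ACL mirroring described in the post above (this is example code, not part of the original post or of racoon/ipsec-tools): the script parses the server's setkey SPD and the router's crypto ACL and reports every outbound selector (proxy ID) that no peer entry mirrors. The concrete addresses, the SPD and ACL text and the NAT mapping are constructed stand-ins for the x'd-out values in the legend, and the function names are my own. Because tunnel-mode ESP encrypts the inner GRE header before the ASA rewrites the outer one, the router's crypto ACL has to name the address as it appears inside the encrypted packet, so the script also reports a selector that would only mirror after the static NAT is applied.

```python
"""Compare a racoon/setkey SPD with a Cisco crypto ACL for mirrored proxy IDs.

Added example for this thread, not the poster's configuration. All addresses
and file contents below are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str  # upper-layer protocol: "gre", "any"/"ip", ...

    def mirror(self):
        """The selector the peer must hold for this one to match."""
        return Selector(self.dst, self.src, self.proto)


def _net(token):
    """'a.b.c.d', 'a.b.c.d/nn' or setkey's 'a.b.c.d[port]' -> IPv4Network."""
    token = token.split("[")[0]
    if "/" not in token:
        token += "/32"
    return ipaddress.ip_network(token, strict=False)


# setkey policy line: spdadd <src> <dst> <upperspec> -P <in|out> ipsec ...;
SPD_RE = re.compile(r"^\s*spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\b")


def parse_setkey_spd(text):
    """Return {"in": [Selector], "out": [Selector]} from spdadd lines."""
    out = {"in": [], "out": []}
    for line in text.splitlines():
        m = SPD_RE.match(line)
        if m:
            src, dst, proto, direction = m.groups()
            out[direction].append(Selector(_net(src), _net(dst), proto.lower()))
    return out


def _cisco_addr(tokens, i):
    """Parse one ACL address at tokens[i]; return (network, tokens consumed)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return _net(tokens[i + 1]), 2
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))  # Cisco wildcard mask
    if (wild + 1) & wild:  # non-contiguous wildcard has no CIDR equivalent
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]}")
    return ipaddress.ip_network(f"{tokens[i]}/{32 - wild.bit_length()}", strict=False), 2


def parse_cisco_acl(text):
    """Return [Selector] from 'permit <proto> <src> <dst>' lines; other lines skipped."""
    sels = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "permit":
            continue
        src, n = _cisco_addr(t, 2)
        dst, _ = _cisco_addr(t, 2 + n)
        sels.append(Selector(src, dst, t[1].lower()))
    return sels


def unmirrored(local_out, peer_acl):
    """Local outbound selectors that no peer ACL entry mirrors.

    The peer mirrors us when its source is our destination, its destination
    is our source, and the protocol matches (Cisco 'ip' == setkey 'any').
    """
    def same_proto(a, b):
        return a == b or {a, b} == {"ip", "any"}
    return [s for s in local_out
            if not any(p.src == s.mirror().src and p.dst == s.mirror().dst
                       and same_proto(p.proto, s.proto) for p in peer_acl)]


def nat_mismatches(problems, peer_acl, nat):
    """(local, translated) pairs that mirror only after static NAT of our source.

    Assumes tunnel-mode ESP and a 1:1 static NAT on the outer header, as the
    poster describes: the peer decrypts an inner header that still carries the
    pre-NAT address, so an ACL written against the public address never matches.
    """
    hits = []
    for sel in problems:
        for private, public in nat.items():
            if sel.src == _net(private):
                translated = Selector(_net(public), sel.dst, sel.proto)
                if not unmirrored([translated], peer_acl):
                    hits.append((sel, translated))
    return hits


# Constructed sample data standing in for the poster's configs.
SERVER_SPD = """\
spdflush;
spdadd 192.168.5.10/32 10.5.5.1/32 gre -P out ipsec esp/tunnel/192.168.5.10-12.127.0.1/require;
spdadd 10.5.5.1/32 192.168.5.10/32 gre -P in  ipsec esp/tunnel/12.127.0.1-192.168.5.10/require;
"""
ROUTER_ACL = """\
ip access-list extended GRE-TO-SERVER
 permit gre host 10.5.5.1 host 188.8.131.52
"""
NAT = {"192.168.5.10": "188.8.131.52"}  # server private -> ASA static public

if __name__ == "__main__":
    bad = unmirrored(parse_setkey_spd(SERVER_SPD)["out"], parse_cisco_acl(ROUTER_ACL))
    for sel in bad:
        print(f"not mirrored by peer: {sel.proto} {sel.src} -> {sel.dst}")
    for sel, tr in nat_mismatches(bad, parse_cisco_acl(ROUTER_ACL), NAT):
        print(f"peer ACL uses NAT address {tr.src}; inner header carries {sel.src}")
```

Run it against the real `setkey -DP` output and `show ip access-lists` output instead of the constructed strings; an empty result from `unmirrored` is the condition the Cisco identity check requires, and a hit from `nat_mismatches` points at an ACL written against the post-NAT address.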