tony.chamberlain@xxxxxxxxx wrote:
Has anyone had experience with Freeswan?
We have a situation where say there is a Linux machine in City 1 with
IP address 10.0.0.10 (for example)
and a Linux machine in City 2 with an IP address of 10.0.0.20 (for
example). Now these machines are
in different cities, so machine 1 cannot just open a socket on
10.0.0.20 because machine 2 is on a different
network. Each machine does have a router, say City 1 is 65.15.47.28
(for example). To get into City 1from
outside the network you go through thr router, use 65.15.47.28 which
routes into the LAN. The same for
City 2. For a unix process on 10.0.0.10 to send to 10.0.0.20 it would
have to send to 65.15.47.28 which would route
it in. Problem is, its from address would be 10.0.0.10, which the
machine at 10.0.0.20 wouldn't know about.
A process on 10.0.0.20 would have to do something similar to respond.
Now these machines have to actually be able to use each others'
10.0.0.X addresses. I assume this is possible
via a VPN. They don't have any Cicsco VPNs or anything, and they asked
whether it is possible just using
Linux (CentOS) to set up a VPN. I did a bit of searching and found a
couple things. Freeswan seemed to be
the most promising, though other packages could be just as good.
Is the above scenario possible with Freeswan or can you recommend some
other way?
Thanks
We use FreeSwan in our firewalls to link sites together to produce just
such a scheme as you describe. The setup for fixed IP addresses at each
end is easy and can be based around pre-shared keys, or RSA signatures.
We tend to use the latter as it is slightly stronger in practice.
The major headaches are not with the IPSEC tunnels, they tend to be in
the firewall settings to allow the IPSEC traffic through and in the
routing. For the first we use Shorewall and for the second we run BGP
to support route failover if a firewall connection goes down.
Our configuration has been used with FreeSWAN and now with OpenSWAN
which is the later replacement for the product.
IPSEC connections are robust once established but can be very tricky to
get going for the first time. Interoperability is always an issue but
so far the only combination we have had long term trouble with is
OpenSWAN to Netscreen.
If you go down this route use a late release 2.6.x kernel ... Fedora 7
works nicely.
Howard.
--
|
Howard Wilkinson
|
Phone:
|
+44(20)76907075
|
|
Coherent Technology Limited
|
Fax:
|
|
|
23 Northampton Square,
|
Mobile:
|
+44(7980)639379
|
|
United Kingdom, EC1V 0HL
|
Email:
|
howard@xxxxxxxxxxx
|
|
