Re: Freeswan (CentOS 4.5)



[email protected] wrote:

Has anyone had experience with Freeswan?

We have a situation where say there is a Linux machine in City 1 with IP address (for example)
and a Linux machine in City 2 with an IP address of (for example).  Now these machines are
in different cities, so machine 1 cannot just open a socket on because machine 2 is on a different
network.  Each machine does have a router, say City 1 is (for example).  To get into City 1 from
outside the network you go through the router, use which routes into the LAN.  The same for
City 2.  For a unix process on to send to it would have to send to which would route
it in.  Problem is, its from address would be, which the machine at wouldn't know about.
A process on would have to do something similar to respond.

Now these machines have to actually be able to use each other's 10.0.0.X addresses.  I assume this is possible
via a VPN.  They don't have any Cisco VPNs or anything, and they asked whether it is possible just using
Linux (CentOS) to set up a VPN.  I did a bit of searching and found a couple of things.  Freeswan seemed to be
the most promising, though other packages could be just as good.

Is the above scenario possible with Freeswan or can you recommend some other way?

We use FreeSWAN in our firewalls to link sites together to produce just such a scheme as you describe. The setup for fixed IP addresses at each end is easy and can be based around pre-shared keys or RSA signatures. We tend to use the latter as it is slightly stronger in practice.

The major headaches are not with the IPSEC tunnels; they tend to be in the firewall settings to allow the IPSEC traffic through and in the routing. For the first we use Shorewall and for the second we run BGP to support route failover if a firewall connection goes down.

Our configuration has been used with FreeSWAN and now with OpenSWAN, which is the later replacement for the product.

IPSEC connections are robust once established but can be very tricky to get going for the first time. Interoperability is always an issue but so far the only combination we have had long term trouble with is OpenSWAN to Netscreen.

If you go down this route, use a late-release 2.6.x kernel ... Fedora 7 works nicely.

Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
United Kingdom, EC1V 0HL
[email protected]
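As an added illustration (not from either poster), here is a minimal Openswan-style ipsec.conf for the fixed-address, RSA-signature site-to-site tunnel Howard describes. Every address, identity and key is a constructed placeholder: public addresses from the documentation ranges, and a distinct private /24 at each end, because a tunnel needs non-overlapping subnets even though the original question uses 10.0.0.X at both sites.

```ini
# /etc/ipsec.conf on the City 1 gateway (constructed example; City 2 uses the same
# file, since left/right are matched to the local address, not to a side).
# The firewall must pass UDP 500 (IKE) and IP protocol 50 (ESP) between the two
# gateway addresses, plus UDP 4500 if NAT is in the path; otherwise IKE never completes.
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=no
    # Openswan 2.6 on a 2.6.x kernel: use the in-kernel NETKEY IPsec stack
    protostack=netkey

conn city1-city2
    type=tunnel
    authby=rsasig
    # City 1: public gateway address and the LAN behind it (placeholders)
    left=198.51.100.1
    leftsubnet=10.0.0.0/24
    leftid=@gw.city1.example
    # Public half of this host's key, as printed by 'ipsec showhostkey --left'
    leftrsasigkey=0sAQ...PLACEHOLDER-CITY1-PUBLIC-KEY...
    # City 2: public gateway address and its LAN (placeholders)
    right=203.0.113.1
    rightsubnet=10.0.1.0/24
    rightid=@gw.city2.example
    rightrsasigkey=0sAQ...PLACEHOLDER-CITY2-PUBLIC-KEY...
    # Negotiate at startup and keep the tunnel up
    auto=start
```

Generate each host's key pair with `ipsec newhostkey --output /etc/ipsec.secrets` before filling in the two public keys, and use `ipsec verify` and `ipsec auto --status` to confirm the kernel, firewall and negotiation state once both ends are configured.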

