Re: Freeswan (CentOS 4.5)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Title: Signature
tony.chamberlain@xxxxxxxxx wrote:


Has anyone had experience with Freeswan?

We have a situation where say there is a Linux machine in City 1 with IP address 10.0.0.10 (for example)
and a Linux machine in City 2 with an IP address of 10.0.0.20 (for example).  Now these machines are
in different cities, so machine 1 cannot just open a socket on 10.0.0.20 because machine 2 is on a different
network.  Each machine does have a router, say City 1 is 65.15.47.28 (for example).  To get into City 1from
outside the network you go through thr router, use 65.15.47.28 which routes into the LAN.  The same for
City 2.  For a unix process on 10.0.0.10 to send to 10.0.0.20 it would have to send to 65.15.47.28 which would route
it in.  Problem is, its from address would be 10.0.0.10, which the machine at 10.0.0.20 wouldn't know about.
A process on 10.0.0.20 would have to do something similar to respond.

Now these machines have to actually be able to use each others' 10.0.0.X addresses.  I assume this is possible
via a VPN.  They don't have any Cicsco VPNs or anything, and they asked whether it is possible just using
Linux (CentOS) to set up a VPN.  I did a bit of searching and found a couple things.  Freeswan seemed to be
the most promising, though other packages could be just as good.

Is the above scenario possible with Freeswan or can you recommend some other way?


Thanks
We use FreeSwan in our firewalls to link sites together to produce just such a scheme as you describe. The setup for fixed IP addresses at each end is easy and can be based around pre-shared keys, or RSA signatures. We tend to use the latter as it is slightly stronger in practice.

The major headaches are not with the IPSEC tunnels, they tend to be in the firewall settings to allow the IPSEC traffic through and in the routing. For the first we use Shorewall and for the second we run BGP to support route failover if a firewall connection goes down.

Our configuration has been used with FreeSWAN and now with OpenSWAN which is the later replacement for the product.

IPSEC connections are robust once established but can be very tricky to get going for the first time. Interoperability is always an issue but so far the only combination we have had long term trouble with is OpenSWAN to Netscreen.

If you go down this route use a late release 2.6.x kernel ... Fedora 7 works nicely.

Howard.

--

Howard Wilkinson

Phone:

+44(20)76907075

Coherent Technology Limited

Fax:

 

23 Northampton Square,

Mobile:

+44(7980)639379

United Kingdom, EC1V 0HL

Email:

howard@xxxxxxxxxxx

 

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux