Freeswan (CentOS 4.5)
Howard Wilkinson
howard at cohtech.com
Tue Jan 8 08:59:07 UTC 2008
tony.chamberlain at lemko.com wrote:
>
>
> Has anyone had experience with Freeswan?
>
> We have a situation where say there is a Linux machine in City 1 with
> IP address 10.0.0.10 (for example)
> and a Linux machine in City 2 with an IP address of 10.0.0.20 (for
> example). Now these machines are
> in different cities, so machine 1 cannot just open a socket on
> 10.0.0.20 because machine 2 is on a different
> network. Each machine does have a router, say City 1 is 65.15.47.28
> (for example). To get into City 1 from
> outside the network you go through the router, use 65.15.47.28 which
> routes into the LAN. The same for
> City 2. For a unix process on 10.0.0.10 to send to 10.0.0.20 it would
> have to send to 65.15.47.28 which would route
> it in. Problem is, its from address would be 10.0.0.10, which the
> machine at 10.0.0.20 wouldn't know about.
> A process on 10.0.0.20 would have to do something similar to respond.
>
> Now these machines have to actually be able to use each other's
> 10.0.0.X addresses. I assume this is possible
> via a VPN. They don't have any Cisco VPNs or anything, and they
> asked whether it is possible just using
> Linux (CentOS) to set up a VPN. I did a bit of searching and found a
> couple things. Freeswan seemed to be
> the most promising, though other packages could be just as good.
>
> Is the above scenario possible with Freeswan or can you recommend some
> other way?
>
>
> Thanks
We use FreeSwan in our firewalls to link sites together to produce just
such a scheme as you describe. The setup for fixed IP addresses at each
end is easy and can be based around pre-shared keys, or RSA signatures.
We tend to use the latter as it is slightly stronger in practice.
The major headaches are not with the IPSEC tunnels, they tend to be in
the firewall settings to allow the IPSEC traffic through and in the
routing. For the first we use Shorewall and for the second we run BGP to
support route failover if a firewall connection goes down.
Our configuration has been used with FreeSWAN and now with OpenSWAN
which is the later replacement for the product.
IPSEC connections are robust once established but can be very tricky to
get going for the first time. Interoperability is always an issue but so
far the only combination we have had long term trouble with is OpenSWAN
to Netscreen.
If you go down this route use a late release 2.6.x kernel ... Fedora 7
works nicely.
Howard.
--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Mobile: +44(7980)639379
Email: howard at cohtech.com
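As an added example (not from Howard's message or from the FreeS/WAN project), a minimal ipsec.conf for the fixed-IP, RSA-signature site-to-site tunnel the reply describes. It reuses the 65.15.47.28 gateway address from the question; the City 2 gateway address 203.0.113.2, the identities and the key placeholders are constructed. The question puts both hosts in 10.0.0.x, but a routed site-to-site tunnel needs the two LANs on non-overlapping subnets, so the example assumes City 1 is 10.0.0.0/24 and City 2 is 10.0.1.0/24.

```ini
# /etc/ipsec.conf (example, not from the original post)
# The same file is installed on both gateways: "left" and "right" are
# labels, and each gateway works out which side it is from its own
# local addresses.
version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn city1-city2
    # City 1 gateway: public address taken from the question
    left=65.15.47.28
    # LAN behind City 1 (assumed)
    leftsubnet=10.0.0.0/24
    leftid=@city1-gw
    # Placeholder: paste the key printed by "ipsec showhostkey --left"
    # on the City 1 gateway
    leftrsasigkey=0sREPLACE-WITH-CITY1-PUBLIC-KEY
    # City 2 gateway: constructed placeholder address (RFC 5737 range)
    right=203.0.113.2
    # LAN behind City 2 (assumed, must not overlap leftsubnet)
    rightsubnet=10.0.1.0/24
    rightid=@city2-gw
    # Placeholder: paste the key printed by "ipsec showhostkey --right"
    # on the City 2 gateway
    rightrsasigkey=0sREPLACE-WITH-CITY2-PUBLIC-KEY
    # RSA signatures, as the reply recommends over pre-shared keys;
    # authby=secret with /etc/ipsec.secrets is the PSK alternative
    authby=rsasig
    # bring the tunnel up at ipsec start
    auto=start
```

Once both gateways carry the file, `ipsec auto --up city1-city2` starts the negotiation and `ipsec auto --status` shows the resulting SAs. On the firewall side the reply mentions, each gateway must accept UDP port 500 (IKE) and IP protocol 50 (ESP) from the peer address, plus UDP 4500 if NAT traversal is involved; with KLIPS the decrypted LAN-to-LAN traffic then appears on the ipsec0 interface, so forwarding rules for the 10.0.x.0/24 subnets apply there rather than on the outside interface.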