The IPSec implementation in Red Hat Enterprise Linux (RHEL) has changed from ipsec-tools (used in RHEL 5) to openswan in RHEL 6. Configuration through ifcfg-ipsec interfaces no longer works. The same change applies to CentOS.
Installing openswan is simple
yum install openswan
Uncomment the include line in /etc/ipsec.conf.
Now all configuration can be stored in /etc/ipsec.d
Here is a real-life example of an IPSec tunnel using openswan between CentOS 6 and a Cisco 7200 router. The connection definition (telekom.conf) and the pre-shared key (telekom.secrets) live in /etc/ipsec.d:
conn telekom
    type=tunnel
    authby=secret
    auth=esp
    ikelifetime=86400s
    keylife=86400s
    esp=3des-sha1
    ike=3des-sha1-modp1024
    keyexchange=ike
    pfs=yes
    #local - centos
    left=your_server_public_ip
    leftsubnet=192.168.0.185/32
    leftsourceip=192.168.0.185
    #remote - cisco
    right=195.91.X.Y
    rightsubnet=192.168.200.27/32
    # auto=add
    auto=start
195.91.X.Y your_server_public_ip: PSK "blabla"
After starting the ipsec service
service ipsec start
we can ping the remote side from the tunnel's local address:
ping -I 192.168.0.185 192.168.200.27
PING 192.168.200.27 (192.168.200.27) from 192.168.0.185 : 56(84) bytes
64 bytes from 192.168.200.27: icmp_seq=1 ttl=56 time=1.90 ms
To debug the connection, set auto=add in the <connection-name>.conf file and bring the tunnel up manually with
ipsec -v auto --up <connection-name>
Hi, thank you for your explanation and sample files. I did follow them, however I am getting an error as follows:
failed to start openswan IKE daemon – the following error occured:
can not load config ‘/etc/ipsec.conf’: /etc/ipsec.d/file_name.secrets:2: syntax error, unexpected STRING, expecting $end [remotehostip]
Hi, the secrets filename should match the conf filename in /etc/ipsec.d/, and it must be the same as the “conn” parameter in this conf file. In the example it is “telekom”. Just replace “telekom” everywhere in the example with your name.
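As an added example (not part of the original post or its comments), here is a small POSIX shell checker for the naming rule described in the reply above, meant to be run before service ipsec start or ipsec auto --up. It assumes the layout used on this page: one <name>.conf in /etc/ipsec.d containing "conn <name>" and a matching <name>.secrets whose PSK line starts with the remote (right=) address. The demo directory it builds uses constructed, documentation-range addresses and a made-up PSK. It also warns when esp= or ike= uses 3des or modp1024, as the example on this page does, since both are weak by current standards.

```sh
#!/bin/sh
# Added example: sanity-check openswan connection files in an ipsec.d-style directory.
# Assumed layout (from the post): <name>.conf holds "conn <name>" and <name>.secrets
# holds a line of the form: <right-ip> <left-ip>: PSK "..."

# check_conn_dir DIR
#   Prints one line per problem found. Returns 0 if no errors (warnings do not
#   count), 1 otherwise.
check_conn_dir() {
    dir=$1
    status=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)

        # 1. the conn name inside the file must equal the file's base name
        conn=$(sed -n 's/^conn[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
        if [ "$conn" != "$name" ]; then
            echo "$conf: conn name '$conn' does not match file name '$name'"
            status=1
        fi

        # 2. a secrets file with the same base name must exist
        secrets="$dir/$name.secrets"
        if [ ! -f "$secrets" ]; then
            echo "$conf: missing $secrets"
            status=1
            continue
        fi

        # 3. the secrets file must have a PSK line that starts with the right= address
        right=$(sed -n 's/^[[:space:]]*right=\(.*\)$/\1/p' "$conf" | head -n 1)
        right_re=$(printf '%s' "$right" | sed 's/\./\\./g')
        if ! grep -q "^$right_re .*: PSK \"" "$secrets"; then
            echo "$secrets: no line '$right <left>: PSK \"...\"'"
            status=1
        fi

        # 4. warn about algorithms that are weak by current standards
        if grep -Eq '^[[:space:]]*(esp|ike)=.*(3des|modp1024)' "$conf"; then
            echo "$conf: WARNING: esp/ike uses 3des or modp1024 (weak by current standards)"
        fi
    done
    return $status
}

# make_demo_dir
#   Builds a constructed demo directory: a correct "telekom" pair modelled on the
#   post, plus "branch.conf" whose conn name does not match its file name and
#   which has no secrets file. Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/telekom.conf" <<'EOF'
conn telekom
    type=tunnel
    authby=secret
    esp=3des-sha1
    ike=3des-sha1-modp1024
    left=203.0.113.10
    right=198.51.100.20
    auto=start
EOF
    printf '198.51.100.20 203.0.113.10: PSK "constructed-example-psk"\n' > "$d/telekom.secrets"
    cat > "$d/branch.conf" <<'EOF'
conn office
    type=tunnel
    authby=secret
    left=203.0.113.10
    right=198.51.100.30
    auto=start
EOF
    echo "$d"
}

# Stand-alone run against the constructed demo; on a real host call
# check_conn_dir /etc/ipsec.d instead.
demo=$(make_demo_dir)
if check_conn_dir "$demo"; then
    echo "no problems found"
else
    echo "problems found, fix them before starting ipsec"
fi
rm -rf "$demo"
```

Run it as a normal user against a copy of /etc/ipsec.d, or as root against the directory itself; a non-zero exit means at least one .conf will fail to load with the kind of syntax error quoted above.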