The IPsec implementation in Red Hat Enterprise Linux (RHEL) has changed from ipsec-tools (used in RHEL 5) to openswan in RHEL 6. Configuration through ifcfg-ipsec interfaces no longer works. The same change applies to CentOS.
Installing openswan is simple:
yum install openswan
Uncomment the following line in /etc/ipsec.conf:
include /etc/ipsec.d/*.conf
Now all connection configuration can be stored in /etc/ipsec.d.
Here is a real-life example of an IPsec tunnel using openswan between CentOS 6 and a Cisco 7200:
/etc/ipsec.d/telekom.conf
conn telekom
    type=tunnel
    authby=secret
    auth=esp
    ikelifetime=86400s
    keylife=86400s
    esp=3des-sha1
    ike=3des-sha1-modp1024
    keyexchange=ike
    pfs=yes
    # local - centos
    left=your_server_public_ip
    leftsubnet=192.168.0.185/32
    leftsourceip=192.168.0.185
    # remote - cisco
    right=195.91.X.Y
    rightsubnet=192.168.200.27/32
    # auto=add
    auto=start
/etc/ipsec.d/telekom.secrets
195.91.X.Y your_server_public_ip: PSK "blabla"
After starting the ipsec service
service ipsec start
we are able to ping the remote side:
ping -I 192.168.0.185 192.168.200.27
PING 192.168.200.27 (192.168.200.27) from 192.168.0.185 : 56(84) bytes of data.
64 bytes from 192.168.200.27: icmp_seq=1 ttl=56 time=1.90 ms
To debug a connection, set auto=add in the <connection-name>.conf file and bring the tunnel up manually with:
ipsec -v auto --up <connection-name>
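A small consistency check for a conn file and its .secrets file, written for this post as an added example (not part of the original post or of openswan): it parses the conn block and the PSK line, verifies that the PSK line names both the left and right hosts, and flags the 3DES/modp1024 algorithms the sample uses, which are no longer considered adequate. All sample inputs are constructed; the IP addresses are RFC 5737 documentation addresses.

```python
import re

# Added example (not from the original post): check that an openswan conn file and
# its .secrets file agree, and flag weak algorithms. All inputs below are constructed.
WEAK = ("3des", "modp1024", "md5")  # not acceptable for new tunnels today

def parse_conn(text):
    """Parse one 'conn NAME' block into (name, {key: value})."""
    name, params = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments like '# auto=add'
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
        elif "=" in line:
            key, val = line.split("=", 1)
            params[key.strip()] = val.strip()
    return name, params

def parse_secrets(text):
    """Return [(set_of_hosts, psk)] from lines like 'A B : PSK "x"'."""
    hits = re.findall(r'^\s*([^:#\n]+?)\s*:\s*PSK\s+"([^"]*)"\s*$', text, re.M)
    return [(set(hosts.split()), psk) for hosts, psk in hits]

def check(conf_text, secrets_text):
    name, p = parse_conn(conf_text)
    if name is None:
        return ["no 'conn' section found"]
    problems = []  # empty list means the pair looks consistent
    if "left" not in p or "right" not in p:
        problems.append(f"conn {name} needs both left= and right=")
    secrets = parse_secrets(secrets_text)
    if not secrets:
        problems.append('no valid PSK line in secrets file (expected: left right : PSK "...")')
    elif not any({p.get("left"), p.get("right")} <= hosts for hosts, _ in secrets):
        problems.append(f"no PSK line lists both left and right of conn {name}")
    for key in ("esp", "ike"):
        for alg in WEAK:
            if alg in p.get(key, ""):
                problems.append(f"{key}={p[key]} uses weak algorithm {alg}")
    return problems

# Constructed sample in the post's layout, with RFC 5737 documentation addresses.
CONF = """conn telekom
    esp=3des-sha1
    ike=3des-sha1-modp1024
    left=203.0.113.10
    right=198.51.100.20
    # auto=add
    auto=start
"""
SECRETS_OK = '198.51.100.20 203.0.113.10: PSK "blabla"\n'
SECRETS_BAD = '198.51.100.20 203.0.113.10 PSK "blabla"\n'  # missing ':' separator
```

Run check(CONF, SECRETS_OK) and check(CONF, SECRETS_BAD) to see the algorithm warnings alone versus the additional missing-PSK-line report.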
Hi, thank you for your explanation and sample files. I did follow them; however, I am getting an error as follows:
failed to start openswan IKE daemon - the following error occured:
can not load config '/etc/ipsec.conf': /etc/ipsec.d/file_name.secrets:2: syntax error, unexpected STRING, expecting $end [remotehostip]
Hi, the secrets filename should match the conf filename in /etc/ipsec.d/, and it must be the same as the “conn” parameter in this conf file. In the example it is “telekom”. Just replace “telekom” everywhere in the example with your name.