IPSec interop between RHEL 3 or 4 with ESP-only implementations?

Richard Bullington-McGuire rbulling at pkrinternet.com
Thu May 11 18:36:52 UTC 2006


I've been doing some interoperability tests between RHEL and some other 
IPSec implementations (FreeS/WAN and m0n0wall), without success.

I can get RHEL <-> RHEL IPSec tunnels to work fine, both between the same 
RHEL versions and between versions 3 and 4. I've been using the IPSec 
configuration tools mentioned in the System Administrator's Guide that use 
/etc/sysconfig/network-scripts/ifcfg-ipsecX files to provide the master 
information on the endpoints of the IPSec connection.

It seems that the /etc/sysconfig/network-scripts/ifup-ipsec script uses 
the ipsec-tools programs (racoon, setkey) and manipulates their 
configuration files to get the IPSec connection going. However, it creates 
Security Policy Database (SPD) entries that require both AH and ESP 
encapsulation of packets. Some IPSec implementations, such as FreeS/WAN 
and m0n0wall, only offer one or the other. FreeS/WAN offers only ESP; they 
dropped their support for AH a long time ago. m0n0wall offers either AH or 
ESP, but not both. The last time I tested a LinkSys VPN firewall router, 
it only supported ESP.

There's a Red Hat bug regarding this that I made some comments on:

  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=150094

Has anyone gotten RHEL 3 or 4 to interoperate with either FreeS/WAN, 
OpenSwan, the LinkSys BEFVP41, or other products that don't support both 
ESP and AH simultaneously? It should be possible to either come up with 
custom scripts that set up the SPD entries to only require ESP, or to 
fix (ifup|ifdown)-ipsec to deal with ESP-only connections.


-- 
  Richard Bullington-McGuire, Managing Partner, PKR Internet, LLC
  Email: rbulling at pkrinternet.com  Web: http://pkrinternet.com/
  Phone: +1 (703) 271 0607  Fax: +1 (703) 271 0580
  PGP key IDs:  RSA: 0x9386230  DH/DSS: 0xDAC3028E
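The workaround the message suggests (a custom script that installs SPD entries requiring only ESP) can be sketched with setkey(8) directly. The following is an added example, not part of the original post and not Red Hat's ifup-ipsec script: it generates a tunnel-mode SPD in setkey syntax that requires only ESP, shows the both-AH-and-ESP shape for contrast, and applies the ESP-only policy with setkey if it is installed. The networks and gateway addresses are constructed, and the exact form of the AH+ESP lines is an assumption about what ifup-ipsec emits, not a quote from it.

```shell
#!/bin/sh
# Added example: ESP-only tunnel-mode SPD entries for setkey(8).
# Not the RHEL ifup-ipsec script; addresses below are constructed.

# esp_only_spd LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Prints an SPD that requires ESP only, so an ESP-only peer
# (FreeS/WAN, m0n0wall, a LinkSys router) can negotiate it.
esp_only_spd() {
    cat <<EOF
spdadd $1 $2 any -P out ipsec
    esp/tunnel/$3-$4/require;
spdadd $2 $1 any -P in ipsec
    esp/tunnel/$4-$3/require;
EOF
}

# ah_esp_spd LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# For contrast: a policy that requires BOTH ESP and AH on every packet.
# This is the shape the post describes; an ESP-only peer cannot satisfy
# the second requirement, so phase 2 fails. (Assumed form, not a quote.)
ah_esp_spd() {
    cat <<EOF
spdadd $1 $2 any -P out ipsec
    esp/tunnel/$3-$4/require
    ah/tunnel/$3-$4/require;
spdadd $2 $1 any -P in ipsec
    esp/tunnel/$4-$3/require
    ah/tunnel/$4-$3/require;
EOF
}

# count_ah POLICY_TEXT  -> number of policy lines that require AH.
# Use this as a sanity check before loading a policy: it must be 0
# when the peer only speaks ESP.
count_ah() {
    printf '%s\n' "$1" | grep -c 'ah/tunnel' || true
}

# apply_esp_only_spd LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Flushes the SPD and loads the ESP-only policy via "setkey -c"
# (reads the policy from stdin). Needs root and ipsec-tools installed.
apply_esp_only_spd() {
    command -v setkey >/dev/null 2>&1 || {
        echo "setkey not found; install ipsec-tools" >&2
        return 1
    }
    { echo 'spdflush;'; esp_only_spd "$@"; } | setkey -c
}

# Stand-alone run: just print the ESP-only policy for the constructed
# example (192.168.1.0/24 behind 203.0.113.1, 192.168.2.0/24 behind
# 198.51.100.1); nothing is loaded into the kernel here.
esp_only_spd 192.168.1.0/24 192.168.2.0/24 203.0.113.1 198.51.100.1
```

Because racoon negotiates what the SPD demands, the SPD is the place to drop AH; the sainfo block in racoon.conf then needs only an encryption_algorithm plus an authentication_algorithm, which together describe ESP with integrity protection, so no separate AH SA is required. Run the apply function (or `setkey -f` on the generated file) on both RHEL endpoints, or on the RHEL side when the peer is FreeS/WAN or m0n0wall, after `ifdown ipsecX` has torn down the AH+ESP policy that ifup-ipsec installed.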