
I have a Cisco Linksys router configured as a VPN gateway (network to network): Configuration on Linksys router

Now I want to configure an IPsec VPN similarly on CentOS 6 with Openswan. I was looking on the internet but had no luck (there are some tutorials, but they are not similar to my situation or are outdated, for ipsec-tools and CentOS 4). Reading the man pages for Openswan only gives me a headache. On the remote site there is some Checkpoint device (all I know about its configuration is this screenshot from the Linksys panel with the already configured VPN tunnel).

I'm not a Google hacker, but I know how to use it, and maybe there is some tutorial that will help me that I didn't find myself.

I have already installed Openswan, but if there is any better software and solution (on CentOS), I don't mind using it.

EDIT1: After reading MadHatter's answer I started combining different configs... and I got lost... I think I gave too little information.

So first, the screenshot from the Linksys Manager, VPN gateway-to-gateway site:

In the section Local Group Setup: the IP in the grey boxes (IP address d.168.1.67) is the IP that I think the Linksys is getting from the Checkpoint on the far side; it's not possible to change that parameter. Next is the IP address (e.199.1.0/24) in the white boxes; that is my local network.

In the section Remote Group Setup: IP address a.b.c.4 is the public IP of the Checkpoint on the far side.

In the third section there are the parameters of the IPsec tunnel connection.

This is the second screen, which I'm not sure is significant, but I'm pasting it anyway: Linksys System Summary screen

The WAN1 IP is the one the Checkpoint gives me. LAN is simply the address of the Linksys in the local network.

With those screens and Mad's answer I wrote this IPsec config in /etc/ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
#
#version        2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
#       # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
#       protostack=netkey
#       nat_traversal=yes
#       virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0
#version 2.0
conn linksys-1
        # Left endpoint, subnet behind it, next hop toward right
        keyingtries=0
        left=a.b.c.4
        #leftsubnet=a.b.c.4/32 (should I put here d.168.1.67/32 ???)
        leftnexthop=%defaultroute
        # Right endpoint, subnet behind it, next hop toward left
        right=d.168.1.67
        rightsubnet=e.199.1.0/24
        type=tunnel
        authby=secret
        #auth=esp
        keylife=59m
        ikelifetime=59m
        #esp=3des-md5-96
        pfs=no
        #compress=no
        #keyexchange=ike
        auto=start
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

And the secrets file /etc/ipsec.secret:

d.168.1.67 a.b.c.4: PSK "secretPSK"

I completely don't understand this configuration despite MadHatter's efforts.

EDIT2: Logs from /var/log/messages after starting ipsec:

Jul  5 10:58:52 router-progr ipsec_starter[27724]: could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )
Jul  5 10:58:52 router-progr ipsec_starter[27725]: could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )
Jul  5 10:58:52 router-progr ipsec_setup: Starting Openswan IPsec 2.6.32...
Jul  5 10:58:52 router-progr ipsec_setup: Using KLIPS/legacy stack
Jul  5 10:58:52 router-progr kernel: padlock: VIA PadLock not detected.
Jul  5 10:58:52 router-progr kernel: padlock: VIA PadLock Hash Engine not detected.
Jul  5 10:58:52 router-progr kernel: Intel AES-NI instructions are not detected.
Jul  5 10:58:52 router-progr kernel: padlock: VIA PadLock not detected.
Jul  5 10:58:52 router-progr ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
Jul  5 10:58:52 router-progr kernel: NET: Registered protocol family 15
Jul  5 10:58:52 router-progr ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
Jul  5 10:58:52 router-progr ipsec_setup: Using NETKEY(XFRM) stack
Jul  5 10:58:52 router-progr kernel: padlock: VIA PadLock not detected.
Jul  5 10:58:52 router-progr kernel: padlock: VIA PadLock Hash Engine not detected.
Jul  5 10:58:52 router-progr kernel: Intel AES-NI instructions are not detected.
Jul  5 10:58:52 router-progr kernel: padlock: VIA PadLock not detected.
Jul  5 10:58:52 router-progr ipsec_setup: could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )
Jul  5 10:58:52 router-progr ipsec_starter[27810]: could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )
Jul  5 10:58:52 router-progr ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul  5 10:58:53 router-progr ipsec_setup: ...Openswan IPsec started
Jul  5 10:58:53 router-progr ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jul  5 10:58:53 router-progr pluto: adjusting ipsec.d to /etc/ipsec.d
Jul  5 10:58:53 router-progr ipsec__plutorun: could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )
Jul  5 10:58:53 router-progr ipsec_starter[27821]: could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )
Jul  5 10:58:53 router-progr ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul  5 10:58:53 router-progr ipsec__plutorun: could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )
Jul  5 10:58:53 router-progr ipsec_starter[27822]: could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )
Jul  5 10:58:53 router-progr ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul  5 10:58:53 router-progr ipsec__plutorun: could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )
Jul  5 10:58:53 router-progr ipsec_starter[27826]: could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )
Jul  5 10:58:53 router-progr ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul  5 10:58:53 router-progr ipsec__plutorun: 023 address family inconsistency in this connection=2 host=2/nexthop=0
Jul  5 10:58:53 router-progr ipsec__plutorun: 037 attempt to load incomplete connection
Jul  5 10:58:53 router-progr ipsec__plutorun: 003 no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul  5 10:58:53 router-progr ipsec__plutorun: 021 no connection named "linksys-1"
Jul  5 10:58:53 router-progr ipsec__plutorun: 000 initiating all conns with alias='linksys-1'
Jul  5 10:58:53 router-progr ipsec__plutorun: 021 no connection named "linksys-1"


To do it with OpenS/WAN, you want something like this in /etc/ipsec.conf:

conn linksys-1
        # Left endpoint, subnet behind it, next hop toward right
        keyingtries=0
        left=a.b.c.4
        leftsubnet=a.b.c.4/32
        leftnexthop=%defaultroute
        # Right endpoint, subnet behind it, next hop toward left
        right=d.168.1.67
        rightsubnet=e.199.1.0/24
        type=tunnel
        authby=secret
        #auth=esp
        keylife=59m
        ikelifetime=59m
        #esp=3des-md5-96
        pfs=no
        #compress=no
        #keyexchange=ike
        auto=start

and something like this in /etc/ipsec.secrets:

a.b.c.4 d.168.1.67: PSK "secret-goes-here"

This is assuming that the exterior ip address of the linksys is d.168.1.67, that the network behind it is e.199.1.0/24, that the public ip address of the C6 system is a.b.c.4, and that it only wants itself routed down the tunnel.

Don't forget not to make the elementary mistake of testing the tunnel by pinging the linksys from the C6 system. The linksys itself is not included in the tunnel; only traffic to hosts inside the e.199.1.0/24 network will be properly encrypted and tunneled.

This isn't supposed to be a complete guide, but hopefully it gives you a point from which to start that's a little further on than a blank canvas.

Edit: why did you show the linksys config if you want to connect the C6 box to the checkpoint one? Do you want to replace the linksys with the C6 box? If so, then what I wrote still applies, just substitute the IP addresses accordingly; essentially, left is your IP address, leftsubnet is the network at your end (probably just the same thing again, with a /32 appended), right is the far end's address, and rightsubnet is the far end's routed (often private) netblock. The two addresses, left and right, must appear in the ipsec.secrets file.

If you're not replacing the linksys but configuring the C6 box in addition, you will also need to reconfigure the checkpoint box, and that's beyond the scope of this answer.

  • a.b.c.4 is the IP address of the Checkpoint VPN gateway that the Linksys is connected to... this guide is something like I want to connect from CentOS 6 to the Linksys (correct me if I'm wrong). I want to configure the connection from C6 (CentOS 6) to the Checkpoint. Now it's Linksys <---> Checkpoint and I want C6 <---> Checkpoint. I'm grateful for your answer; it gives many more clues than 2 days of googling ;)
    – B14D3
    Commented Jul 4, 2013 at 10:29
  • Because I wanted to show an example configuration that I want to recreate on CentOS and Openswan. :) And yes, I want to replace the Linksys with the CentOS 6 server.
    – B14D3
    Commented Jul 4, 2013 at 11:54
  • Great stuff, there you go, then. Good luck!
    – MadHatter
    Commented Jul 4, 2013 at 12:13
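The answer's rule (left/right are the two endpoint addresses, leftsubnet/rightsubnet the networks behind them, and both addresses must appear on the PSK line in ipsec.secrets) can be checked before running `ipsec auto --up`. The following is an added example, not code from the thread or from Openswan: a small checker that parses a constructed ipsec.conf and ipsec.secrets modelled on the answer and flags the mistakes visible in the question's log (no connection of that name, no PSK line covering both endpoints, protostack not set to netkey).

```python
import re
# Constructed sample modelled on the answer: left = the CentOS box, right = the far end.
IPSEC_CONF = """\
config setup
        protostack=netkey
conn linksys-1
        left=a.b.c.4
        leftsubnet=a.b.c.4/32
        right=d.168.1.67
        rightsubnet=e.199.1.0/24
        authby=secret
"""
# Constructed secrets line; index order is irrelevant, but both endpoint IDs must appear.
IPSEC_SECRETS = 'd.168.1.67 a.b.c.4: PSK "secret-goes-here"\n'

def parse_conf(text):
    """Map 'config setup' to 'setup' and each 'conn NAME' to NAME -> {key: value}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # an unindented line opens a section
            current = line.split(None, 1)[-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def parse_psk_indices(text):
    """One frozenset of index IDs per PSK line; an empty set means 'any peer'."""
    return [frozenset(m.group(1).split())
            for m in re.finditer(r'^([^:#]*):\s*PSK\s+"', text, re.M)]

def check_conn(name, sections, psk_indices):
    """List the misconfigurations to fix before 'ipsec auto --up NAME'."""
    conn = sections.get(name)
    if conn is None:
        return [f'no connection named "{name}"']
    problems = []
    if sections.get("setup", {}).get("protostack") != "netkey":
        problems.append("config setup: protostack=netkey not set (CentOS 6 has no KLIPS)")
    ends = {conn.get("left"), conn.get("right")} - {None}
    if len(ends) < 2:
        problems.append(f"{name}: both left= and right= are required")
    elif conn.get("authby") == "secret" and not any(
            not idx or ends <= idx for idx in psk_indices):
        problems.append(f"{name}: no PSK line lists both {' and '.join(sorted(ends))}")
    return problems
```

The checker only handles IPv4 indices (IPv6 IDs contain colons and would need a different secrets-line regex).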
