I have a Cisco Linksys router configured as a VPN gateway (network to network):
Now I want to configure an IPsec VPN similarly on CentOS 6 with Openswan. I was looking on the internet but have had no luck (there are some tutorials, but they are not similar to my situation or are outdated, for ipsec-tools and CentOS 4). Reading the man pages for Openswan gives me only a headache. On the remote site there is some Checkpoint device (all I know about its configuration is this screenshot from the Linksys panel with the already configured VPN tunnel).
I'm not a Google hacker, but I know how to use it, and maybe there is some tutorial that will help me, but I didn't find it myself.
I have already installed Openswan, but if there is any better software and solution (on CentOS) I don't mind using it.
EDIT1: After reading MadHatter's answer I started combining different configs... and I got lost... I think I gave too little information.
So first the screenshot from the Linksys manager, VPN gateway to gateway site:
In section Local Group Setup: the IP in the grey boxes (IP address d.168.1.67) is the IP that I think the Linksys is getting from the Checkpoint on the far side; it's not possible to change that parameter. Next is the IP address (e.199.1.0/24) in the white boxes; that is my local network.
In section Remote Group Setup: IP address a.b.c.4 is the public IP of the Checkpoint on the far side.
In the third section there are the parameters of the IPsec tunnel connection.
This is the second screen, which I'm not sure is significant, but I'm pasting it anyway:
WAN1 IP is the one the Checkpoint gives me. LAN is simply the address of the Linksys in the local network.
With those screens and Mad's answer I wrote this IPsec config in /etc/ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
#
#version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    #
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    # protostack=netkey
    # nat_traversal=yes
    # virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0

#version 2.0

conn linksys-1
    # Left endpoint, subnet behind it, next hop toward right
    keyingtries=0
    left=a.b.c.4
    #leftsubnet=a.b.c.4/32 (should I put here d.168.1.67/32 ???)
    leftnexthop=%defaultroute
    # Right endpoint, subnet behind it, next hop toward left
    right=d.168.1.67
    rightsubnet=e.199.1.0/24
    type=tunnel
    authby=secret
    #auth=esp
    keylife=59m
    ikelifetime=59m
    #esp=3des-md5-96
    pfs=no
    #compress=no
    #keyexchange=ike
    auto=start

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
And the secret file /etc/ipsec.secret:
d.168.1.67 a.b.c.4: PSK "secretPSK"
I completely don't understand this configuration despite MadHatter's efforts.
EDIT2: Logs from /var/log/messages after starting ipsec:
Jul 5 10:58:52 router-progr ipsec_starter[27724]: could not open include filename: '/etc/ipsec.d/*.conf' (tried and )
Jul 5 10:58:52 router-progr ipsec_starter[27725]: could not open include filename: '/etc/ipsec.d/*.conf' (tried and )
Jul 5 10:58:52 router-progr ipsec_setup: Starting Openswan IPsec 2.6.32...
Jul 5 10:58:52 router-progr ipsec_setup: Using KLIPS/legacy stack
Jul 5 10:58:52 router-progr kernel: padlock: VIA PadLock not detected.
Jul 5 10:58:52 router-progr kernel: padlock: VIA PadLock Hash Engine not detected.
Jul 5 10:58:52 router-progr kernel: Intel AES-NI instructions are not detected.
Jul 5 10:58:52 router-progr kernel: padlock: VIA PadLock not detected.
Jul 5 10:58:52 router-progr ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
Jul 5 10:58:52 router-progr kernel: NET: Registered protocol family 15
Jul 5 10:58:52 router-progr ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
Jul 5 10:58:52 router-progr ipsec_setup: Using NETKEY(XFRM) stack
Jul 5 10:58:52 router-progr kernel: padlock: VIA PadLock not detected.
Jul 5 10:58:52 router-progr kernel: padlock: VIA PadLock Hash Engine not detected.
Jul 5 10:58:52 router-progr kernel: Intel AES-NI instructions are not detected.
Jul 5 10:58:52 router-progr kernel: padlock: VIA PadLock not detected.
Jul 5 10:58:52 router-progr ipsec_setup: could not open include filename: '/etc/ipsec.d/*.conf' (tried and )
Jul 5 10:58:52 router-progr ipsec_starter[27810]: could not open include filename: '/etc/ipsec.d/*.conf' (tried and )
Jul 5 10:58:52 router-progr ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul 5 10:58:53 router-progr ipsec_setup: ...Openswan IPsec started
Jul 5 10:58:53 router-progr ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jul 5 10:58:53 router-progr pluto: adjusting ipsec.d to /etc/ipsec.d
Jul 5 10:58:53 router-progr ipsec__plutorun: could not open include filename: '/etc/ipsec.d/*.conf' (tried and )
Jul 5 10:58:53 router-progr ipsec_starter[27821]: could not open include filename: '/etc/ipsec.d/*.conf' (tried and )
Jul 5 10:58:53 router-progr ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul 5 10:58:53 router-progr ipsec__plutorun: could not open include filename: '/etc/ipsec.d/*.conf' (tried and )
Jul 5 10:58:53 router-progr ipsec_starter[27822]: could not open include filename: '/etc/ipsec.d/*.conf' (tried and )
Jul 5 10:58:53 router-progr ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul 5 10:58:53 router-progr ipsec__plutorun: could not open include filename: '/etc/ipsec.d/*.conf' (tried and )
Jul 5 10:58:53 router-progr ipsec_starter[27826]: could not open include filename: '/etc/ipsec.d/*.conf' (tried and )
Jul 5 10:58:53 router-progr ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul 5 10:58:53 router-progr ipsec__plutorun: 023 address family inconsistency in this connection=2 host=2/nexthop=0
Jul 5 10:58:53 router-progr ipsec__plutorun: 037 attempt to load incomplete connection
Jul 5 10:58:53 router-progr ipsec__plutorun: 003 no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul 5 10:58:53 router-progr ipsec__plutorun: 021 no connection named "linksys-1"
Jul 5 10:58:53 router-progr ipsec__plutorun: 000 initiating all conns with alias='linksys-1'
Jul 5 10:58:53 router-progr ipsec__plutorun: 021 no connection named "linksys-1"
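As an added pre-flight check (example code, not from the original post or from Openswan): a small Python lint that parses an ipsec.conf conn block and flags the kinds of defects visible in the config and log above before ipsec is started, namely endpoint or subnet values that are not real addresses (the letter placeholders), a tunnel conn missing one of its subnets, and an include glob that matches no files. The sample conn text, the ADDR_KEYS list and the expand parameter are constructed for this example.

```python
import glob
import ipaddress

# Constructed sample (not the poster's whole file): the conn from the question with its placeholders.
SAMPLE_CONF = """\
conn linksys-1
    left=a.b.c.4
    leftnexthop=%defaultroute
    right=d.168.1.67
    rightsubnet=e.199.1.0/24
    type=tunnel
    authby=secret
include /etc/ipsec.d/*.conf
"""
# keys whose value must be a literal address or CIDR; %-values are resolved by addconn at runtime
ADDR_KEYS = ("left", "right", "leftnexthop", "rightnexthop", "leftsubnet", "rightsubnet")

def parse_conns(text):  # -> ({conn name: {key: value}}, [include globs])
    conns, includes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line.startswith("include "):
            includes.append(line.split(None, 1)[1].strip())
        elif line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif line.startswith("config "):
            current = None  # 'config setup' holds no conn keys
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns, includes

def lint_conn(name, conn):
    """Flag what would stop addconn loading a net-to-net tunnel conn."""
    problems = []
    for key in ADDR_KEYS:
        val = conn.get(key)
        if val and not val.startswith("%"):
            try:
                ipaddress.ip_network(val, strict=False)  # host or CIDR, IPv4/IPv6
            except ValueError:
                problems.append(f"{name}: {key}={val} is not a valid address")
    if conn.get("type", "tunnel") == "tunnel" and not all(k in conn for k in ("leftsubnet", "rightsubnet")):
        problems.append(f"{name}: net-to-net tunnel needs both leftsubnet and rightsubnet")
    return problems

def lint_includes(includes, expand=glob.glob):  # globs matching nothing ('could not open include')
    return [f"include {g} matches no files" for g in includes if not expand(g)]
```

Run it over the real /etc/ipsec.conf (with glob.glob as the default expander) to get the same findings addconn only reports once pluto is already up.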