From: Shi on 6 May 2010 22:46

Hi there,

I followed the RHEL documentation at http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html and was able to deploy a network-to-network IPSec VPN between two private networks, as long as I set the IPSec routers to be the same as the LAN gateways.

But according to the documentation, it is possible to have the IPSec routers different from the LAN gateways. The image shown on the above cited page shows it. It is depicted even more clearly in an older documentation at http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-ipsec-net2net.html, especially in this image: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/figs/rhl-common/networkconfig/n-t-n-ipsec-diagram.png

However, if I choose to have the gateway different from the routers, then in the /etc/sysconfig/network-scripts/ifcfg-ipsec1 file I need to specify the gateway IP address for SRCGW, which is different from the IP address of the IPSec router itself. Then I am not able to run the "ifup ipsec1" command and get the error "RTNETLINK answers: Invalid argument".

I googled around and people seemed to suggest that the SRCGW needs to be the local intranet IP of the IPSec router itself. But is this true if this router is different from the LAN gateway? Most likely, before the VPN is set up, there is already a LAN gateway for each private network which is functioning as a NAT and firewall. When the VPN is introduced, we may want to leave the gateway alone and not change the gateway setup for any of the LAN hosts at all. As long as the LAN gateway is able to forward VPN requests to the IPSec router, this should also work, right?

But how do I get around the "RTNETLINK answers: Invalid argument" problem?

Thank you very much.

Shi