IPSEC with Bridged network [message #32854]
Wed, 03 September 2008 07:49
jmslkn
Messages: 19 Registered: June 2007
Junior Member
Hi All,
I am working on an IPSEC tunnel between an OpenVZ HN and a company network. The IPSEC tunnel (openswan) is up and running, but I have problems with the packet routing and travelling. Please do not tell me to use OpenVPN (we already have); we also need an IPSEC tunnel to connect to a company network (cisco router).
The network is bridged, the virtual servers have private IP addresses (10.10.10.0/24) and the machines are accessible with a local OpenVPN connection (which works well).
http://www.jvds.com/guide/bridging.php
The virtual server network is 10.10.10.0/24, and the remote connection (cisco) network is 10.70.70.0/24.
What is the correct way to set up the routes between the two sites?
I have found conflicting configuration options between the OpenVZ documentation and the OpenSwan implementation:
1) OpenVZ configuration states that we do not want all our interfaces to send redirects:
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
2) OpenSwan documentation (selfcheck) states that:
$ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.14/K2.6.18-92.1.1.el5.028stab057.2 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Any idea? Thanks for your help.
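As an added example (not from the original post), a POSIX shell script that shows why the two settings quoted above conflict: it computes the effective per-interface redirect flags with the kernel's own combination rule, audits them the way ipsec verify does, and can zero them. SYSCTL_ROOT is an assumed override so the script can also be run against a constructed copy of the /proc tree.

```shell
#!/bin/sh
# Added example: effective ICMP-redirect settings per interface, combined the
# way the kernel does it, which is why "all.send_redirects = 0" alone does
# not satisfy "ipsec verify" while "default.send_redirects = 1" is inherited.
# Kernel rules (Documentation/networking/ip-sysctl.txt):
#   send_redirects   ON if conf/all OR conf/<if> is 1
#   accept_redirects ON if conf/all AND conf/<if> are 1 when <if> forwards,
#                    ON if conf/all OR  conf/<if> is 1 when it does not
# SYSCTL_ROOT is an assumed override for offline use; default is the real tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/conf}"

read_flag() {   # read_flag <iface> <key>; a missing file counts as 0
  if [ -r "$SYSCTL_ROOT/$1/$2" ]; then cat "$SYSCTL_ROOT/$1/$2"; else echo 0; fi
}

effective_send_redirects() {   # prints 1 if the kernel would send redirects on $1
  if [ "$(read_flag all send_redirects)" = 1 ] || \
     [ "$(read_flag "$1" send_redirects)" = 1 ]; then echo 1; else echo 0; fi
}

effective_accept_redirects() { # prints 1 if the kernel would accept them on $1
  all=$(read_flag all accept_redirects); mine=$(read_flag "$1" accept_redirects)
  if [ "$(read_flag "$1" forwarding)" = 1 ]; then
    if [ "$all" = 1 ] && [ "$mine" = 1 ]; then echo 1; else echo 0; fi
  else
    if [ "$all" = 1 ] || [ "$mine" = 1 ]; then echo 1; else echo 0; fi
  fi
}

# One line per real interface; returns 1 if any redirect flag is still
# effective, the same condition ipsec verify reports as FAILED.
audit_redirects() {
  rc=0
  for d in "$SYSCTL_ROOT"/*/; do
    i=$(basename "$d")
    case "$i" in all|default) continue ;; esac
    s=$(effective_send_redirects "$i"); a=$(effective_accept_redirects "$i")
    printf '%-8s send_redirects=%s accept_redirects=%s\n' "$i" "$s" "$a"
    [ "$s" = 0 ] && [ "$a" = 0 ] || rc=1
  done
  return $rc
}

# Clear both flags on all, default and every interface (what the openswan
# check asks for); needs root when run against the real tree.
disable_redirects() {
  for f in "$SYSCTL_ROOT"/*/send_redirects "$SYSCTL_ROOT"/*/accept_redirects; do
    [ -w "$f" ] && echo 0 > "$f"
  done
  return 0
}

[ "${1:-}" = audit ] && audit_redirects   # usage: sh redirects.sh audit
```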