8.2.2. IPsec Interfaces
With Red Hat Enterprise Linux it is possible to connect to other hosts or networks using a secure IP connection, known as IPsec. For instructions on setting up IPsec using the Network Administration Tool (system-config-network), refer to the chapter titled Network Configuration in the System Administrators Guide. For instructions on setting up IPsec manually, refer to the chapter titled Virtual Private Networks in the Security Guide.
The following example shows the ifcfg file for a network-to-network IPsec connection for LAN A. The unique name to identify the connection in this example is ipsec1, so the resulting file is named ifcfg-ipsec1.

TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.X
In the example above, X.X.X.X is the publicly routable IP address of the destination IPsec router.
Below is a listing of the configurable parameters for an IPsec interface:
DST=<address>, where <address> is the IP address of the IPsec destination host or router. This is used for both host-to-host and network-to-network IPsec configurations.
DSTNET=<network>, where <network> is the network address of the IPsec destination network. This is only used for network-to-network IPsec configurations.
SRC=<address>, where <address> is the IP address of the IPsec source host or router. This setting is optional and is only used for host-to-host IPsec configurations.
SRCNET=<network>, where <network> is the network address of the IPsec source network. This is only used for network-to-network IPsec configurations.
TYPE=<interface-type>, where <interface-type> is IPSEC. Both applications are part of the ipsec-tools package.

Refer to /usr/share/doc/initscripts-<version-number>/sysconfig.txt (replace <version-number> with the version of the initscripts package installed) for configuration parameters if using manual key encryption with IPsec.
The racoon IKEv1 key management daemon negotiates and configures a set of parameters for IPsec. It can use preshared keys, RSA signatures, or GSS-API. If racoon is used to automatically manage key encryption, the following options are required:
IKE_METHOD=<encryption-method>, where <encryption-method> is either PSK or X509. If PSK is specified, the IKE_PSK parameter must also be set. If X509 is specified, the IKE_CERTFILE parameter must also be set.
IKE_PSK=<shared-key>, where <shared-key> is the shared, secret value for the PSK (preshared keys) method.
IKE_CERTFILE=<cert-file>, where <cert-file> is a valid X.509 certificate file for the host.
IKE_PEER_CERTFILE=<cert-file>, where <cert-file> is a valid X.509 certificate file for the remote host.
IKE_DNSSEC=<answer>, where <answer> is yes. The racoon daemon retrieves the remote host's X.509 certificate via DNS. If IKE_PEER_CERTFILE is specified, do not include this parameter.
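As an added example (not code from the Red Hat guide or from the initscripts package), the following Python script parses an ifcfg-ipsec file and checks the dependencies listed above: IKE_METHOD=PSK needs IKE_PSK, IKE_METHOD=X509 needs IKE_CERTFILE, IKE_DNSSEC and IKE_PEER_CERTFILE are mutually exclusive, and SRCNET and DSTNET are set together for a network-to-network connection. The sample file content and the permission rule (IKE_PSK is stored in cleartext, so the file should be readable by its owner only) are this example's own assumptions.

```python
# Added example (not from the Red Hat guide or initscripts): check an
# ifcfg-ipsec file against the parameter rules described above.
import shlex

# Constructed sample: network-to-network connection with a preshared key.
SAMPLE_IFCFG = """\
TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
IKE_PSK="example-preshared-secret"
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=203.0.113.1
"""

def parse_ifcfg(text):
    """Parse KEY=VALUE lines with shell quoting; skip blank lines and comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = " ".join(shlex.split(value))
    return params

def check_ipsec_params(params, mode=None):
    """Return rule violations (empty list = consistent); mode = file permission bits."""
    problems = []
    if params.get("TYPE", "").upper() != "IPSEC":
        problems.append("TYPE must be IPSEC for an IPsec interface")
    if "DST" not in params:
        problems.append("DST is required for every IPsec interface")
    # Network-to-network sets SRCNET and DSTNET; host-to-host sets neither.
    if ("SRCNET" in params) != ("DSTNET" in params):
        problems.append("SRCNET and DSTNET must be set together")
    method = params.get("IKE_METHOD")
    if method == "PSK" and "IKE_PSK" not in params:
        problems.append("IKE_METHOD=PSK requires IKE_PSK")
    elif method == "X509" and "IKE_CERTFILE" not in params:
        problems.append("IKE_METHOD=X509 requires IKE_CERTFILE")
    if "IKE_DNSSEC" in params and "IKE_PEER_CERTFILE" in params:
        problems.append("IKE_DNSSEC must not be combined with IKE_PEER_CERTFILE")
    # IKE_PSK is cleartext, so the file must not be group- or world-accessible.
    if "IKE_PSK" in params and mode is not None and mode & 0o077:
        problems.append("file holds a cleartext IKE_PSK but is not mode 0600")
    return problems
```

Pass the result of os.stat(path).st_mode & 0o777 as mode to include the permission check on a real file.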
For more information about the encryption algorithms available for IPsec, refer to the setkey man page. For more information about racoon, refer to the racoon(8) and racoon.conf(5) man pages.