48.7.6. IPsec Host-to-Host Configuration
18.104.22.168. Host-to-Host Connection
- In a command shell, type
system-config-networkto start the Network Administration Tool.
- On the IPsec tab, click to start the IPsec configuration wizard.
- Clickto start configuring a host-to-host IPsec connection.
- Enter a unique name for the connection, for example,
ipsec0. If required, select the check box to automatically activate the connection when the computer starts. Click to continue.
- Select Host to Host encryption as the connection type, and then click .
- Select the type of encryption to use: manual or automatic.If you select manual encryption, an encryption key must be provided later in the process. If you select automatic encryption, the
racoondaemon manages the encryption key. The
ipsec-toolspackage must be installed if you want to use automatic encryption.Clickto continue.
- Enter the IP address of the remote host.To determine the IP address of the remote host, use the following command on the remote host:
ifconfig <device>where <device> is the Ethernet device that you want to use for the VPN connection.If only one Ethernet card exists in the system, the device name is typically eth0. The following example shows the relevant information from this command (note that this is an example output only):
eth0 Link encap:Ethernet HWaddr 00:0C:6E:E8:98:1D inet addr:172.16.44.192 Bcast:172.16.45.255 Mask:255.255.254.0The IP address is the number following the
NoteFor host-to-host connections, both hosts should have a public, routable address. Alternatively, both hosts can have a private, non-routable address (for example, from the 10.x.x.x or 192.168.x.x ranges) as long as they are on the sam LAN.If the hosts are on different LANs, or one has a public address while the other has a private address, refer to Section 48.7.7, “IPsec Network-to-Network Configuration”.Clickto continue.
- If manual encryption was selected in step 6, specify the encryption key to use, or click to create one.
- Specify an authentication key or clickto generate one. It can be any combination of numbers and letters.
- Clickto continue.
- Verify the information on the IPsec — Summary page, and then click .
- Click> to save the configuration.You may need to restart the network for the changes to take effect. To restart the network, use the following command:
service network restart
- Select the IPsec connection from the list and click thebutton.
- Repeat the entire procedure for the other host. It is essential that the same keys from step 8 be used on the other hosts. Otherwise, IPsec will not work.
Figure 48.10. IPsec Connection
/etc/racoon/racoon.confis also created.
/etc/racoon/racoon.confis modified to include