48.7.7. IPsec Network-to-Network Configuration
Figure 48.11. A network-to-network IPsec tunneled connection
Before configuring the connection, gather the following information for both IPsec routers:
- The externally-accessible IP addresses of the dedicated IPsec routers
- The network address ranges of the LAN/WAN served by the IPsec routers (such as 192.168.1.0/24 or 10.0.1.0/24)
- The IP addresses of the gateway devices that route the data from the network nodes to the Internet
- A unique name, for example, ipsec1. This is used to identify the IPsec connection and to distinguish it from other devices or connections.
- A fixed encryption key or one automatically generated by racoon
- A pre-shared authentication key that is used during the initial stage of the connection and to exchange encryption keys during the session.
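The two items in the list that most often go wrong in practice are the network ranges (the LANs behind the two routers must not overlap, or the kernel cannot decide which side a packet belongs to) and the pre-shared key (it should be random and stored so that only root can read it). The following POSIX shell script is an added example, not part of the Red Hat guide or of system-config-network: it checks a planned pair of routers for those two problems and generates a pre-shared key. The function names and the addresses 203.0.113.1, 198.51.100.1, 192.168.1.0/24 and 192.168.2.0/24 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): pre-flight checks for the
# planning list above. All addresses are constructed sample values.

# ip_to_int 192.168.1.0 -> 3232235776 (dotted quad as a 32-bit integer)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps A/LEN B/LEN: succeeds (status 0) when the two ranges share
# any address. The shorter prefix (larger block) decides the comparison mask.
cidr_overlaps() {
    net1=${1%/*}; len1=${1#*/}
    net2=${2%/*}; len2=${2#*/}
    if [ "$len1" -lt "$len2" ]; then len=$len1; else len=$len2; fi
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    a=$(( $(ip_to_int "$net1") & mask ))
    b=$(( $(ip_to_int "$net2") & mask ))
    [ "$a" -eq "$b" ]
}

# plan_check PUBLIC1 LAN1 PUBLIC2 LAN2: the routers need distinct public
# addresses and the private networks behind them must not overlap.
plan_check() {
    if [ "$1" = "$3" ]; then
        echo "both routers use the public address $1" >&2
        return 1
    fi
    if cidr_overlaps "$2" "$4"; then
        echo "LAN ranges $2 and $4 overlap; traffic cannot be routed through the tunnel" >&2
        return 1
    fi
    return 0
}

# gen_psk: 32 random bytes from the kernel, printed as 64 hex characters.
gen_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# write_psk FILE PEER KEY: store "PEER KEY" readable by the owner only.
# The path is a parameter so the function can be tried on a scratch file
# before writing the real racoon key file.
write_psk() {
    ( umask 077; printf '%s %s\n' "$2" "$3" > "$1" )
}

# Constructed example plan: ipsec0 serves 192.168.2.0/24, ipsec1 serves 192.168.1.0/24.
plan_check 203.0.113.1 192.168.2.0/24 198.51.100.1 192.168.1.0/24 && echo "plan ok"
```

`plan_check` is deliberately strict about overlap rather than equality: 192.168.1.0/24 on one side and 192.168.1.128/25 on the other is rejected, because the /25 lies inside the /24.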
48.7.7.1. Network-to-Network (VPN) Connection
Figure 48.12. Network-to-Network IPsec
- In a command shell, type system-config-network to start the Network Administration Tool.
- On the IPsec tab, click New to start the IPsec configuration wizard.
- Click Forward to start configuring a network-to-network IPsec connection.
- Enter a unique nickname for the connection, for example, ipsec0. If required, select the check box to automatically activate the connection when the computer starts. Click Forward to continue.
- Select Network to Network encryption (VPN) as the connection type, and then click Forward.
- Select the type of encryption to use: manual or automatic. If you select manual encryption, an encryption key must be provided later in the process. If you select automatic encryption, the racoon daemon manages the encryption key. The ipsec-tools package must be installed if you want to use automatic encryption. Click Forward to continue.
- On the Local Network page, enter the following information:
- Local Network Address — The IP address of the device on the IPsec router connected to the private network.
- Local Subnet Mask — The subnet mask of the local network IP address.
- Local Network Gateway — The gateway for the private subnet.
Figure 48.13. Local Network Information
- On the Remote Network page, enter the following information:
- Remote IP Address — The publicly addressable IP address of the IPsec router for the other private network. In our example, for ipsec0, enter the publicly addressable IP address of ipsec1, and vice versa.
- Remote Network Address — The network address of the private subnet behind the other IPsec router. In our example, enter 192.168.1.0 if configuring ipsec1, and enter 192.168.2.0 if configuring ipsec0.
- Remote Subnet Mask — The subnet mask of the remote IP address.
- Remote Network Gateway — The IP address of the gateway for the remote network address.
- If manual encryption was selected in step 6, specify the encryption key to use or click Generate to create one. Specify an authentication key or click Generate to generate one. This key can be any combination of numbers and letters.
Figure 48.14. Remote Network Information
- Verify the information on the IPsec — Summary page, and then click Apply.
- Select File > Save to save the configuration.
- Select the IPsec connection from the list, and then click Activate to activate the connection.
- Enable IP forwarding:
- Edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.
- Use the following command to enable the change:
sysctl -p /etc/sysctl.conf
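Editing /etc/sysctl.conf by hand is easy to get wrong on a router that already carries a commented-out or conflicting net.ipv4.ip_forward line, and sysctl -p only loads whichever value ends up last in the file. The POSIX shell functions below are an added example, not part of the Red Hat guide: they make the edit idempotent (one active line for the key, whatever was there before), read back what the file will load, and verify the running kernel after sysctl -p. The function names are constructed; the configuration path is a parameter so the editing functions can be exercised on a scratch copy before the real file is touched.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): idempotent, verifiable
# handling of the IP forwarding setting from the last step.

# set_sysctl_conf FILE KEY VALUE: rewrite an existing "KEY = ..." line,
# active or commented out, or append one; every other line is left untouched.
set_sysctl_conf() {
    file=$1 key=$2 value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal in the key
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$esc[[:space:]]*=" "$file" 2>/dev/null; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$esc[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
    else
        { [ -f "$file" ] && cat "$file"; printf '%s = %s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_sysctl_conf FILE KEY: print the value sysctl -p would load for KEY,
# i.e. the last active (uncommented) assignment in the file.
get_sysctl_conf() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -nE "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*([^[:space:]]*).*/\1/p" "$1" | tail -n 1
}

# apply_and_verify FILE: load FILE as in the guide's last step and confirm
# the running kernel now forwards. Needs root; on the routers FILE is /etc/sysctl.conf.
apply_and_verify() {
    sysctl -p "$1" >/dev/null || return 1
    [ "$(sysctl -n net.ipv4.ip_forward)" = "1" ]
}

# Typical use on an IPsec router (as root):
#   set_sysctl_conf /etc/sysctl.conf net.ipv4.ip_forward 1
#   apply_and_verify /etc/sysctl.conf && echo "forwarding enabled"
```

The edit replaces a commented-out line such as `#net.ipv4.ip_forward = 0` in place rather than appending, so the file keeps a single authoritative line for the key; running `set_sysctl_conf` twice leaves the file unchanged.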