IPSec Multiple VPN Setups
Hi, I hope someone can answer something I'm sure is quite basic.
I am following the instructions at https://www.CentOS.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html on setting up a VPN.
The part I am having trouble with is where it shows the /etc/racoon/racoon.conf file, but it doesn't say what you have to do with this file.
When I bring up my connection
ifup bicester
I get RTNETLINK answers: No such device
Looking at /var/messages I see:
ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
Mar 21 17:01:05 racoon: ERROR: failed to bind to address *.*.*.*[500] (Address already in use).
Mar 21 17:01:05 racoon: ERROR: failed to bind to address *.*.*.*[500] (Address already in use).
Mar 21 17:01:05 racoon: ERROR: failed to bind to address *.*.*.*[500] (Address already in use).
Mar 21 17:01:05 racoon: ERROR: failed to bind to address ::1[500] (Address already in use).
Mar 21 17:01:05 racoon: INFO: fe80::bcef:4fff:fe66:82ec%eth0[500] used as isakmp port (fd%)
There was an existing setup done long ago.
How can I set up more than one VPN connection (manually, as this is a headless server), or is that not possible?
Thanks for any pointers
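The log lines in the post above are the typical signature of a second IKE daemon trying to claim UDP/500 while another process (here, most likely the racoon left over from the earlier setup) already owns it. The following log triage is an added example, not part of the original post or of racoon: it parses racoon's bind messages over a constructed sample and reports whether the failures collapse to a single-port conflict.

```python
import re

# Constructed sample modelled on the messages quoted in the post (the '*' octets
# are the poster's redaction; the fd value is made up for the sample).
SAMPLE_LOG = """\
Mar 21 17:01:05 racoon: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
Mar 21 17:01:05 racoon: ERROR: failed to bind to address *.*.*.*[500] (Address already in use).
Mar 21 17:01:05 racoon: ERROR: failed to bind to address ::1[500] (Address already in use).
Mar 21 17:01:05 racoon: INFO: fe80::bcef:4fff:fe66:82ec%eth0[500] used as isakmp port (fd=7)
"""

# racoon prints the socket as ADDRESS[PORT]; the reason is the strerror text.
BIND_FAIL = re.compile(
    r"racoon: ERROR: failed to bind to address (?P<addr>\S+)\[(?P<port>\d+)\] \((?P<why>[^)]*)\)")
BIND_OK = re.compile(r"racoon: INFO: (?P<addr>\S+)\[(?P<port>\d+)\] used as isakmp port")


def parse_racoon_log(text):
    """Return (failed, bound): failed = [(addr, port, reason)], bound = [(addr, port)]."""
    failed, bound = [], []
    for line in text.splitlines():
        m = BIND_FAIL.search(line)
        if m:
            failed.append((m["addr"], int(m["port"]), m["why"]))
            continue
        m = BIND_OK.search(line)
        if m:
            bound.append((m["addr"], int(m["port"])))
    return failed, bound


def diagnose(text):
    """Classify the bind failures; 'port-conflict' means another listener owns that port."""
    failed, bound = parse_racoon_log(text)
    result = {"bound_addrs": [a for a, _ in bound]}
    in_use = [f for f in failed if f[2] == "Address already in use"]
    ports = {p for _, p, _ in in_use}
    if not failed:
        result["status"] = "ok"
    elif in_use and len(ports) == 1:
        # Every EADDRINUSE failure is on one port: a second daemon is competing for
        # it, so check `pidof racoon` / `netstat -unlp` before starting another.
        result.update(status="port-conflict", port=ports.pop(),
                      conflicting_addrs=[a for a, _, _ in in_use])
    else:
        result["status"] = "bind-errors"
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
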
22 thoughts on - IPSec Multiple VPN Setups
Yes you can. Please use a newer version of CentOS and strongSwan/Openswan.
Eero wrote:
21.3.2016 7.05 pm "Glenn Pierce"
I second Eero’s comment, use a new IPSec daemon.
Openswan was forked and became Libreswan. Paul, now a RH employee, was a main developer for the Openswan project before he and others created the Libreswan fork. https://libreswan.org/
EL6 has Openswan, EL7 has Libreswan.
Racoon isn't all that fun to work with. If you have the option, ditch it and EL5 and move to a newer platform (preferably EL7 with Libreswan).
And CentOS 5 is really soon end of life.
Eero wrote:
21.3.2016 7.18 pm "Mike – st257"
There’s an RPM spec file (though I’ve not used it) for building Openswan for EL5. https://github.com/xelerance/Openswan/tree/master/packaging/CentOS5
Additionally, here’s some info but I advise against the Racoon IPSec daemon. https://www.CentOS.org/docs/5/html/5.2/Deployment_Guide/sec-racoon-conf.html https://wiki.debian.org/IPsec
CentOS 5 is still soon end of life. Using it as ipsec gateway is ..
Eero wrote:
21.3.2016 7.25 pm "Mike – st257"
Will ask my boss :) We are hosted on Memset so it is not so easy to update.
Thanks
Err. Sounds like a security nightmare.
21.3.2016 7.47 pm "Glenn Pierce" wrote:
Glenn Pierce wrote:
Um, wait a minute: you’re hosted? And they haven’t pushed you to 6 years ago? They haven’t sent warnings that 5 was hitting eol?
Who are they, please? I want to make sure that if someone asks me about hosting, I can add that to places they should avoid.
mark
Memset.com? In the real world, RHEL 5/CentOS 5 gets only critical security patches.
Eero wrote:
21.3.2016 7.54 pm
To be fair, it's not highly sensitive info we are dealing with.
—–Original Message—–
From: “Eero Volotinen”
Sent: 21/03/2016 17:51
To: “CentOS mailing list”
Subject: Re: [CentOS] IPSec multiple VPN setups
CentOS mailing list CentOS@CentOS.org https://lists.CentOS.org/mailman/listinfo/CentOS
Glenn Pierce wrote:
check light has been on for months, and just put gas in, and not worry about adding more oil, or going to a mechanic?
mark
I asked about upgrading once and got no reply. Does anyone have experience of having a hosted CentOS upgraded on a virtual server? Would you usually have to pay for a transition instance?
—–Original Message—–
From: “Eero Volotinen”
Sent: 21/03/2016 18:11
To: “CentOS mailing list”
Subject: Re: [CentOS] IPSec multiple VPN setups
Glenn Pierce wrote:
upgrades, and they announced it to *me*, and no, I didn’t pay anything. And I’m just a “consumer grade” – something like $6US/month.
I would expect *far* more for commercial hosting.
mark
Err, upgrades?
You mean reinstall? Upgrading between major releases is not supported in any way on CentOS/RHEL and clones.
—
Eero
2016-03-21 20:33 GMT+02:00:
Yes, reinstall. I get that you have to purchase a new instance for a time to move over.
—–Original Message—–
From: “Eero Volotinen”
Sent: 21/03/2016 18:38
To: “CentOS mailing list”
Subject: Re: [CentOS] IPSec multiple VPN setups
Eero Volotinen wrote:
telling me they were moving me to an upgraded system; my website runs perl CGI, and that’s about it, the rest is *all* straight HTML, so I doubt I
would have noticed much.
mark
Glenn Pierce wrote:
I’d figure that they just move you to an instance that’s already running a newer version of the o/s, giving you time to test for breakage. I really don’t see them charging, except, possibly, for running in parallel during testing.
mark
I'm sure my boss will agree. Looks like I have a multi-terabyte Postgres move to look forward to. Thanks everyone.
—–Original Message—–
From: “m.roth@5-cent.us”
Sent: 21/03/2016 20:03
To: “CentOS mailing list”
Subject: Re: [CentOS] IPSec multiple VPN setups
I have several CentOS VPSs in several countries around the world. Naturally I don't have FTP, preferring to use SSH, SCP and non-standard ports, restricted to specific incoming individual IPs.
All run C 6.7 except one on C 5.11, which I am about to upgrade (it's difficult because so much is on that machine and I don't want any downtime).
Dump your out-of-date C5. C6 is not very different. Everything I run on C5 also runs smoothly on C6.
Well, RHEL actually supports upgrading from 6 to 7 in some use cases. If you have access, https://access.redhat.com/solutions/21964. Not sure how that fits for CentOS though..
On 21-03-2016 15:38, Eero Volotinen wrote:
On 21.03.2016 at 18:17, Mike – st257 wrote:
Libreswan will be in the next EL6 release …
Anyway, they both use compatible config files?
Eero wrote:
22.3.2016 12.23 am "Leon Fauster"