#9, 3rd October 2016
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,421

Originally Posted by Amithapr: remote OpenVPN box is beyond my control...
OpenVPN? I'll assume that's a typo, as all previous discussion has been about IPSec.

You must make contact with the person or persons who control your remote gateway. Your replacement of the local gateway would need to be coordinated with the remote facility. In addition, the remote gateway is also running an unsupported OS, and is likely running the same unsupportable Frankensystem as your local gateway.

Ideally, both gateways should have their OSes replaced, and it would be best to coordinate the activity so they are replaced at the same time. If this were my environment, I would replace both gateways at the same time, coordinating with a remote systems administrator, or arranging for a remote console.

There are risks to replacing only one gateway and leaving the other unchanged. There is no guarantee that a modern, supported release will work with a remote "something unknown but similar to 5.3" gateway, as there have been changes to IPSec over time.

To my understanding, this is a simple gateway-to-gateway network architecture, such as:

[lan a] - [gateway a] - [Internet] - [gateway b] - [lan b]

If that is actually true, I would abandon whatever complex isakmpd.policy(5) structure was deployed by your predecessor and replace it with a simple ipsec.conf(5) configuration. There is a reason that Symantec wrote Zero to IPSec in 4 minutes. It is easy, simple, and quick.

I don't know if your environment is that simple, because you have not posted any configuration information. But if the network topology is that simple, and you decide to proceed with replacing the IPSec configuration, keep in mind the article is ten years old. Use up-to-date man pages, do not copy/paste.

If the environment is sufficiently complex to be unable to use ipsec.conf(5) and ipsecctl(8), you will need to migrate all of the existing isakmpd(8) configuration files such as isakmpd.conf(5), isakmpd.policy(5), keynote(5) files, and you will need to migrate keys.

Last edited by jggimi; 3rd October 2016 at 05:54 PM. Reason: typos
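The simple gateway-to-gateway layout sketched in the post, written as the ipsec.conf(5) file for gateway a. This is an added illustration, not configuration from the thread or from jggimi; the addresses, networks and pre-shared key are made-up placeholders, and gateway b would carry the same file with the local and remote macro values swapped.

```conf
# /etc/ipsec.conf on gateway a -- added example, not the poster's configuration.
# All addresses, networks and the PSK below are made-up placeholders.

# Macros keep the rule readable and make the copy on gateway b a matter of
# swapping the two pairs of values.
local_gw   = "192.0.2.1"            # gateway a, Internet-facing address
remote_gw  = "198.51.100.1"         # gateway b, Internet-facing address
local_net  = "10.0.1.0/24"          # lan a
remote_net = "10.0.2.0/24"          # lan b

# One IKE rule: tunnel-mode ESP between the two LANs, negotiated by isakmpd(8)
# with the remote gateway.  Both phases name their algorithms explicitly, so the
# peer cannot talk the negotiation down to a weaker proposal than intended.
ike esp tunnel from $local_net to $remote_net \
        local $local_gw peer $remote_gw \
        main  auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        psk "replace-with-a-long-random-secret"
```

Parse it without touching the kernel first (`ipsecctl -n -f /etc/ipsec.conf`), load it with `ipsecctl -f /etc/ipsec.conf`, and inspect the resulting flows and SAs with `ipsecctl -sa`. Because ipsec.conf(5) replaces the keynote(5) policy the post talks about abandoning, isakmpd(8) is run with `-K` (policy checking disabled), which is what `ipsec=YES` in rc.conf.local arranges on a current release. Check the flag and the algorithm names against the man pages of the release actually installed rather than copying them from here.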