Red Hat Enterprise Linux 5 Deployment Guide: Starting and Stopping an IPsec Connection

Chapter 43. Securing Your Network
Prior to starting the IPsec connection, IP forwarding should be enabled in the kernel. To enable IP
forwarding:
1. Edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.
2. Use the following command to enable the change:
[root@myServer ~] # sysctl -p /etc/sysctl.conf
To start the IPsec connection, use the following command on each router:
[root@myServer ~] # /sbin/ifup ipsec0
The connections are activated, and both LAN A and LAN B are able to communicate with each other.
The routes are created automatically via the initialization script called by running ifup on the IPsec
connection. To show a list of routes for the network, use the following command:
[root@myServer ~] # /sbin/ip route list
To test the IPsec connection, run the tcpdump utility on the externally-routable device (eth0 in this
example) to view the network packets being transferred between the hosts (or networks), and verify
that they are encrypted via IPsec. For example, to check the IPsec connectivity of LAN A, use the
following command:
[root@myServer ~] # tcpdump -n -i eth0 host lana.example.com
The packets should include an AH header and be shown as ESP packets; ESP means the payload is
encrypted. For example (backslashes denote a continuation of one line):
12:24:26.155529 lanb.example.com > lana.example.com: AH(spi=0x021c9834,seq=0x358): \
lanb.example.com > lana.example.com: ESP(spi=0x00c887ad,seq=0x358) (DF) \
(ipip-proto-4)
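As an added example that is not part of the Red Hat guide, the following shell script checks offline the two verification points of this procedure: whether a sysctl.conf really enables net.ipv4.ip_forward (including the case where a later line overrides an earlier one, as sysctl -p applies them), and whether every packet summary in a tcpdump capture of the form shown above carries both an AH and an ESP header. The sysctl.conf contents and the second, plaintext tcpdump line are constructed sample data; only the first capture line is the guide's own output.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: offline checks for the two
# verification points of the procedure above. The sysctl.conf contents and the
# plaintext tcpdump line are constructed samples; the AH/ESP line is the guide's.

# ip_forward_enabled FILE
# Succeeds when the last uncommented net.ipv4.ip_forward setting in FILE is 1.
# sysctl -p applies the file top to bottom, so a later line overrides an earlier one.
ip_forward_enabled() {
    value=$(sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    [ "$value" = "1" ]
}

# join_continuations FILE
# Rejoins capture lines that end in a backslash (the guide's line-wrapping
# convention) so each packet summary occupies exactly one line.
join_continuations() {
    awk '{
        line = $0
        if (buf != "") sub(/^[ \t]+/, "", line)
        if (sub(/\\[ \t]*$/, "", line)) { buf = buf line; next }
        print buf line
        buf = ""
    }' "$1"
}

# unprotected_packets FILE
# Prints every packet summary that does not show both an AH and an ESP header,
# i.e. traffic that crossed the external interface without IPsec protection.
unprotected_packets() {
    join_continuations "$1" | awk '
        /AH\(spi=/ && /ESP\(spi=/ { next }   # authenticated and encrypted: fine
        NF { print }                         # anything else went out in the clear
    '
}

# count_unprotected FILE
# Prints the number of unprotected packet summaries in FILE.
count_unprotected() {
    unprotected_packets "$1" | awk 'END { print NR }'
}

# ---- constructed sample data ----------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Edited as step 1 describes: forwarding turned on.
cat > "$WORK/sysctl-enabled.conf" <<'EOF'
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
EOF

# Unedited default value: forwarding stays off.
cat > "$WORK/sysctl-disabled.conf" <<'EOF'
net.ipv4.ip_forward = 0
EOF

# A later line wins over an earlier one, exactly as sysctl -p applies them.
cat > "$WORK/sysctl-override.conf" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.ip_forward=1
EOF

# A commented-out setting does not count.
cat > "$WORK/sysctl-missing.conf" <<'EOF'
#net.ipv4.ip_forward = 1
EOF

# First packet: the guide's AH+ESP example. Second packet: a constructed
# plaintext TCP segment, the kind of line that must not appear on eth0 once
# the tunnel is up.
cat > "$WORK/capture.txt" <<'EOF'
12:24:26.155529 lanb.example.com > lana.example.com: AH(spi=0x021c9834,seq=0x358): \
lanb.example.com > lana.example.com: ESP(spi=0x00c887ad,seq=0x358) (DF) \
(ipip-proto-4)
12:24:27.001200 lanb.example.com.22 > lana.example.com.40122: P 1:53(52) ack 1 win 5840
EOF

# ---- run the checks --------------------------------------------------------
for f in enabled disabled override missing; do
    if ip_forward_enabled "$WORK/sysctl-$f.conf"; then
        echo "sysctl-$f.conf: IP forwarding on"
    else
        echo "sysctl-$f.conf: IP forwarding OFF - fix before ifup ipsec0"
    fi
done
echo "packets seen without AH+ESP: $(count_unprotected "$WORK/capture.txt")"
unprotected_packets "$WORK/capture.txt"
```

On a real router the same functions can be pointed at /etc/sysctl.conf and at a file saved with `tcpdump -n -i eth0 host lana.example.com > capture.txt`; any line the script prints is traffic that left the external interface without ESP protection and should be investigated before the tunnel is trusted.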

43.7.8. Starting and Stopping an IPsec Connection

If the IPsec connection was not configured to activate on boot, you can control it from the command
line.
To start the connection, use the following command on each host for host-to-host IPsec, or each IPsec
router for network-to-network IPsec:
[root@myServer ~] # /sbin/ifup <nickname>
where <nickname> is the nickname configured earlier, such as ipsec0.
To stop the connection, use the following command: