[Openswan Users] openswan Side to Side config
E0x
samudhio at gmail.com
Tue Jun 12 07:48:40 EDT 2007
I just want to confirm the config I did following your advice.
ipsec --version output:
Linux Openswan U2.1.5/K2.6.9-42.0.3.EL (native) (native)
See `ipsec --copyright' for copyright information.
ipsec.conf:
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=all
    # plutodebug=dns
    interfaces="ipsec0=eth0"
conn tunnelipsec
    type=tunnel
    authby=secret
    #RRT
    left=myip
    leftsubnet=66.232.119.0/24
    leftnexthop=%defaultroute
    #SAA
    right=other_Company_ip
    rightsubnet=the_same_other_company_Ip
    rightnexthop=%defaultroute
    esp=3des-md5-modp1024
    aggrmode=no
    keyexchange=ike
    ikelifetime=24.0m
    keylife=1.0h
    pfs=no
    auto=start
=============end==============================
I need to confirm the rightsubnet part: I am asking whether I need access to their
subnet or they just need a VPN encrypted with that server.
Then I don't know where to put the keylife option and the others, so I assumed
it is on the right side ( #SAA ). Is this OK?
Thanks
PS: sorry for my bad English
On 6/11/07, Peter McGill <petermcgill at goco.net> wrote:
>
> > -----Original Message-----
> > Date: Sat, 9 Jun 2007 12:29:41 -0400
> > From: E0x <samudhio at gmail.com>
> > Subject: [Openswan Users] openswan Side to Side config
> > To: users at openswan.org
> >
> > Hello all, I am new to using openswan and I have this situation:
> >
> > openswan.i386 2.1.5-1fc2
> >
> > OS: CentOS 4.5
> >
> > kernel: 2.6.9-42.0.3.EL
> >
> > I have to do a side-to-side config with another company but I'm not sure
> > what they are using; I guess it is something like a Cisco PIX, because of
> > the info they gave me about the encryption methods I can choose from.
> >
> > I chose this method:
> > Phase 1 IKE Properties:
> >
> > Key Exchange: 3DES
> > Data Integrity : MD5
> > Renegotiate IKE SA: 1440 seconds
> > DH-Group : Group 2 ( 1024 )
> > Use Aggressive Mode: Disable
> >
> > Phase 2 IPsec Properties:
> >
> > Data Encryption : 3DES
> > Data Integrity : MD5
> > Perfect Forward Secrecy: Disabled
> > Renegotiate : IPSEC SAs Every : 3600 Seconds
> > Support Site to Site Compression : Disabled
> >
> > other settings : pre-share secrets must be at least 10 alpha/numeric
> > characters long. also, they can only be exchanged in a secure manner
> >
> > ====End====
> >
> >
> > Now on my site I have only one interface ( eth0 ) with 6 public IPs
> > ( alias interfaces: eth0:1, eth0:2 ...etc. )
> > and I configured openswan like this:
> > config setup
> >     # Debug-logging controls: "none" for (almost) none, "all" for lots.
> >     # klipsdebug=all
> >     # plutodebug=dns
> >
> > conn tunnelipsec
> >     type=tunnel
> >     authby=secret
> >     #RRT
> >     left=one_of_My_Public_IP
> >     leftsubnet=network-public_ip/24   # i.e. 66.232.119.0/24
> >     leftnexthop=%defaultroute
> >     #SAA
> >     right=the_another_company_ip
> >     rightsubnet=where_i_put_the_Same_IP_that_Above
> >     rightnexthop=%defaultroute
> >     esp=3des-md5
> >     keyexchange=ike
> >     pfs=no
> >     auto=start
>
> I would say you're on the right track with this.
> You should set these to match the timeouts given:
> ikelifetime=24.0m
> keylife=1.0h
> You could also add these to the conn:
> ike=3des-md5-modp1024
> aggrmode=no
> If you have rightsubnet = right, then you can only communicate with the
> foreign router, and not the network beyond it; you'll probably need to
> put their subnet info in rightsubnet.
> If you have six public IPs, then you should probably have a leftsubnet of
> /29.
> I.e. if 66.232.119.1 - 6, then 66.232.119.0/29,
> or 66.232.119.33 - 38 then 66.232.119.32/29, etc...
> You may need an interfaces line for the IP alias used for ipsec, if using
> klips.
> Netkey should ignore the setting, so it should be safe to set either way.
> ipsec --version will tell you which you're using.
> config setup
>     interfaces="ipsec0=eth0:1"
>
> Your secrets file should look like this:
> <left pub ip> <right pub ip> : PSK "<secret>"
>
> Lastly, don't forget to set up firewall (iptables) rules to allow both the
> ipsec and tunneled traffic.
>
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> >
> > =======end=======
> >
> > Now they will give me a key when I am ready for the test; I guess the key
> > is configured in /etc/ipsec.secrets.
> >
> > So my question is: I know openswan is for connecting to a private network
> > through the internet, but how can I do that if in my case I don't have a
> > private network? What do I need to put in the leftsubnet: option? Do I
> > need to ask for the subnet of the other company too, to set it in some
> > ipsec interface that will be created when I connect?
>
>