[Openswan Users] central-site with distinct bundles of subnets...

lesly dorval ladorval at yahoo.com
Tue Mar 18 10:53:01 EDT 2008

To: users at openswan.org
Message-ID: <690235.62452.qm at web54102.mail.re2.yahoo.com>

In response to:
Well it would help if you showed us your actual
ipsec.conf.

Here is my config.  It works partially for me.
Ideally, I would like to connect to multiple networks.
But right now, I can only connect to one network at a time.

whack initiating two tunnels at a time to the same
gateway does not work.

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # plutodebug=all
        nat_traversal=yes

conn Net172
    also=Net-172 # Define that we want to connect to 172.16.0.0/16. /24 granularity desired.
    left=10.254.0.73
    leftid=10.254.0.73
    leftsubnet=10.254.0.73/32
    leftnexthop=XX.XX.XX.XX
    leftxauthclient=yes
    #
    also=CK-policy
    auto=add

conn Net192
    also=Net-192 # Define that we want to connect to 192.168.32.0/24
    left=10.254.0.73
    leftid=10.254.0.73
    leftsubnet=10.254.0.73/32
    leftnexthop=XX.XX.XX.XX
    leftxauthclient=yes
    #
    also=Net-policy
    auto=add


conn Net-policy
    #  Phase I
    authby=secret
    auth=esp
    ike=3des-sha1-modp1536
    #ikelifetime=28800
    #  Phase II
    type=tunnel
    esp=3des-sha1
    pfs=no
    aggrmode=yes
    #xauth=yes
    #
    keyingtries=5
    dpddelay=30
    dpdtimeout=60
    dpdaction=clear

   
conn Net-192 # Define that we want to connect to 192.168.32.0/24
    #  All Right
    right=XX.XX.XX.XX
    rightid=@XX.XX.XX.XX
    rightsubnet=192.168.32.0/24
    rightxauthserver=yes

conn Net-172 # Define that we want to connect to 172.16.0.0/16
    #  All Right
    right=XX.XX.XX.XX
    rightid=@XX.XX.XX
    rightsubnet=172.16.0.0/16
    rightxauthserver=yes

======================
In response to:
Well it would help if you showed us your actual ipsec.conf.
(You can mask the public IPs if you like, i.e. left=66.11.x.x.)

Essentially you need a site definition for each subnet, for
example using my previous example...

conn remote-site-1-net-1
        also=central-site-net-1 # you'll need a remote-site conn for each remote site.
        right=%any
        rightid=@site1 # set this to uniquely identify site, must match in linksys.
        rightsubnet=192.168.0.0/16 # your remote lan.
        also=linksys-policy
        auto=add # the remote end will start

conn remote-site-1-net-2
        also=central-site-net-2 # you'll need a remote-site conn for each remote site.
        right=%any
        rightid=@site1 # set this to uniquely identify site, must match in linksys.
        rightsubnet=192.168.0.0/16 # your remote lan.
        also=linksys-policy
        auto=add # the remote end will start

conn central-site-net-1
        left=1.2.3.4 # your openswan.linux public internet ip.
        # leftnexthop=%defaultroute
        # leftid=@1.2.3.4       # defaults to left ip, must match in linksys.
        leftsubnet=10.0.0.0/8 # your internal lan at central site.
        leftsourceip=10.0.0.1 # your openswan.linux private lan ip.

conn central-site-net-2
        left=1.2.3.4 # your openswan.linux public internet ip.
        # leftnexthop=%defaultroute
        # leftid=@1.2.3.4       # defaults to left ip, must match in linksys.
        leftsubnet=172.16.0.0/12 # your internal lan at central site.

You'll also need multiple subnet definitions in your SNWL switch.
Both sides need equivalent subnet(s), etc...
Essentially each subnet is its own tunnel, as shown in openswan,
although some other vendor switches hide this from you and instead allow
you to specify multiple subnets to what appears to be one connection.


Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of lesly dorval
> Sent: March 12, 2008 11:41 AM
> To: users at openswan.org
> Subject: [Openswan Users] central-site with distinct bundles of subnets...
> 
> I have an ipsec.conf modeled after Peter McGill's example shown below.  And it works as advertised,
> connecting to a SNWL 5060.
> However, my central site has multiple subnets 10.0 and 172.16 that I want to access remotely.  I would like
> to create network bundles that my users can access: i.e. bundle1 would contain
> 10.10.0.0/16 and 172.16.0.0/16 whereas bundle2 would contain 10.15.0.0/16 and 192.168.1.0/24.
> 
> If I try to create central-site-bundle1 and central-site-bundle2 and insert those definitions under
> conn remote-site-1 with also, I get
>  ipsec_auto: fatal error in "GVPN172": (/etc/ipsec.conf, line 67) duplicated parameter "right".
> 
> If I try to alternatively initiate conn1 and then conn2, conn2 never completes STATE_QUICKII complaining
> of phaseII protocol mismatch.
> This error is due to the fact that the conn1 connection is active.  If I disconnect conn1, conn2
> initiates and connects without a hitch.
> 
> Any help is welcome.
> 
> config setup
>         interfaces=%defaultroute
>         uniqueids=yes
> 
> include /etc/ipsec.d/examples/no_oe.conf
> 
> conn remote-site-1
>         also=central-site # you'll need a remote-site conn for each remote site.
>         right=%any
>         rightid=@site1 # set this to uniquely identify site, must match in linksys.
>         rightsubnet=192.168.0.0/16 # your remote lan.
>         also=linksys-policy
>         auto=add # the remote end will start
> 
> conn central-site
>         left=1.2.3.4 # your openswan.linux public internet ip.
>         # leftnexthop=%defaultroute
>         # leftid=@1.2.3.4       # defaults to left ip, must match in linksys.
>         leftsubnet=10.0.0.0/8 # your internal lan at central site.
>         leftsourceip=10.0.0.1 # your openswan.linux private lan ip.
> 
> conn linksys-policy
>         # keyexchange=ike    # I've shown the openswan defaults here in comments
>         # aggrmode=no          # So you know what to set on linksys to match, however
>         # auth=esp                # You may leave these lines out of your ipsec.conf
>         ike=3des-md5-modp1024 # or aes-sha1-modp1024
>         esp=3des-md5                # or aes-sha1
>         # pfs=yes                  # perfect forward secrecy
>         compress=no
>         # ikelifetime=1.0h
>         # keylife=8.0h
>         # rekey=yes
>         # keyingtries=%forever
>         # dpddelay=30        # d(ead)p(eer)d(etection) is off by default, set all three
>         # dpdtimeout=120   # options to enable it, may or may not help with lost
>         # dpdaction=clear   # connections, internet outages, etc...
>         authby=secret        # note, linksys may only allow preshared (text) keys,
>                              # in which case you'll need to use the same key for
>                              # all dynamic ip sites and your ipsec.secrets file will
>                              # look like below. If it allows other options such as
>                              # RSA keys or X.509 certs then you may have
>                              # different keys for different sites.
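Added illustration (not from the thread and not Openswan's own code) of the two points made above: each subnet pair needs its own conn, and pulling two central-site definitions into one conn via also= trips the "duplicated parameter" error. The checker below expands also= sections the way that error implies (any parameter set twice across the merge is fatal) and reports the one leftsubnet/rightsubnet tunnel each conn resolves to; the section names and addresses are constructed placeholders.

```python
SAMPLE_CONF = """\
conn remote-site-1-net-1
    also=central-site-net-1
    right=%any
    rightsubnet=192.168.0.0/16
conn remote-site-1-net-2
    also=central-site-net-2
    right=%any
    rightsubnet=192.168.0.0/16
conn central-site-net-1
    left=1.2.3.4
    leftsubnet=10.0.0.0/8
conn central-site-net-2
    left=1.2.3.4
    leftsubnet=172.16.0.0/12
conn remote-site-1-bundle
    also=central-site-net-1
    also=central-site-net-2
    rightsubnet=192.168.0.0/16
"""  # constructed sample modelled on the thread; addresses are placeholders

def parse_sections(text):
    """{section name: [(key, value), ...]}; '#' comments stripped, section headers unindented."""
    sections, current = {}, None
    for line in (raw.split("#", 1)[0].rstrip() for raw in text.splitlines()):
        if line and not line[0].isspace():             # "conn NAME" header line
            current = sections[line.split(None, 1)[1]] = []
        elif line.strip():                             # indented "key=value" line
            key, _, value = line.strip().partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def expand_conn(name, sections):
    """Merge a conn with its also= sections; a parameter set twice is the fatal 'duplicated parameter' error."""
    merged = {}
    for key, value in sections[name]:
        items = expand_conn(value, sections).items() if key == "also" else [(key, value)]
        for k, v in items:
            if k in merged:
                raise ValueError(f'duplicated parameter "{k}" in conn {name}')
            merged[k] = v
    return merged

def tunnel_pairs(sections, conns):
    """One Phase 2 tunnel per conn: the (leftsubnet, rightsubnet) pair each named conn resolves to."""
    pairs = {}
    for n in conns:
        c = expand_conn(n, sections)
        pairs[n] = (c["leftsubnet"], c["rightsubnet"])
    return pairs
```

Running tunnel_pairs over the two remote-site conns yields two distinct tunnels to the same peer, while expand_conn on remote-site-1-bundle fails on the second also= exactly as the quoted fatal error does.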




