<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16441" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>You had the esp line right, you just needed to add an
ike line,</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>like so.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>ike=3des-md5-modp1024</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>esp=3des-md5</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>You're using Netkey (native), so the interfaces line will
be ignored,</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>which is fine, or you can comment it out with # for
clarity.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>ikelifetime and keylife are fine. Order of entries in a
conn section is irrelevant.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>I personally usually group them into left side
(left*=) and right side (right*=),</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>and shared settings (anything not prefixed with left
or right), but whatever works</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>for you is fine, openswan doesn't care about the order
inside a conn.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>At this point I recommend you change the ike and esp
lines then go ahead and test.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>If you have any problems with the connection, then send
us another message.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>Include the connection logs for troubleshooting with
that message.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>egrep -e 'Jun 12 .*pluto' /var/log/*</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>(Change the date appropriately.)</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=465271512-12062007>Do not turn the debug options on in the conf; there is
enough info without them.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><BR>
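<DIV dir=ltr align=left><FONT face=Arial size=2>Added example, not part of this message or of Openswan: a small Python checker that parses a conn section like the one quoted below and compares it with the other side's stated proposal from this thread (3DES/MD5 with DH group 2, i.e. modp1024; IKE SA 1440 seconds; IPsec SA 3600 seconds; PFS off; aggressive mode off). The conn text, the corrected copy and its 192.0.2.0/24 rightsubnet are constructed for the example; the placeholder values are the ones posted in the thread. It flags the three points the replies raise: a missing ike= line, a DH group sitting on the esp= line, and a rightsubnet that is not the peer's network in CIDR form.</FONT></DIV>

```python
"""Added example: lint an Openswan ipsec.conf conn section against the peer's
stated IKE/IPsec proposal. Not Openswan code; the conn texts are constructed."""
import re

# Constructed sample, modelled on the conn posted in the thread (placeholders kept).
SAMPLE_CONN = """\
conn tunnelipsec
        type=tunnel
        authby=secret
        #RRT
        left=myip
        leftsubnet=66.232.119.0/24
        leftnexthop=%defaultroute
        #SAA
        right=other_Company_ip
        rightsubnet=the_same_other_company_Ip
        rightnexthop=%defaultroute
        esp=3des-md5-modp1024
        aggrmode=no
        keyexchange=ike
        ikelifetime=24.0m
        keylife=1.0h
        pfs=no
        auto=start
"""

# Corrected copy: ike= added, DH group taken off esp=, rightsubnet set to a
# constructed placeholder network (192.0.2.0/24 is a documentation range).
FIXED_CONN = (SAMPLE_CONN
              .replace("esp=3des-md5-modp1024", "ike=3des-md5-modp1024\n        esp=3des-md5")
              .replace("rightsubnet=the_same_other_company_Ip", "rightsubnet=192.0.2.0/24"))

# The other side's proposal as listed in the thread, in ipsec.conf terms.
PEER = {"ike": "3des-md5-modp1024", "esp": "3des-md5",
        "ikelifetime_s": 1440, "keylife_s": 3600, "pfs": "no", "aggrmode": "no"}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_conn(text):
    """Return the key=value pairs of the first conn section, comments stripped."""
    conf, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            if in_conn:
                break  # only the first conn is examined
            in_conn = True
            conf["_name"] = line.split(None, 1)[1]
        elif in_conn and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def lifetime_seconds(value):
    """Convert an ipsec.conf time such as '24.0m', '1.0h' or '3600' to seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([smhd]?)", value)
    if not m:
        raise ValueError(f"unrecognised time value: {value!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2) or "s"])


def check_conn(conf, peer):
    """Return a list of findings; an empty list means the conn matches the peer."""
    findings = []
    ike = conf.get("ike")
    if ike is None:
        findings.append("ike= missing: pluto will propose its own Phase 1 defaults "
                        f"rather than the peer's {peer['ike']}")
    elif ike != peer["ike"]:
        findings.append(f"ike={ike} differs from peer proposal {peer['ike']}")
    esp = conf.get("esp", "")
    if re.search(r"modp\d+", esp):
        findings.append(f"esp={esp} carries a DH group; put the group on ike= "
                        f"and keep esp={peer['esp']} (with pfs=no no Phase 2 group is negotiated)")
    elif esp != peer["esp"]:
        findings.append(f"esp={esp} differs from peer proposal {peer['esp']}")
    # Lifetimes are compared in seconds, so 24.0m and 1440 agree.
    for key in ("ikelifetime", "keylife"):
        if key not in conf:
            findings.append(f"{key}= missing; peer expects {peer[key + '_s']} s")
        elif lifetime_seconds(conf[key]) != peer[key + "_s"]:
            findings.append(f"{key}={conf[key]} is not {peer[key + '_s']} s")
    # Openswan defaults: pfs=yes, aggrmode=no; both must end up matching the peer.
    for key, default in (("pfs", "yes"), ("aggrmode", "no")):
        if conf.get(key, default) != peer[key]:
            findings.append(f"{key}={conf.get(key, default)} but peer uses {peer[key]}")
    # The network behind the peer's gateway goes in rightsubnet, not the gateway itself.
    rs = conf.get("rightsubnet", "")
    if not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}", rs) or rs.split("/")[0] == conf.get("right"):
        findings.append(f"rightsubnet={rs!r} should be the peer's network in CIDR form")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONN), ("corrected", FIXED_CONN)):
        print(f"== {label} ==")
        for finding in check_conn(parse_conn(text), PEER) or ["no findings"]:
            print(" -", finding)
```

<DIV dir=ltr align=left><FONT face=Arial size=2>Run directly it prints the findings for the posted conn and for the corrected copy; the checker only reads the conn text, so it can be pointed at a real ipsec.conf before ipsec is restarted.</FONT></DIV>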
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> E0x [mailto:samudhio@gmail.com]
<BR><B>Sent:</B> June 12, 2007 7:49 AM<BR><B>To:</B>
petermcgill@goco.net<BR><B>Cc:</B> users@openswan.org<BR><B>Subject:</B> Re:
[Openswan Users] openswan Side to Side config<BR></FONT><BR></DIV>
<DIV></DIV>I just want to confirm the config I did following your
advice.<BR><BR>ipsec --version output:<BR><BR>Linux Openswan
U2.1.5/K2.6.9-42.0.3.EL (native) (native)<BR>See `ipsec --copyright' for
copyright information.<BR><BR>ipsec.conf:<BR><PRE>config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        # plutodebug=dns
        interfaces="ipsec0=eth0"
conn tunnelipsec
        type=tunnel
        authby=secret
        #RRT
        left=myip
        leftsubnet=66.232.119.0/24
        leftnexthop=%defaultroute
        #SAA
        right=other_Company_ip
        rightsubnet=the_same_other_company_Ip
        rightnexthop=%defaultroute
        esp=3des-md5-modp1024
        aggrmode=no
        keyexchange=ike
        ikelifetime=24.0m
        keylife=1.0h
        pfs=no
        auto=start
=============end==============================</PRE><BR>I need to
confirm the rightsubnet part. I am asking whether I need access to their subnet, or
whether they just need a VPN encrypted with that server.<BR><BR>Then I don't know where
to put the keylife option and the others, so I assume it is in the right side (
#SSA ). Is this OK?<BR><BR>Thanks<BR><BR>PD: sorry for my bad English<BR>
<DIV><SPAN class=gmail_quote><BR><BR>On 6/11/07,
<B class=gmail_sendername>Peter McGill</B> &lt;<A
href="mailto:petermcgill@goco.net">petermcgill@goco.net</A>&gt; wrote: </SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">>
-----Original Message-----<BR>> Date: Sat, 9 Jun 2007 12:29:41
-0400<BR>> From: E0x &lt;<A
href="mailto:samudhio@gmail.com">samudhio@gmail.com</A>&gt;<BR>> Subject:
[Openswan Users] openswan Side to Side config<BR>> To: <A
href="mailto:users@openswan.org">users@openswan.org</A><BR>><BR>>
Hello all, I am new to using openswan and I have this situation:<BR>><BR>>
openswan.i386 2.1.5-1fc2<BR>><BR>> OS: Centos 4.5<BR>><BR>> kernel:
2.6.9-42.0.3.EL<BR>><BR>> I have to do a side to side config with
another company but I<BR>> am not sure what<BR>> they are using. I guess
it is something like a Cisco PIX<BR>> because of the info that they gave for
the encryption<BR>> method that I can<BR>> choose.<BR>><BR>> I
chose this method:<BR>> Phase 1 IKE Properties:<BR>><BR>> Key
Exchange: 3DES<BR>> Data Integrity: MD5<BR>> Renegotiate IKE SA: 1440
seconds<BR>> DH-Group: Group 2 (1024)<BR>> Use
Aggressive Mode: Disable<BR>><BR>> Phase 2 IPsec
Properties:<BR>><BR>> Data Encryption: 3DES<BR>> Data Integrity:
MD5<BR>> Perfect Forward Secrecy: Disabled<BR>> Renegotiate
IPSEC SAs Every: 3600 Seconds<BR>> Support Site to Site
Compression: Disabled<BR>><BR>> Other settings: pre-shared secrets
must be at least 10 alpha/numeric<BR>> characters long. Also, they can
only be exchanged in a secure manner.<BR>><BR>>
====End====<BR>><BR>><BR>> Now at my site I have only one interface
(eth0) with 6<BR>> public IPs (alias<BR>> interface) (eth0:1,
eth0:2, etc.)<BR>> and I configured openswan like this:<BR><PRE>> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=all
>         # plutodebug=dns
>
> conn tunnelipsec
>         type=tunnel
>         authby=secret
>         #RRT
>         left=one_of_My_Public_IP
>         leftsubnet=network-public_ip/24  &lt;66.232.119.0/24&gt;
>         leftnexthop=%defaultroute
>         #SAA
>         right=the_another_company_ip
>         rightsubnet=where_i_put_the_Same_IP_that_Above
>         rightnexthop=%defaultroute
>         esp=3des-md5
>         keyexchange=ike
>         pfs=no
>         auto=start</PRE><BR>I would say you're on the right track with this.<BR>You should
set these to match the timeouts given:
<BR>ikelifetime=24.0m<BR>keylife=1.0h<BR>You could also add these to the
conn:<BR>ike=3des-md5-modp1024<BR>aggrmode=no<BR>If you have rightsubnet =
right, then you can only communicate with the<BR>foreign router, and not the
network beyond it; you'll probably need to<BR>put their subnet info in
rightsubnet.<BR>If you have six public IPs, then you should probably have a
leftsubnet of /29.<BR>I.e., if <A href="http://66.232.119.1">66.232.119.1</A>
- 6, then <A href="http://66.232.119.0/29">66.232.119.0/29</A>,<BR>or <A
href="http://66.232.119.33">66.232.119.33</A> - 38 then <A
href="http://66.232.119.32/29">66.232.119.32/29</A>, etc...<BR>You may need
an interfaces line for the IP alias used for ipsec, if using KLIPS.<BR>Netkey
should ignore the setting, so it should be safe to set either way.<BR>ipsec
--version will tell you which you're using.<BR><PRE>config setup
        interfaces="ipsec0=eth0:1"</PRE><BR>Your
secrets file should look like this:<BR><PRE>&lt;left pub ip&gt; &lt;right pub ip&gt; : PSK "&lt;secret&gt;"</PRE><BR>Lastly, don't forget to set up firewall
(iptables) rules to allow both the ipsec and tunneled traffic.<BR><BR>>
#Disable Opportunistic Encryption<BR>> include
/etc/ipsec.d/examples/no_oe.conf<BR>><BR>><BR>>
=======end=======<BR>><BR>> Now they will give me a key when I am
ready for the test; I<BR>> guess the key is<BR>> configured in
/etc/ipsec.secrets<BR>><BR>> So my question is: I know openswan is
for connecting to a private<BR>> network through<BR>> the internet, but how can I
do that if in my case I don't have a<BR>> private network?<BR>> What do I
need to put in the leftsubnet: option? Do I need to ask for<BR>> the subnet
of<BR>> the other company too, to set in some ipsec interface that
will<BR>> be created when I<BR>> connect?<BR><BR></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>