<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Thanks Daniel,<br><br>I did as you said (creating the virtual NIC as Alonso suggested):<br>sudo ifconfig eth0:1 192.168.51.10/32 netmask 255.255.255.0<br><br>Then I added that IP as the leftsubnet in ipsec.conf, and reconfigured my Cisco router to create a "gateway to gateway" tunnel instead of "client to gateway". When I restart ipsec, I can see the VPN shows as connected!!<br><br>But now I can't ping either way (neither from the internal network to the Ubuntu client, nor the other way round). So do I have to add the routes on both sides now to get this working? In the past (with client to gateway), I could ping from the client to the internal network without any route.<br><br>By the way, I think I'm close now :)<br><br>Kind regards!<br><br><div><hr id="stopSpelling">Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?<br>From: dan.cave@me.com<br>Date: Sat, 8 Jun 2013 17:27:21 +0100<br>CC: alonso.manilla@gmail.com; users@lists.openswan.org<br>To: soloninguno@hotmail.com<br><br>Jose, <div><br></div><div>I noticed your earlier mail shows your ipsec.conf file does not have any private leftsubnet= or leftsource= directive, which I believe, as Alonso implies, you're missing.</div><div><br></div><div>If you think simplistically, the tunnel can be built peer to peer using the two public IPs (which you have done so far);</div><div><br></div><div>then you need the private address range on each side to route between via the tunnel, which gives you your bidirectional traffic flow.</div><div><br></div><div>For example, you have the rightsubnet and right peer IP already in your linux-rv042 config, but nothing on the left.</div><div><br></div>
<pre>
conn %default
    authby=secret
    type=tunnel
    left=78.222.51.10
    leftsubnet=192.168.51.10/32
    # because you said you want to route from this HOST to your Cisco network, right?
    # you must configure the IP alias on eth0:1 using this IP (or one that you want to choose)

conn linux-rv042
    auto=add
    right=81.18.24.120
    rightsubnet=192.168.1.101/32
    authby=secret
    ike=aes256-sha1;modp1536
    esp=aes256-sha1;modp1536
    pfs=yes
    aggrmode=no
</pre>
<div><br></div><div>If you configure the alias interface on your Ubuntu host with a private IP (it can be a /32 one) and make sure you set up the same on the Cisco AND in your ipsec.conf, then restart, you should be good to go.</div><div><br></div><div><br></div><div>Dan.</div><div><br></div><div><div><div>On 8 Jun 2013, at 16:47, Jose M wrote:</div><br class="ecxApple-interchange-newline"><blockquote><div class="ecxhmmessage" style="font-size:12pt;font-family:Calibri;"><div dir="ltr">Thanks Alonso!<br><br>Could you give me some hints on how to create the routes and iptables rules to get this working?<br><br><div><hr id="ecxstopSpelling">From: <a href="mailto:alonso.manilla@gmail.com">alonso.manilla@gmail.com</a><br>Date: Fri, 7 Jun 2013 17:07:34 -0500<br>Subject: Re: [Openswan Users] Gateway to gateway without router in one endpoint?<br>To: <a href="mailto:soloninguno@hotmail.com">soloninguno@hotmail.com</a><br>CC: <a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br><br><div dir="ltr">It's possible to create virtual NICs.<div><br></div><div>Use #: </div><div>ifconfig eth0:1 192.168.1.5 netmask 255.255.255.0</div><div><br></div><div>To make it permanent, change the /etc/network/interfaces file.</div><div><br></div><div>Then you need to create a route to send all packets from the VPN to the new IP address; you also need to check your iptables.</div><div><br></div><div>Good luck.</div><div><br></div><div class="ecxgmail_extra"><br clear="all"><div>--<div>Alonso Manilla</div></div><br><br><div class="ecxgmail_quote">2013/6/7 Jose M <span dir="ltr">&lt;<a href="mailto:soloninguno@hotmail.com" target="_blank">soloninguno@hotmail.com</a>&gt;</span><br><blockquote class="ecxgmail_quote" style="border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div><div dir="ltr">I need to create an IPsec VPN between an internal network behind a Cisco router and an Ubuntu server on the outside that is directly connected to the web (no router here).<br><br>Right now I've tested Openswan to create a client to gateway VPN and it works as expected. Unfortunately, with this configuration I don't have two-way traffic: the client sees the internal network, but the network can't see the client.<br><br>My knowledge of networks isn't the best, so I need to ask: is it possible to create some kind of virtual NICs in the Ubuntu client server to simulate a gateway and an internal network (with only one machine) in this endpoint, so the machines in the internal network can see this client?<br><br>Thanks in advance!<br><br><br></div></div><br>_______________________________________________<br><a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br><a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br><br></blockquote></div><br></div></div></div></div></blockquote></div><br><div style="word-wrap:break-word;"><div>Regards</div><div><br></div><div>Dan.</div></div>
<br></div></div></div></body>
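Added here as an illustration of the /32 leftsubnet and rightsubnet settings discussed in the thread; it is not code from the thread or from Openswan. The conn block is a constructed copy of the fragment Dan posted (algorithm lines omitted), and is_tunneled mirrors how a policy-based IPsec tunnel selects traffic: only packets between leftsubnet and rightsubnet are protected, so with both sides set to a single /32 only those two hosts can reach each other through the tunnel, and a ping from any other internal host never enters it.

```python
"""Which packets does an Openswan tunnel with /32 selectors actually carry?

Constructed example, not code from the thread or from Openswan. A
policy-based IPsec tunnel protects only packets whose source and destination
fall inside leftsubnet/rightsubnet; everything else follows the plain routing
table, so a tunnel can show as connected while most pings still fail.
"""
import ipaddress

# Constructed copy of the ipsec.conf fragment posted in the thread.
IPSEC_CONF = """
conn %default
    authby=secret
    type=tunnel
    left=78.222.51.10
    leftsubnet=192.168.51.10/32

conn linux-rv042
    right=81.18.24.120
    rightsubnet=192.168.1.101/32
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}


def selectors(conn):
    """Left/right selectors; without a *subnet= the peer's own /32 is used."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"]))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"]))
    return left, right


def is_tunneled(conn, src, dst):
    """True when src->dst matches the tunnel policy in either direction."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    left, right = selectors(conn)
    return (src in left and dst in right) or (src in right and dst in left)


def alias_in_leftsubnet(conn, alias_ip):
    """The eth0:1 alias address must sit inside leftsubnet to be tunneled."""
    return ipaddress.ip_address(alias_ip) in selectors(conn)[0]
```

With these selectors, 192.168.1.101 and 192.168.51.10 can ping each other, while a ping from another host in 192.168.1.0/24 or from the Ubuntu box's public address is never tunneled.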
</html>