[Openswan dev] [PATCH] Updates to the ipsec.conf man page for leftsendcert

Tuomo Soini tis at foobar.fi
Fri Jun 11 00:27:11 CEST 2004

Nate Carlson wrote:

| I'm finally getting a chance to test this so I can document it, and am
| getting it to work. Here's my configuration right now; all IPs are
| actually public.
| Oxygen: Firewall for one of my public networks, running OS 2.1.2cvs
| Knight: My laptop, running same version of Openswan
| oxygen config:
| conn oxygen-test-net
|         leftsubnet=
|         leftsourceip=
Should be:

|         rightcert=knight.crt
|         also=oxygen
| conn oxygen
|         keyingtries=1
|         authby=rsasig
|         leftrsasigkey=%cert
|         rightrsasigkey=%cert
|         left=%defaultroute
|         leftcert=oxygen.crt
|         right=%any
|         rightsubnet=vhost:%no,%priv
|         auto=add
| knight config:
| conn oxygen-net-test
|         leftsubnet=
|         # Tried with and without this
|         #leftsourceip=
|         also=oxygen
| conn oxygen
|         left=oxygen
|         leftcert=oxygen.crt
|         right=%defaultroute
|         rightcert=knight.crt
|         rightsendcert=always
|         auto=add

That's really documented in README.AdvancedRouting, which comes with
the openswan-1 advanced routing patch.

| I do also have proxy arp enabled, and I am able to ping the .25 address
| from other hosts on the internal network. However, if I try to connect to
| the .25 address, the connections are handled locally by oxygen instead of
| being forwarded onto knight.

But of course. You have assigned that ip to Oxygen, not knight.

| When making a connection from Knight to
| another box behind Oxygen (on the network), the connection
| is from Knight's real IP, not the virtual IP.

Yep, because you didn't activate sourceip on knight.

| Any ideas, or should I just keep playing with it?

Fix config and try again :-)

--
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>