[Openswan dev] [PATCH] Updates to the ipsec.conf man page for leftsendcert

Tuomo Soini tis at foobar.fi
Fri Jun 11 00:27:11 CEST 2004


Nate Carlson wrote:

| I'm finally getting a chance to test this so I can document it, and am not
| getting it to work. Here's my configuration right now; all IP's are
| actually public.
|
| Oxygen: Firewall for one of my public networks, running OS 2.1.2cvs (2004/05/13)
| Knight: My laptop, running same version of Openswan
|
| oxygen config:
| conn oxygen-test-net
|         leftsubnet=10.10.10.0/27
|         leftsourceip=10.10.10.25
Should be:

	leftsourceip=10.10.10.252
|         rightcert=knight.crt
|         also=oxygen
|
| conn oxygen
|         keyingtries=1
|         authby=rsasig
|         leftrsasigkey=%cert
|         rightrsasigkey=%cert
|         left=%defaultroute
|         leftcert=oxygen.crt
|         right=%any
|         rightsubnet=vhost:%no,%priv
|         auto=add
|
| knight config:
| conn oxygen-net-test
|         leftsubnet=10.10.10.0/27
|         # Tried with and without this
| 	#leftsourceip=10.10.10.25
	rightsourceip=10.10.10.25
	rightsubnet=10.10.10.25/32
|         also=oxygen
|
| conn oxygen
|         left=oxygen
|         leftcert=oxygen.crt
|         right=%defaultroute
|         rightcert=knight.crt
|         rightsendcert=always
|         auto=add

That's really documented in README.AdvancedRouting, which comes with the
openswan-1 advanced routing patch.

|
| I do also have proxy arp enabled, and I am able to ping the .25 address
| from other hosts on the internal network. However, if I try to connect to
| the .25 address, the connections are handled locally by oxygen instead of
| being forwarded onto knight.

But of course. You have assigned that ip to Oxygen, not knight.

| When making a connection from Knight to
| another box behind Oxygen (on the 10.10.10.0/27 network), the connection
| is from Knight's real IP, not the virtual IP.

Yep, because you didn't activate sourceip on knight.

| Any ideas, or should I just keep playing with it?

Fix config and try again :-)

--
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
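The mistake Tuomo points at (the virtual address given as leftsourceip on oxygen's side while knight is the host that should own it) is easy to catch mechanically. The following is an added example, not Openswan code and not the posters' files: a small Python checker that parses `conn` sections from ipsec.conf text, flattens `also=` inclusions (own keys win over included ones, as ipsec.conf(5) describes), and reports which side carries a `leftsourceip`/`rightsourceip`, whether that address lies inside that side's subnet, and whether the other side has a /32 route for the same address. The sample config text is constructed for the example: `knight-broken` mirrors the thread's wrong placement, `knight-fixed` the corrected one; the conn names and the checker's function names are assumptions.

```python
import ipaddress

# Constructed ipsec.conf text (assumed values modelled on the thread, not the
# poster's real file). "knight-broken" assigns the virtual address on the left
# (oxygen) side, which is the mistake the reply points out; "knight-fixed"
# assigns it on the right (knight) side with a /32 rightsubnet.
SAMPLE_CONF = """
conn knight-broken
        leftsubnet=10.10.10.0/27
        leftsourceip=10.10.10.25
        rightsubnet=10.10.10.25/32
        also=oxygen

conn knight-fixed
        leftsubnet=10.10.10.0/27
        rightsourceip=10.10.10.25
        rightsubnet=10.10.10.25/32
        also=oxygen

conn oxygen
        left=oxygen
        leftcert=oxygen.crt
        right=%defaultroute
        rightcert=knight.crt
        rightsendcert=always
        auto=add
"""


def parse_conf(text):
    """Parse 'conn <name>' sections into {name: {key: value}}.

    Non-conn sections such as 'config setup' are skipped; '#' starts a comment.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header sits at column 0
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) == 2 else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return conns


def resolve(conns, name, _seen=None):
    """Flatten 'also=' references: a conn's own keys win over the included ones."""
    _seen = _seen or set()
    if name in _seen:
        raise ValueError(f"also= loop at {name}")
    _seen.add(name)
    settings = dict(conns[name])
    also = settings.pop("also", None)
    if also:
        for key, value in resolve(conns, also, _seen).items():
            settings.setdefault(key, value)
    return settings


def _literal_net(value):
    """ip_network for a literal prefix; None for %any, %defaultroute, vhost:... values."""
    if value is None or value.startswith(("%", "vhost:")):
        return None
    return ipaddress.ip_network(value, strict=False)


def check_sourceip(settings):
    """Return (owners, errors) for one resolved conn.

    owners maps 'left'/'right' to the sourceip configured on that side;
    errors lists placement problems found.
    """
    owners, errors = {}, []
    for side, other in (("left", "right"), ("right", "left")):
        sip = settings.get(side + "sourceip")
        if sip is None:
            continue
        ip = ipaddress.ip_address(sip)
        owners[side] = sip
        net = _literal_net(settings.get(side + "subnet"))
        if net is not None and ip not in net:
            errors.append(f"{side}sourceip={sip} is outside {side}subnet={net}")
        # A /32 on the other side equal to this sourceip means the host route
        # points at the peer while the address itself is bound locally.
        other_net = _literal_net(settings.get(other + "subnet"))
        if other_net is not None and other_net.num_addresses == 1 and ip in other_net:
            errors.append(
                f"{sip} is routed to {other} via {other}subnet={other_net} "
                f"but bound locally via {side}sourceip; use {other}sourceip"
            )
    return owners, errors


def audit(text):
    """Check every conn that ends up with a sourceip; returns {conn: (owners, errors)}."""
    conns = parse_conf(text)
    report = {}
    for name in conns:
        settings = resolve(conns, name)
        if any(k.endswith("sourceip") for k in settings):
            report[name] = check_sourceip(settings)
    return report


if __name__ == "__main__":
    for name, (owners, errors) in audit(SAMPLE_CONF).items():
        print(f"{name}: sourceip on {', '.join(owners) or 'neither side'}")
        for err in errors:
            print("  !", err)
```

Run against the constructed text, `knight-broken` is reported with the virtual IP bound on the left side and a /32 pointing at the right, while `knight-fixed` passes cleanly; feeding it a real /etc/ipsec.conf only needs the file contents in place of `SAMPLE_CONF`.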