[Openswan Users] Fwd: Openswan VPN setup
David Clymer
dclyme at hrcsb.org
Fri Aug 20 12:55:48 CEST 2004
Another terse howto for clueless VPN folks like myself, in hopes that it
may prevent stress and superfluous thought.
Note: in the firewall rules below, the AH rule can be dropped. My
understanding is that AH cannot be NATed without breaking the packet
checksum.
-davidc
----- Forwarded message from David Clymer <david at hrcsb.org> -----
> To: xxxxxxxx
> From: David Clymer <david at hrcsb.org>
> Subject: Openswan VPN setup
>
> Task:
>
> Setting up a VPN between a host with a private address located
> behind a firewall (doing NAT) and a publicly available remote host.
>
> General setup is as follows:
>
> Both endpoints are running debian sarge, the native linux IPsec
> implementation (i.e. not KLIPS), & openswan 2.1.3
>
> #----------------------#
> # network diagram #
> #----------------------#
>
>     (jekyl)                  (grendal)              (zepto)
>  local subnet   local ipsec gw   firewall       remote ipsec gw   remote subnet
>  10.0.1.0/24|---[192.168.0.1]====[11.22.33.44]==========[44.33.22.11]---|10.0.2.0/24
>              |------------------------------------------------------|
>                                   ipsec tunnel
>
> #----------------------#
> # Openswan config #
> #----------------------#
>
> /etc/ipsec.d/private contains: zeptoKey.pem (on zepto), jekylKey.pem (on jekyl)
>
> /etc/ipsec.d/certs contains: zeptoCert.pem, jekylCert.pem
>
> /etc/ipsec.d/cacert contains: CAcert.pem (cert for CA which signed both jekylCert & zeptoCert)
>
> /etc/ipsec.secrets contains:
>
> (on jekyl)
>
> : RSA /etc/ipsec.d/private/jekylKey.pem
>
> (on zepto)
>
> : RSA /etc/ipsec.d/private/zeptoKey.pem
>
>
> /etc/ipsec.conf contains:
>
> (on jekyl)
>
> conn zepto
>     type=tunnel
>     keyexchange=ike
>     keyingtries=3
>     pfs=yes
>     authby=rsasig
>     # local
>     left=11.22.33.44
>     leftsubnet=10.0.1.0/24
>     leftid=jekylID@jekyldomain.com
>     leftcert=jekylCert.pem
>     # remote
>     right=44.33.22.11
>     rightsubnet=10.0.2.0/24
>     rightid=zeptoID@zeptodomain.com
>     rightcert=zeptoCert.pem
>     auto=start
>
> (on zepto)
>
> conn jekyl
>     type=tunnel
>     keyexchange=ike
>     keyingtries=3
>     pfs=yes
>     authby=rsasig
>     # local
>     left=44.33.22.11
>     leftsubnet=10.0.2.0/24
>     leftid=zeptoID@zeptodomain.com
>     leftcert=zeptoCert.pem
>     # remote
>     right=11.22.33.44
>     rightsubnet=10.0.1.0/24
>     rightid=jekylID@jekyldomain.com
>     rightcert=jekylCert.pem
>     auto=start
>
> #----------------------#
> # firewall config #
> #----------------------#
>
> the following iptables commands must be run:
>
> (on grendal)
>
> # send all IPsec related traffic to the IPsec gateway
> /sbin/iptables --table nat --append PREROUTING --in-interface inet_fr --protocol udp --source-port 500 --destination-port 500 --jump DNAT --to-destination 192.168.0.1
> /sbin/iptables --table nat --append PREROUTING --in-interface inet_fr --protocol ah --jump DNAT --to-destination 192.168.0.1
> /sbin/iptables --table nat --append PREROUTING --in-interface inet_fr --protocol esp --jump DNAT --to-destination 192.168.0.1
>
> # allow all IPsec traffic to pass through to the IPsec gateway
> /sbin/iptables --table filter --append FORWARD --in-interface inet_fr --protocol udp --destination 192.168.0.1 --destination-port 500 --jump ACCEPT
> /sbin/iptables --table filter --append FORWARD --in-interface inet_fr --protocol ah --destination 192.168.0.1 --jump ACCEPT
> /sbin/iptables --table filter --append FORWARD --in-interface inet_fr --protocol esp --destination 192.168.0.1 --jump ACCEPT
>
----- End forwarded message -----
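The two conn sections above must describe the same tunnel from opposite sides (every left* on jekyl equals the matching right* on zepto and vice versa), and the NATed gateway must put the firewall's public address in left=, not its own 192.168.0.1. The script below is an added example, not part of the forwarded message or of Openswan: it parses the minimal conn syntax used in the howto and reports any mismatch between the two peers. The conn texts are copied from the post with the archive's "ID at domain" obfuscation restored to "@"; the function names are mine.

```python
"""Mirror-check two Openswan ipsec.conf conn sections (added example)."""
import ipaddress
import re

# Constructed inputs: the conn sections from the howto above, verbatim
# apart from restoring "@" in the leftid/rightid values.
JEKYL_CONN = """\
conn zepto
    type=tunnel
    keyexchange=ike
    keyingtries=3
    pfs=yes
    authby=rsasig
    # local
    left=11.22.33.44
    leftsubnet=10.0.1.0/24
    leftid=jekylID@jekyldomain.com
    leftcert=jekylCert.pem
    # remote
    right=44.33.22.11
    rightsubnet=10.0.2.0/24
    rightid=zeptoID@zeptodomain.com
    rightcert=zeptoCert.pem
    auto=start
"""

ZEPTO_CONN = """\
conn jekyl
    type=tunnel
    keyexchange=ike
    keyingtries=3
    pfs=yes
    authby=rsasig
    # local
    left=44.33.22.11
    leftsubnet=10.0.2.0/24
    leftid=zeptoID@zeptodomain.com
    leftcert=zeptoCert.pem
    # remote
    right=11.22.33.44
    rightsubnet=10.0.1.0/24
    rightid=jekylID@jekyldomain.com
    rightcert=jekylCert.pem
    auto=start
"""

# Parameters that exist in left*/right* pairs, and settings both ends share.
SIDE_SUFFIXES = ("", "subnet", "id", "cert")
SHARED_KEYS = ("type", "keyexchange", "pfs", "authby")


def parse_conn(text):
    """Return (name, {key: value}) for the first conn section in `text`.

    Strips '#' comments and blank lines; a parameter line before the
    'conn <name>' header or without '=' is an error."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"conn\s+(\S+)$", line)
        if header:
            if name is not None:       # second section: stop at the first one
                break
            name = header.group(1)
            continue
        if name is None:
            raise ValueError("parameter before conn header: %r" % raw)
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected key=value: %r" % raw)
        params[key.strip()] = value.strip()
    if name is None:
        raise ValueError("no conn section found")
    return name, params


def mirror_problems(a, b):
    """Mismatches between peer conn dicts: a's left* must equal b's right*
    (and a's right* b's left*); tunnel-wide settings must simply agree."""
    problems = []
    for suffix in SIDE_SUFFIXES:
        for mine, theirs in (("left", "right"), ("right", "left")):
            ka, kb = mine + suffix, theirs + suffix
            if a.get(ka) != b.get(kb):
                problems.append("%s=%r vs peer %s=%r" % (ka, a.get(ka), kb, b.get(kb)))
    for key in SHARED_KEYS:
        if a.get(key) != b.get(key):
            problems.append("%s differs: %r vs %r" % (key, a.get(key), b.get(key)))
    return problems


def nat_warnings(params):
    """Flag a gateway whose own 'left' is an RFC 1918 address: behind a NAT
    firewall it must advertise the firewall's public address (as jekyl does
    with 11.22.33.44), or the peer negotiates with an unreachable endpoint."""
    val = params.get("left")
    if val is None:
        return []
    try:
        if ipaddress.ip_address(val).is_private:
            return ["left=%s is private; use the NAT firewall's public address" % val]
    except ValueError:
        return ["left=%r is not an IP address" % val]
    return []


def check_tunnel(text_a, text_b):
    """Parse both peers' conn sections and return every inconsistency found."""
    _, a = parse_conn(text_a)
    _, b = parse_conn(text_b)
    return mirror_problems(a, b) + nat_warnings(a) + nat_warnings(b)


if __name__ == "__main__":
    for line in check_tunnel(JEKYL_CONN, ZEPTO_CONN) or ["conn sections are consistent"]:
        print(line)
```

Run it on the two files before bringing the tunnel up; a typo in one subnet or ID shows up as a single line naming both sides' values rather than as an IKE negotiation that silently never completes.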