[Openswan Users] defining connection
giovanni.m at agilemovement.it
Thu Jun 17 13:28:20 CEST 2004
Hi,
I'm using superfreeswan with nat-t to connect two servers using
certificate-based authentication. It works very well from location A to
location B, meaning that from A I can reach clients behind B. I cannot get
from B to clients behind the gateway A.
This is probably because I haven't defined a connection from B to A. In doing
so, I get confused because I can't figure out which certificates I'm supposed
to put where.
At the moment, connection A's ipsec.conf looks like this:
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    nat_traversal=yes

conn %default
    #keyingretries=0
    leftid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=cofax, CN=new_milano_cert, Email=administrator@cofax.it"
    left=192.168.0.1
    leftnexthop=192.168.0.254
    disablearrivalcheck=yes
    authby=rsasig
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    rekey=yes
    pfs=yes
    compress=no
    leftcert=certs/swanCert.pem
    auto=start

conn milano-roma
    right=83.x.x.x
    rightsubnet=10.10.15.0/24
    rightid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=administrator@cofax.it"
    authby=rsasig
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    auto=start
    pfs=yes
and B looks like this:
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug="parsing control"
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24,%v4:192.168.0.0/24,%v4:1.1.206.0/24,%v4:10.10.14.0/24,%v4:10.10.15.0/24

# Global connection defaults
conn %default
    #keyingretries=0
    disablearrivalcheck=yes
    authby=rsasig
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    rekey=yes
    pfs=yes
    compress=no
    left=83.x.x.x
    leftnexthop=83.x.x.x
    leftsubnet=10.10.15.0/24
    leftrsasigkey=%cert
    leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=administrator@cofax.it"
    leftcert=certs/swanCert.pem
    auto=add

conn milano-roma
    type=tunnel
    leftsubnet=10.10.15.0/24
    right=%any
    rightrsasigkey=%cert
    rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=cofax, CN=new_milano_cert, Email=administrator@cofax.it"
    auto=add
    rightsubnet=vhost:%no,%priv
Two questions come to mind:
1) should A have a subnet vhost definition to make its subnet visible to B?
2) do I need to put the swanCert.pem for B in the certs folder on A? How does
A check the pem's authenticity? Do I need to put B's cacert on A too?
Many thanks in advance for any advice.
Giovanni
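The following is an added worked example, not part of the original post and not FreeS/WAN or Openswan code. It uses openssl to reproduce, outside the IKE daemon, the check that the X.509 patch performs on the certificate a peer sends during IKE: the certificate is chained to a CA certificate the gateway trusts (the patch loads these from /etc/ipsec.d/cacerts), and its subject DN is what leftid=/rightid= must match. A second, self-signed certificate with the very same subject DN is shown failing that check, which is why a matching DN alone is not authentication. The CA name, file layout under a temporary directory, and the rewriting of openssl's emailAddress attribute to the Email= spelling used in the post's ipsec.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post, not Openswan/FreeS/WAN code).
# Mirrors the /etc/ipsec.d layout (cacerts/, certs/, private/) inside $WORK,
# a hypothetical scratch directory.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Create a self-signed CA. Its certificate is the only thing a gateway needs
# locally to validate certificates that peers present in IKE.
make_ca() {
    mkdir -p "$WORK/cacerts" "$WORK/certs" "$WORK/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/private/cakey.pem" -out "$WORK/cacerts/cacert.pem" \
        -subj "/C=IT/O=cofax/CN=cofax CA" 2>/dev/null
}

# Issue a gateway certificate signed by that CA.
#   $1 = file basename, $2 = subject in openssl's /C=../ST=.. form
issue_cert() {
    name=$1; subj=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$WORK/private/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$name.csr" \
        -CA "$WORK/cacerts/cacert.pem" -CAkey "$WORK/private/cakey.pem" \
        -CAcreateserial -out "$WORK/certs/$name.pem" 2>/dev/null
}

# Issue a self-signed certificate with an arbitrary subject: what an attacker
# who merely knows the peer's DN could produce.
issue_self_signed() {
    name=$1; subj=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$subj" \
        -keyout "$WORK/private/$name.key" -out "$WORK/certs/$name.pem" 2>/dev/null
}

# The check a gateway applies to the certificate received from its peer:
# does it chain to a trusted CA certificate?  Returns 0 on success.
verify_against_ca() {
    openssl verify -CAfile "$WORK/cacerts/cacert.pem" "$1" >/dev/null 2>&1
}

# Print the subject DN in the comma-separated form used for leftid=/rightid=.
# openssl prints "subject=/C=IT/ST=.."; the slashes become ", " and
# "emailAddress" is rewritten to "Email" as spelled in the post's ipsec.conf
# (assumed: a DN value containing "/" is not handled here).
dn_for_ipsec_conf() {
    openssl x509 -noout -subject -nameopt compat -in "$1" \
        | sed -e 's/^subject= *//' -e 's#^/##' -e 's#/#, #g' \
              -e 's/emailAddress=/Email=/'
}

# Stand-alone demo: run as "sh thisfile.sh demo".
if [ "${1:-}" = "demo" ]; then
    make_ca
    issue_cert roma "/C=IT/ST=Roma/L=Roma/O=Cofax Roma/OU=Cofax Roma/CN=roma_cofax/emailAddress=administrator@cofax.it"
    issue_self_signed rogue "/C=IT/ST=Roma/L=Roma/O=Cofax Roma/OU=Cofax Roma/CN=roma_cofax/emailAddress=administrator@cofax.it"
    echo "rightid=\"$(dn_for_ipsec_conf "$WORK/certs/roma.pem")\""
    verify_against_ca "$WORK/certs/roma.pem" && echo "roma.pem: chains to cacert.pem"
    verify_against_ca "$WORK/certs/rogue.pem" || echo "rogue.pem: same DN, no trusted chain, rejected"
fi
```

The printed rightid line is what the other gateway's conn should carry for this certificate; the chain check only needs cacert.pem, while the peer's own certificate file is not consulted when the peer sends it in IKE and the conn uses rightrsasigkey=%cert.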