[Openswan Users] defining connection
John A. Sullivan III
john.sullivan at nexusmgmt.com
Thu Jun 17 23:57:44 CEST 2004
On Thu, 2004-06-17 at 08:28, giovanni.m at agilemovement.it wrote:
> Ciao,
>
> I'm using superfreeswan with nat-t to connect two servers using
> certificate-based authentication. It works very well from location A to
> location B, meaning that from A I can reach clients behind B. I can not get
> from B to clients behind the gateway A.
>
> This is probably because I haven't defined a connection from B to A. In doing
> so, I get confused because I can't figure out which certificates I'm supposed
> to put where.
>
> At the moment, connection A's ipsec.conf looks like this:
>
> config setup
>     interfaces="ipsec0=eth1"
>     klipsdebug=none
>     plutodebug=none
>     plutoload=%search
>     plutostart=%search
>     uniqueids=yes
>     nat_traversal=yes
>
> conn %default
>     #keyingretries=0
>     leftid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=cofax, CN=new_milano_cert, Email=administrator@cofax.it"
>     left=192.168.0.1
>     leftnexthop=192.168.0.254
>     disablearrivalcheck=yes
>     authby=rsasig
>     keyexchange=ike
>     ikelifetime=240m
>     keylife=60m
>     rekey=yes
>     pfs=yes
>     compress=no
>     leftcert=certs/swanCert.pem
>     auto=start
>
> conn milano-roma
>     right=83.x.x.x
>     rightsubnet=10.10.15.0/24
>     rightid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=administrator@cofax.it"
>     authby=rsasig
>     rightrsasigkey=%cert
>     leftrsasigkey=%cert
>     auto=start
>     pfs=yes
>
> and B looks like this:
>
> config setup
>     interfaces="ipsec0=eth1"
>     klipsdebug=none
>     plutodebug="parsing control"
>     plutoload=%search
>     plutostart=%search
>     uniqueids=yes
>     nat_traversal=yes
>     virtual_private=%v4:192.168.1.0/24,%v4:192.168.0.0/24,%v4:1.1.206.0/24,%v4:10.10.14.0/24,%v4:10.10.15.0/24
>
> # Global connection defaults
>
> conn %default
>     #keyingretries=0
>     disablearrivalcheck=yes
>     authby=rsasig
>     keyexchange=ike
>     ikelifetime=240m
>     keylife=60m
>     rekey=yes
>     pfs=yes
>     compress=no
>     left=83.x.x.x
>     leftnexthop=83.x.x.x
>     leftsubnet=10.10.15.0/24
>     leftrsasigkey=%cert
>     leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=administrator@cofax.it"
>     leftcert=certs/swanCert.pem
>     auto=add
>
> conn milano-roma
>     type=tunnel
>     leftsubnet=10.10.15.0/24
>     right=%any
>     rightrsasigkey=%cert
>     rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=cofax, CN=new_milano_cert, Email=administrator@cofax.it"
>     auto=add
>     rightsubnet=vhost:%no,%priv
>
> Two questions come to mind:
>
> 1) should A have a subnet vhost definition to make its subnet visible to B?
>
> 2) do I need to put the swanCert.pem for B in the certs folder on A? How does
> A check the pem's authenticity? Do I need to put B's cacert on A too?
<snip>
A few things look awry here although I admit to being quite tired while
looking at this :-(
First, a few simple points.
Yes, you will need to define the subnets on each side if you want a
subnet to subnet connection.
You should put the CA cert in the cacerts directory. That will allow
each side to trust the cert the other side furnishes.
I always set disablearrivalcheck to no.
However, I am surprised this is working at all. As far as I know,
OpenSWAN provides a NAT-T gateway but not a NAT-T client. How does B
find A across the Internet if A has an address of 192.168.0.1? I know B
is set to %any so it will accept the packet from the NAT address of A
but I would think the tunnel end point definitions will not match. Are
you testing on a local network rather than across the Internet? Then
again, perhaps something has changed as I have not stayed current with
*swan development for a while.
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
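As an added example, not part of this thread and not Openswan's own code: a small Python script that parses two ipsec.conf files and checks that what one gateway presents as left* is exactly what the other expects as right*, which is the question of "which certificate goes where" turned into a mechanical check. It treats right=%any and rightsubnet=vhost:... the way the B-side config above uses them (any peer address, and any peer subnet that lies inside virtual_private), and it flags a rightcert line, because the peer's certificate arrives inside IKE and only the CA certificate belongs in cacerts/, as John says. Assumptions: the conn has the same name on both sides; the 203.0.113.1 address and the 192.168.1.0/24 subnet behind A are constructed values, while the DNs are the ones quoted in the thread. It cannot check the cacerts directory itself, since that lives on each gateway.

```python
"""Added example (not from the thread or Openswan): check that two sides'
ipsec.conf files describe the same tunnel from opposite ends."""
import ipaddress


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into (setup, conns).

    Section headers ('config setup', 'conn NAME') start in column 0 and
    keyword=value lines are indented, as pluto requires.  Values of
    'conn %default' are inherited by every other conn.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header
            kind, _, name = line.strip().partition(' ')
            current = f'{kind} {name.strip()}'
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f'keyword outside any section: {raw!r}')
        key, _, value = line.strip().partition('=')
        sections[current][key.strip()] = value.strip().strip('"')
    defaults = sections.get('conn %default', {})
    conns = {name[5:]: {**defaults, **body}
             for name, body in sections.items()
             if name.startswith('conn ') and name != 'conn %default'}
    return sections.get('config setup', {}), conns


def _accepts(expected, value, attr, peer_setup):
    """Does the peer's right<attr> setting accept what we present as left<attr>?"""
    if expected is None or value is None:
        return expected == value
    if attr == '' and expected == '%any':
        return True                 # peer accepts any source address (NAT / roadwarrior)
    if attr == 'subnet' and expected.startswith('vhost:'):
        # virtual subnet: ours must lie inside one of the peer's virtual_private %v4 ranges
        ours = ipaddress.ip_network(value, strict=False)
        ranges = [ipaddress.ip_network(v[4:]) for v in
                  peer_setup.get('virtual_private', '').split(',')
                  if v.startswith('%v4:') and '!' not in v]
        return any(ours.subnet_of(r) for r in ranges)
    return value == expected


def check_pair(text_a, text_b, conn, names=('A', 'B')):
    """Return the mismatches between the two sides' definition of `conn`.

    Every left* value one side presents must be what the other expects as
    right*.  leftcert is private to its owner and is never mirrored: the peer's
    certificate arrives inside IKE and is verified against the CA in cacerts/.
    """
    sides = list(zip((parse_ipsec_conf(text_a), parse_ipsec_conf(text_b)), names))
    problems = []
    for ((_, conns), label), ((peer_setup, peer_conns), peer_label) in (sides, sides[::-1]):
        own, peer = conns[conn], peer_conns[conn]
        for attr in ('', 'subnet', 'id', 'rsasigkey'):
            mine, expected = own.get('left' + attr), peer.get('right' + attr)
            if not _accepts(expected, mine, attr, peer_setup):
                problems.append(f'{label} left{attr}={mine!r} but {peer_label} '
                                f'expects right{attr}={expected!r}')
        if 'rightcert' in own:
            problems.append(f'{label} sets rightcert: the peer sends its own '
                            f'certificate in IKE; only its CA cert belongs in cacerts/')
    return problems


# Constructed sample: gateway A behind NAT (192.168.0.1, constructed subnet
# 192.168.1.0/24) and gateway B at the documentation address 203.0.113.1.
# The DNs are the ones quoted in the thread.
DN_A = ('C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=cofax, '
        'CN=new_milano_cert, Email=administrator@cofax.it')
DN_B = ('C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, '
        'CN=roma_cofax, Email=administrator@cofax.it')

CONF_A = f'''\
config setup
    nat_traversal=yes

conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn milano-roma
    left=192.168.0.1
    leftsubnet=192.168.1.0/24
    leftid="{DN_A}"
    leftcert=certs/swanCert.pem
    right=203.0.113.1
    rightsubnet=10.10.15.0/24
    rightid="{DN_B}"
    auto=start
'''

CONF_B = f'''\
config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24,%v4:192.168.0.0/24,%v4:10.10.14.0/24

conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn milano-roma
    left=203.0.113.1
    leftsubnet=10.10.15.0/24
    leftid="{DN_B}"
    leftcert=certs/swanCert.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    rightid="{DN_A}"
    auto=add
'''

# A broken B: the peer's CN is mistyped and B tries to point at A's certificate.
CONF_B_BAD = (CONF_B.replace('CN=new_milano_cert', 'CN=milano_cert')
                    .replace('    auto=add', '    rightcert=certs/milanoCert.pem\n    auto=add'))

if __name__ == '__main__':
    print('good pair:', check_pair(CONF_A, CONF_B, 'milano-roma') or 'no mismatches')
    for p in check_pair(CONF_A, CONF_B_BAD, 'milano-roma'):
        print('bad pair:', p)
```

Run it against the two files as they sit on each gateway before bringing the conn up; the only thing it deliberately does not mirror is leftcert, which is the point of the original question: each side names its own certificate, trusts the other's through the CA in cacerts/, and matches it by the DN in rightid.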