[Openswan Users] Newbie and wireless home network experiments

Johannes Graumann graumann at caltech.edu
Thu Oct 28 01:11:14 CEST 2004


Ladies and Gentlemen,

I'm very new to this and have just started an attempt to get my wireless
home network IPSECed. I am trying to follow this document:
http://www.natecarlson.com/linux/ipsec-x509.php#clientopenswan

The topology of my network is as follows:
- dsl feeds into firewall/dhcp/backup server (192.168.1.1)
- second NIC serves the wireless network through a Linksys WAP11
- the machine I'm experimenting with right now is my laptop which gets
192.168.1.3 from the server.

I have succeeded in setting openswan up such that communications between
the server and the laptop are being IPSECed. If I do "ping server" on my
laptop after starting the wireless connection below, tcpdump on the
laptop gives me
23:55:11.706233 IP server > 192.168.1.3: ESP(spi=0xd4e3b915,seq=0x1b)
23:55:11.706233 IP server > 192.168.1.3: icmp 64: echo reply seq 27
which confuses me a little: is this indicative of the packet traveling
encrypted as well as in the clear or do I see the same packet before and
after decryption?

The second question I have is: how do I set up a connection that will
not only IPSEC the specific laptop/server traffic, but also establish an
IPSEC pipe for the NATed traffic that reaches the laptop from the
outside through the server?

Any hints (forceful ones too) would be highly appreciated.

Thanks for helping the newbie!

Joh

My /etc/ipsec.confs look as follows:
LAPTOP:
config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn wireless
        left=192.168.1.1
        leftcert=server.homenetwork.pem
        right=192.168.1.3
        rightcert=laptop.homenetwork.pem
        auto=add
        pfs=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

SERVER:
config setup
        interfaces="ipsec0=eth1"
        nat_traversal=yes
        virtual_private=%v4:192.168.1.0/24
 
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
 
conn wireless
        left=192.168.1.1
        leftcert=server.homenetwork.pem
        right=192.168.1.3
        rightcert=laptop.homenetwork.pem
        auto=add
        pfs=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
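
As an added example (not part of the original post, and not Openswan's own tooling), here is a small Python script that reads tcpdump's text output, such as the two lines quoted in the post, and tells the two cases apart. On the native Linux IPsec stack (NETKEY) an inbound packet is visible on the physical interface twice, first as the ESP frame and then again after decryption, with the same or nearly the same timestamp; outbound packets are only ever seen as ESP. So a non-ESP packet between two peers that exchange ESP, with no ESP frame for the same flow within a short window, is traffic that crossed the wireless link unprotected. The script also checks that ESP sequence numbers per SPI keep increasing, since a repeated or decreasing sequence number on the wire is either a replayed frame or a duplicated capture. The sample lines beyond the two quoted from the post, the second SPI (0x2a7c1f00), and the 1 ms matching window are constructed assumptions for the example.

```python
"""Classify tcpdump text output from an IPsec host: ESP frames, decrypted
copies of inbound ESP (NETKEY shows both), and cleartext leaks.

Added example, not part of the original post or of Openswan."""
import re
from collections import defaultdict

# Constructed sample in tcpdump's "-n"-less text format.  The first two lines
# are the ones quoted in the post; the rest are made up for this example
# (including the laptop->server SPI 0x2a7c1f00 and the final replayed frame).
SAMPLE = """\
23:55:11.706233 IP server > 192.168.1.3: ESP(spi=0xd4e3b915,seq=0x1b)
23:55:11.706233 IP server > 192.168.1.3: icmp 64: echo reply seq 27
23:55:12.706101 IP 192.168.1.3 > server: ESP(spi=0x2a7c1f00,seq=0x1c)
23:55:12.707233 IP server > 192.168.1.3: ESP(spi=0xd4e3b915,seq=0x1c)
23:55:12.707233 IP server > 192.168.1.3: icmp 64: echo reply seq 28
23:55:13.100000 IP 192.168.1.3 > server: icmp 64: echo request seq 29
23:55:13.100500 IP server > 192.168.1.3: icmp 64: echo reply seq 29
23:55:14.000000 IP server > 192.168.1.3: ESP(spi=0xd4e3b915,seq=0x1b)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)
ESP_RE = re.compile(r"^ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)")

# Assumed: the decrypted copy of an inbound ESP frame is re-injected within
# 1 ms of the frame itself (in the post's output the timestamps are identical).
WINDOW_US = 1000


def _us(ts):
    """Convert 'HH:MM:SS.frac' into microseconds since midnight."""
    hh, mm, rest = ts.split(":")
    ss, frac = rest.split(".")
    frac = (frac + "000000")[:6]
    return ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1_000_000 + int(frac)


def parse(lines):
    """Return one dict per IP line; spi/seq are set only for ESP frames."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank, ARP, or anything else that is not an IP line
        d = m.groupdict()
        e = ESP_RE.match(d["rest"])
        d["spi"] = int(e["spi"], 16) if e else None
        d["seq"] = int(e["seq"], 16) if e else None
        pkts.append(d)
    return pkts


def classify(lines):
    """Tag every packet as esp, decrypted, cleartext or unrelated.

    'decrypted' means a non-ESP packet whose flow has an ESP frame within
    WINDOW_US of it (the plaintext view of the same inbound packet);
    'cleartext' means a packet between ESP peers with no such frame, i.e.
    traffic that crossed the wire unprotected."""
    pkts = parse(lines)
    esp_times = defaultdict(list)
    for p in pkts:
        if p["spi"] is not None:
            esp_times[(p["src"], p["dst"])].append(_us(p["ts"]))
    protected = {frozenset(flow) for flow in esp_times}
    result = []
    for p in pkts:
        flow = (p["src"], p["dst"])
        if p["spi"] is not None:
            kind = "esp"
        elif frozenset(flow) not in protected:
            kind = "unrelated"
        elif any(abs(_us(p["ts"]) - t) <= WINDOW_US for t in esp_times.get(flow, [])):
            kind = "decrypted"
        else:
            kind = "cleartext"
        result.append((p["ts"], p["src"], p["dst"], kind))
    return result


def cleartext_leaks(lines):
    """Only the packets that should have been inside ESP but were not."""
    return [r for r in classify(lines) if r[3] == "cleartext"]


def seq_anomalies(lines):
    """Per SPI, report ESP sequence numbers that fail to strictly increase
    as (spi, previous_seq, offending_seq)."""
    last, bad = {}, []
    for p in parse(lines):
        if p["spi"] is None:
            continue
        prev = last.get(p["spi"])
        if prev is not None and p["seq"] <= prev:
            bad.append((p["spi"], prev, p["seq"]))
        last[p["spi"]] = p["seq"]
    return bad


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for ts, src, dst, kind in classify(lines):
        print(f"{ts} {src:>12} > {dst:<12} {kind}")
    print("cleartext leaks:", len(cleartext_leaks(lines)))
    print("sequence anomalies:", [(hex(s), p, q) for s, p, q in seq_anomalies(lines)])
```

To use it on a real capture, feed it the output of `tcpdump -l -i <wireless interface>` on the laptop while pinging the server; anything reported as cleartext between the two peers is traffic that the connection did not cover. Note that on a KLIPS host, where the decrypted packets appear on ipsec0 rather than on the physical interface, a capture on the physical interface should show ESP only, and every plaintext line there is a leak.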
