[Openswan Users] VPN-1 Edge X to Openswan success (AES)
Martin Schwartz
Martin.Schwartz at ieee.org
Sun Dec 11 19:40:43 CET 2005
Hi folks,
just wanted to let you know that the small VPN-1 Edge X boxes offered by
Checkpoint support VPNs with Openswan quite well. I just managed to get the
following configuration running:
Left: Suse Linux 9.3 Server with openswan-2.3.0-1suse9x (Example IP 1.2.3.4,
no network or NAT, name "hostname.com")
Right: Private NATed network 192.168.0.0/24 with VPN-1 Edge X (X32),
Embedded NG Version 5.0.94x (Example IP 5.6.7.8)
VPN: AES256-SHA1, DH group 5.
1. Openswan config (only added the two conns to /etc/ipsec.conf, all other
stuff left default):
conn local-net
authby=secret
type=tunnel
auth=esp
esp=aes256-sha1
keyexchange=ike
ike=aes256-sha-modp1536
keylife=28800s
ikelifetime=3600s
left=1.2.3.4
right=5.6.7.8
rightsubnet=192.168.0.0/24
pfs=yes
auto=start
conn local-fw
authby=secret
type=tunnel
auth=esp
esp=aes256-sha1
keyexchange=ike
ike=aes256-sha-modp1536
keylife=28800s
ikelifetime=3600s
left=1.2.3.4
right=5.6.7.8
rightsubnet=5.6.7.8/32
pfs=yes
auto=start
Note that you need at least TWO connection entries if you plan a VPN
net--host (i.e. one conn for net--host and a separate one for host--host),
and FOUR if it's a net--net VPN (which would be needed for host--net,
net--net, net--host, and host--host communication - EVEN if you don't
actually make use of this!). Don't forget to add a proper secret to
ipsec.secrets:
1.2.3.4 5.6.7.8: PSK "secret!"
2. VPN-1 cfg (best configured by just SSHing to your box as "admin", i.e.
ssh -l admin my.firewall):
clear vpn sites
add vpn sites disabled false name hostname.com gateway 1.2.3.4 gateway2
undefined loginmode automatic configmode manual authmethod sharedsecret type
sitetosite keepalive enabled bypassnat enabled bypassfw disabled user ""
password secret! topopass "" net1 1.2.3.4 netmask1 255.255.255.255 net2
undefined netmask2 255.255.255.0 net3 undefined netmask3 255.255.255.0
usepfs true phase1ikealgs aes256/sha1 phase1exptime 28800 phase2ikealgs
aes256/sha1 phase2exptime 3600 phase1dhgroup group5 phase2dhgroup group5
dnsname wsap.net
In addition, if you set "bypassfw disabled" as I did, you need one or two
rules to enable traffic inside your VPN (these rules can also be configured
using the web interface, and further restricted according to your needs):
add fw rules service any action allow src hostname.com dest lan ports 0
protocol any qosclass Default redirectport 0 index 1 log false disabled
false
add fw rules service any action allow src lan dest hostname.com ports 0
protocol any qosclass Default redirectport 0 index 2 log false disabled
false
If all works well, upon activating your VPN on the Linux box (rcipsec start)
and the Edge-X appliance (via web interface), the following entries should
appear in your VPN-1 log:
00058 Dec 11 07:15:15 PM IKE Phase2: Completed successfully
with VPN peer 85.214.25.18 [My Ranges: 192.168.0.0-192.168.0.255 Peer
Ranges: 1.2.3.4-1.2.3.4 Security: AES-256/SHA1 Expire time: 1 hour(s), 0
second(s) NAT-T: turned off]
00057 Dec 11 07:14:40 PM IKE Phase2: Completed successfully
with VPN peer 1.2.3.4 [My Ranges: 5.6.7.8-5.6.7.8 Peer Ranges:
1.2.3.4-1.2.3.4 Security: AES-256/SHA1 Expire time: 1 hour(s), 0 second(s)
NAT-T: turned off]
00056 Dec 11 07:14:39 PM IKE Phase1: Completed successfully
with VPN peer 1.2.3.4 [Security: AES-256/SHA1 Expire Time: 7 hour(s), 59
minute(s), 58 second(s) NAT-T: turned off]
Have fun,
Martin.
More information about the Users
mailing list