[Openswan Users] Re: VPN-1 Edge X to Openswan success (AES)
Martin Schwartz
Martin.Schwartz at ieee.org
Mon Dec 12 21:44:10 CET 2005
OOOPS, I confused the two values for keylife and ikelifetime! They should be
> keylife=3600s #(Phase 2)
> ikelifetime=28800s #(Phase 1)
according to the VPN-1 config below (even if I don't really know if that's
the right way to do it - the Openswan defaults are just the other way
round!)
Cheers,
Martin.
> -----Original Message-----
> From: Martin Schwartz [mailto:Martin.Schwartz at ieee.org]
> Sent: Sunday, 11 December 2005 19:41
> To: 'users at lists.openswan.org'
> Subject: VPN-1 Edge X to Openswan success (AES)
>
> Hi folks,
> just wanted to let you know that the small VPN-1 Edge X boxes
> offered by Checkpoint support VPNs with Openswan quite well.
> I just managed to get the following configuration running:
>
> Left: Suse Linux 9.3 Server with openswan-2.3.0-1suse9x
> (Example IP 1.2.3.4, no network or NAT, name "hostname.com")
> Right: Private NATed network 192.168.0.0/24 with VPN-1 Edge X
> (X32), Embedded NG Version 5.0.94x (Example IP 5.6.7.8)
> VPN: AES256-SHA1, DH group 5.
>
> 1. Openswan config (only added the two conns to
> /etc/ipsec.conf, all other stuff left default):
>
> conn local-net
>         authby=secret
>         type=tunnel
>         auth=esp
>         esp=aes256-sha1
>         keyexchange=ike
>         ike=aes256-sha-modp1536
>         keylife=28800s
>         ikelifetime=3600s
>         left=1.2.3.4
>         right=5.6.7.8
>         rightsubnet=192.168.0.0/24
>         pfs=yes
>         auto=start
>
> conn local-fw
>         authby=secret
>         type=tunnel
>         auth=esp
>         esp=aes256-sha1
>         keyexchange=ike
>         ike=aes256-sha-modp1536
>         keylife=28800s
>         ikelifetime=3600s
>         left=1.2.3.4
>         right=5.6.7.8
>         rightsubnet=5.6.7.8/32
>         pfs=yes
>         auto=start
>
> Note that you need at least TWO connection entries if you
> plan a VPN net--host (i.e. one conn for net--host and a
> separate one for host--host), and FOUR if it's a net--net VPN
> (which would be needed for host--net, net--net, net--host,
> and host--host communication - EVEN if you don't actually
> make use of this!). Don't forget to add a proper secret to
> ipsec.secrets:
>
> 1.2.3.4 5.6.7.8: PSK "secret!"
>
> 2. VPN-1 cfg (best configured by just SSHing to your box as
> "admin", i.e. ssh -l admin my.firewall):
>
> clear vpn sites
> add vpn sites disabled false name hostname.com gateway 1.2.3.4 gateway2 undefined loginmode automatic configmode manual authmethod sharedsecret type sitetosite keepalive enabled bypassnat enabled bypassfw disabled user "" password secret! topopass "" net1 1.2.3.4 netmask1 255.255.255.255 net2 undefined netmask2 255.255.255.0 net3 undefined netmask3 255.255.255.0 usepfs true phase1ikealgs aes256/sha1 phase1exptime 28800 phase2ikealgs aes256/sha1 phase2exptime 3600 phase1dhgroup group5 phase2dhgroup group5 dnsname wsap.net
>
> In addition, if you set "bypassfw disabled" as I did, you
> need one or two rules to enable traffic inside your VPN
> (these rules can also be configured using the web interface,
> and further restricted according to your needs):
>
> add fw rules service any action allow src hostname.com dest lan ports 0 protocol any qosclass Default redirectport 0 index 1 log false disabled false
> add fw rules service any action allow src lan dest hostname.com ports 0 protocol any qosclass Default redirectport 0 index 2 log false disabled false
>
> If all works well, upon activating your VPN on the Linux box
> (rcipsec start) and the Edge-X appliance (via web interface),
> the following entries should appear in your VPN-1 log:
> 00058 Dec 11 07:15:15 PM IKE Phase2: Completed
> successfully with VPN peer 85.214.25.18 [My Ranges:
> 192.168.0.0-192.168.0.255 Peer Ranges: 1.2.3.4-1.2.3.4
> Security: AES-256/SHA1 Expire time: 1 hour(s), 0 second(s)
> NAT-T: turned off]
> 00057 Dec 11 07:14:40 PM IKE Phase2: Completed
> successfully with VPN peer 1.2.3.4 [My Ranges:
> 5.6.7.8-5.6.7.8 Peer Ranges: 1.2.3.4-1.2.3.4 Security:
> AES-256/SHA1 Expire time: 1 hour(s), 0 second(s) NAT-T: turned off]
> 00056 Dec 11 07:14:39 PM IKE Phase1: Completed
> successfully with VPN peer 1.2.3.4 [Security: AES-256/SHA1
> Expire Time: 7 hour(s), 59 minute(s), 58 second(s) NAT-T: turned off]
>
> Have fun,
> Martin.
>
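An added example (my own code, not from the post or the Openswan project) that builds the set of conns the post says a host--net or net--net VPN needs, one per left/right selector pair, and cross-checks that ikelifetime tracks the VPN-1 phase1exptime and keylife tracks phase2exptime, the mapping corrected at the top of this mail. Addresses and subnets are the post's example values; function names are this example's own.

```python
# Builds the conn set for a host--net or net--net VPN between Openswan and
# a VPN-1 Edge, one conn per (left selector, right selector) pair, and keeps
# the lifetimes aligned with the VPN-1 side: ikelifetime <-> phase1exptime
# (Phase 1), keylife <-> phase2exptime (Phase 2). Addresses are the example
# values from the post; function names are this example's own.

def vpn_conns(left, right, leftsubnet=None, rightsubnet=None,
              phase1exptime=28800, phase2exptime=3600,
              ike="aes256-sha-modp1536", esp="aes256-sha1"):
    """Return a list of (name, {param: value}) conn definitions.

    A host--net VPN needs two conns (host--host, host--net); a net--net
    VPN needs four, even if some of the pairs never carry traffic.
    """
    left_sel = [("host", None)] + ([("net", leftsubnet)] if leftsubnet else [])
    right_sel = [("host", None)] + ([("net", rightsubnet)] if rightsubnet else [])
    conns = []
    for lkind, lsub in left_sel:
        for rkind, rsub in right_sel:
            params = {
                "authby": "secret", "type": "tunnel", "auth": "esp",
                "esp": esp, "keyexchange": "ike", "ike": ike,
                "ikelifetime": f"{phase1exptime}s",  # Phase 1 (ISAKMP SA)
                "keylife": f"{phase2exptime}s",      # Phase 2 (IPsec SA)
                "left": left, "right": right, "pfs": "yes", "auto": "start",
            }
            # A missing *subnet means "the host itself"; the post spelled the
            # same thing as rightsubnet=5.6.7.8/32.
            if lsub:
                params["leftsubnet"] = lsub
            if rsub:
                params["rightsubnet"] = rsub
            conns.append((f"{lkind}-{rkind}", params))
    return conns

def render_ipsec_conf(conns):
    """Render conns in ipsec.conf syntax; parameter lines must be indented."""
    out = []
    for name, params in conns:
        out.append(f"conn {name}")
        out.extend(f"\t{k}={v}" for k, v in params.items())
        out.append("")
    return "\n".join(out)

def lifetimes_match(params, phase1exptime, phase2exptime):
    """True if a conn's lifetimes equal the VPN-1 site's exptimes (seconds)."""
    return (params["ikelifetime"] == f"{phase1exptime}s"
            and params["keylife"] == f"{phase2exptime}s")
```

Feeding the swapped values from the original mail (phase1 3600, phase2 28800) into lifetimes_match() returns False, which is the mismatch the correction above fixes.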