[Openswan Users]

Paul Wouters paul at xelerance.com
Tue Jan 11 19:21:27 CET 2005


On Tue, 11 Jan 2005, Fabian Aichele wrote:

> > If you are going to use X.509 openswan-openswan, I strongly 
> > recommend switching to openswan-2. If debian contains the 
> > NETKEY ipsec stack, this will not work on openswan-1.
> Is the NETKEY ipsec stack part of a kernel patch or part of OpenSWAN or
> another user space program?

NETKEY is the 'native' 2.6 ipsec kernel code (af_key.o/af_key.ko and esp4.o/esp4.ko).

> If the setup attempts with OpenSWAN 1.x fail, I will consider this, but
> the 2.4 kernel version I am using is running smoothly, and I'd prefer
> switching the kernel on the machines only as a last resort.

I am not keeping close track of Debian kernels. If that kernel has netkey
code, openswan-1 simply cannot work. It has no netlink support to talk to
the NETKEY code. If that kernel has KLIPS (ipsec.o) then it can work with
either openswan-1 or openswan-2, and you need to pick whatever matches the
version of your ipsec.o module. You can't use ipsec.o from openswan-2 with
openswan-1 userland.

> > Try filling in the nexthop= to point to your default gateway ip.
> Is it a problem if the default gateways for both DSL connections are
> connected within the same subnet range?

For KLIPS you cannot have two default gateways unless you are specifying
an interfaces= line that covers both interfaces. Then you can also not
use left=%defaultroute, but you have to specify the IP. One IP cannot be
on two different interfaces.
 
> Are the "nexthop" specifications definitely important in the case of
> non-static IP addresses?

nexthop is only used for KLIPS. Sometimes it is necessary to ensure
packets are routed to the proper ipsecN interface so they are processed
by KLIPS.
 
> > In general it seems determining the nexthop setting to deduce 
> > the interface when using KLIPS seems to work better when the 
> > local machine is left= instead of right=. I am not sure why this is.
> I am a bit confused about "left" and "right"; the ipsec.conf manual page
> states
> "Which participant is considered left or right is arbitrary", but as
> you say, this doesn't seem to be the case.

Correct, the exception to this are roadwarrior setups and those setups
that use interfaces=%defaultroute.

> To get to the my connection setup attempt again:
> The "left" machine is the local machine (the one that is supposed to
> initiate an IPSEC tunnel via auto=start for the corresponding connection
> specification), whereas the "right" machine is the one to wait for
> connection attempts (via auto=add).

That's okay. But on the other side (e.g. right), I would make the local
machine 'left' too. E.g. do not have identical copies of ipsec.conf, but
swap left and right.

Paul
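To make the left/right, nexthop= and interfaces= advice in this message concrete, below is an added example of a KLIPS-style ipsec.conf for each end of one tunnel. It is not from the original message or from the Openswan project; it is written from the Openswan 2.x ipsec.conf keywords (config setup, interfaces=, conn, left/leftnexthop/leftid/leftcert, rightrsasigkey=%cert, authby=rsasig, auto=). All addresses, interface names, the connection name and the certificate file names and DNs are made up for illustration, and the two "config setup" sections stand for two separate files, one per machine.

```conf
# --- /etc/ipsec.conf on side A (the machine with the two DSL links) ---
# Illustrative values only: 192.0.2.x / 198.51.100.x, ppp0/ppp1, aCert.pem
# and the DNs below are placeholders, not real deployment data.
config setup
    # List both DSL interfaces explicitly rather than interfaces=%defaultroute:
    # with two default gateways KLIPS cannot pick the ipsecN interface by itself.
    interfaces="ipsec0=ppp0 ipsec1=ppp1"
    klipsdebug=none
    plutodebug=none

conn a-to-b
    # Local machine is 'left' on this side. A fixed IP, not left=%defaultroute,
    # since one IP cannot sit on two different interfaces.
    left=192.0.2.10
    # Gateway of the DSL link this tunnel should use, so outgoing packets
    # are routed via the matching ipsecN interface and processed by KLIPS.
    leftnexthop=192.0.2.1
    leftid="C=NL, O=Example, CN=a.example.net"
    leftcert=aCert.pem
    right=198.51.100.20
    rightnexthop=198.51.100.1
    rightid="C=NL, O=Example, CN=b.example.net"
    # Take the peer's RSA key from the certificate it presents.
    rightrsasigkey=%cert
    authby=rsasig
    # This side initiates.
    auto=start

# --- /etc/ipsec.conf on side B (the responder) ---
# Same conn, but left and right swapped so that the local machine is again
# 'left', instead of copying side A's file verbatim.
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none

conn a-to-b
    left=198.51.100.20
    leftnexthop=198.51.100.1
    leftid="C=NL, O=Example, CN=b.example.net"
    leftcert=bCert.pem
    right=192.0.2.10
    rightnexthop=192.0.2.1
    rightid="C=NL, O=Example, CN=a.example.net"
    rightrsasigkey=%cert
    authby=rsasig
    # This side only loads the conn and waits for A to connect.
    auto=add
```

The nexthop lines matter only with KLIPS; on a NETKEY kernel they are ignored, as the message says. Check the keyword set against the ipsec.conf(5) page shipped with your Openswan version before relying on this layout.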
