[Openswan Users] OPENSWAN 0.0.0.0/0 doesn't work.
JH
security at hammerjammer.net
Fri Mar 11 02:18:45 CET 2005
Hi Everyone,
I am setting up Openswan for the first time and have run into a
problem - am hoping someone can help me out here. :)
I currently am using a WLAN and am trying to encrypt ALL traffic to
networks sitting on the other side of my openswan gateway. The path
is like this:
laptop-->WLAN--->openswan--->office netwk--->router--->internet
I am able to get a basic setup working but face a problem:
it is only encrypting packets with a destination address to the
office network. All other packets going to the internet are sent
across the WLAN in the clear before hitting openswan. I was
expecting openswan to encrypt EVERYTHING travelling over the WLAN and
ONLY pop ALL packets out in the office network in the clear.
When I try to put 0.0.0.0/0 as some have recommended, I end up NOT
getting any kind of encryption at all.
After reading many articles on Openswan, I am now thoroughly confused
- some people say you have to swap sides for client and gateway (i.e.
left on gateway is right on client) and others say you have to keep
the configs the same on both.
My GW ipsec.conf config is:

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    rightrsasigkey=%cert

conn nwstudent
    auto=add
    # vpn gateway
    left=192.168.1.200
    # when I try to change this to 0.0.0.0/0, nothing gets encrypted
    # and all packets are sent clear-text
    leftsubnet=10.1.1.0/24
    leftcert=vpnservercert.pem
    # remote client
    right=%any

conn gwstudent
    auto=add
    # vpn gateway
    left=192.168.1.200
    leftcert=vpnservercert.pem
    # remote site
    right=%any
My laptop ipsec.conf config (using the ipsec tool from Marcus Muller)
is:

conn nwstudent
    network=lan
    auto=start
    left=%any
    right=192.168.1.200
    # changing this to 0.0.0.0/0 makes it fail
    rightsubnet=10.1.1.0/24
    rightca="C=X, L=X, O=X, OU=X, CN=X"
    pfs=yes

conn gwstudent
    network=lan
    auto=start
    left=%any
    right=192.168.1.200
    rightca="C=X, L=X, O=X, OU=X, CN=X"
    pfs=yes
Could anyone tell me whether the left and right values need to be
shifted around and whether my settings above are missing anything?
I've checked the certs and the program runs fine - the only thing is
that 0.0.0.0/0 does not seem to work when put into both ends of the
config files.
If I put in 10.1.1.0/24, which is my office network, all packets to
that network are encrypted over the WLAN but I would like for EVERY
single packet to be encrypted, including DNS lookups to the
internet, as they travel over the WLAN segment.
Does Openswan insist that much about gateway MUST be left or right or
whatever?
Thanks for any assistance you can render.
Things like this (i.e. differing views on left and right of openswan
and different people telling me different things) make me understand
why many companies still prefer Microsoft products over having to
support Linux in a corporate production end-user-environment.
Many thanks in advance,
J.Ho
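As an added illustration (not part of the post above and not Openswan's own code): a small Python check that parses the conn sections of an ipsec.conf shaped like the gateway config in the post and reports which conns' subnet covers a given destination. It makes visible why leftsubnet=10.1.1.0/24 protects only traffic to the office network while everything else crosses the WLAN in the clear. The config text is constructed for the example, 203.0.113.10 is a documentation address standing in for "some internet host", and "catchall" is a hypothetical extra conn showing what 0.0.0.0/0 changes.

```python
import ipaddress

# Constructed sample modelled on the post's gateway config; "catchall" is a hypothetical
# extra conn showing what leftsubnet=0.0.0.0/0 changes.
IPSEC_CONF = """\
conn %default
    authby=rsasig

conn nwstudent
    left=192.168.1.200
    leftsubnet=10.1.1.0/24
    right=%any

conn gwstudent
    left=192.168.1.200
    right=%any

conn catchall
    left=192.168.1.200
    leftsubnet=0.0.0.0/0
    right=%any
"""

def parse_conns(text):
    """Parse 'conn' sections into {name: {key: value}}, folding %default into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **params} for name, params in conns.items()}

def covering_conns(conns, dst, side="left"):
    """Names of conns whose <side>subnet (or, absent that, the <side> host itself) contains dst."""
    dst = ipaddress.ip_address(dst)
    hits = []
    for name, p in conns.items():
        subnet = p.get(f"{side}subnet") or p.get(side, "%any") + "/32"
        if subnet.startswith("%"):            # %any etc.: no fixed address to compare against
            continue
        if dst in ipaddress.ip_network(subnet, strict=False):
            hits.append(name)
    return hits
```

An empty result for an internet destination means no conn selects that traffic, so no IPsec policy will apply to it; on the running gateway the policies actually installed can be listed with `ip xfrm policy`.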