[Openswan Users] OPENSWAN 0.0.0.0/0 doesn't work.

JH security at hammerjammer.net
Fri Mar 11 02:18:45 CET 2005


Hi Everyone,

I am setting up Openswan for the first time and have run into a 
problem - am hoping someone can help me out here. :)

I currently am using a WLAN and am trying to encrypt ALL traffic to 
networks sitting on the other side of my openswan gateway.  The path 
is like this:

laptop-->WLAN--->openswan--->office netwk--->router--->internet

I am able to get a basic setup working but face a problem: 
it is only encrypting packets with a destination address to the 
office network.  All other packets going to the internet are sent 
across the WLAN in the clear before hitting openswan.  I was 
expecting openswan to encrypt EVERYTHING travelling over the WLAN and 
ONLY pop ALL packets out in the office network in the clear.  

When I try to put 0.0.0.0/0 as some have recommended, I end up NOT 
getting any kind of encryption at all.

After reading many articles on Openswan, I am now thoroughly confused 
- some people say you have to swap sides for client and gateway (i.e. 
left on gateway is right on client) and others say you have to keep 
the configs the same on both.

My GW ipsec.conf config is:

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        rightrsasigkey=%cert

conn nwstudent
        auto=add
        # vpn gateway
        left=192.168.1.200
        leftsubnet=10.1.1.0/24
        # (when I try to change this to 0.0.0.0/0, nothing gets encrypted
        # and all packets are sent clear-text)
        leftcert=vpnservercert.pem
        # remote client
        right=%any

conn gwstudent
        auto=add
        # vpn gateway
        left=192.168.1.200
        leftcert=vpnservercert.pem
        # remote site
        right=%any

My laptop ipsec.conf config (using the ipsec tool from Marcus Muller) 
is:

conn nwstudent
        network=lan
        auto=start
        left=%any
        right=192.168.1.200
        rightsubnet=10.1.1.0/24
        # (changing this to 0.0.0.0/0 makes it fail)
        rightca="C=X, L=X, O=X, OU=X, CN=X"
        pfs=yes

conn gwstudent
        network=lan
        auto=start
        left=%any
        right=192.168.1.200
        rightca="C=X, L=X, O=X, OU=X, CN=X"
        pfs=yes

Could anyone tell me whether the left and right values need to be 
shifted around and whether my settings above are missing anything?  
I've checked the certs and the program runs fine - the only thing is 
that 0.0.0.0/0 does not seem to work when put into both ends of the 
config files.  

If I put in 10.1.1.0/24, which is my office network, all packets to 
that network are encrypted over the WLAN, but I would like for EVERY 
single packet to be encrypted, including DNS lookups to the 
internet, as they travel over the WLAN segment.


Does Openswan insist that much about gateway MUST be left or right or 
whatever?

Thanks for any assistance you can render.
Things like this (i.e. differing views on left and right of Openswan 
and different people telling me different things) make me understand 
why many companies still prefer Microsoft products over having to 
support Linux in a corporate production end-user environment.

Many thanks in advance,
J.Ho
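Added example (editor's code, not from the poster or the Openswan project): a small Python script that reads conn blocks in the ipsec.conf layout used above and evaluates which packets each conn's traffic selectors would cover. It follows the ipsec.conf rule that an omitted leftsubnet/rightsubnet means the host's own address, substitutes a constructed laptop address (192.168.1.50) for left=%any, and uses constructed destinations (a host in 10.1.1.0/24 and a documentation-range address standing in for an internet DNS server). It shows why the 10.1.1.0/24 version protects only office-bound packets, and that a 0.0.0.0/0 selector also covers the gateway's own address 192.168.1.200, which is the first thing to check when a catch-all conn fails: the IKE and ESP packets to the gateway are then themselves "traffic to the remote subnet". It models the selectors only, not the kernel policy database, so it shows what the conn claims, not why a particular build rejects it. On the left/right question, Openswan treats the two names as labels, decides which side is local from its own interface addresses, and accepts the same conn text on both ends.

```python
"""Evaluate ipsec.conf-style traffic selectors (editor's example, assumptions
noted inline; not Openswan's own parser)."""
import ipaddress

# Constructed sample values: the laptop's WLAN address (stands in for
# left=%any), an office host, and a documentation-range address standing in
# for an internet DNS resolver.
LAPTOP = "192.168.1.50"
OFFICE_HOST = "10.1.1.5"
INTERNET_DNS = "203.0.113.53"

# Constructed client conns in the same layout as the poster's laptop config.
CLIENT_CONF_OFFICE = """\
conn %default
        auto=start

conn nwstudent
        left=%any
        right=192.168.1.200
        rightsubnet=10.1.1.0/24   # office network only
"""
CLIENT_CONF_ALL = CLIENT_CONF_OFFICE.replace("10.1.1.0/24", "0.0.0.0/0")


def parse_conns(text):
    """Parse 'conn NAME' headers followed by indented key=value lines.

    '#' comments are dropped and settings from 'conn %default' are merged into
    every other conn, as ipsec.conf does.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **body} for name, body in conns.items()}


def side_network(conn, side, local_host):
    """Traffic selector for one side ('left' or 'right').

    <side>subnet wins if set; otherwise the selector is the side's own host
    address as a /32 (an omitted subnet means 'just this host'). %any is
    resolved to local_host, the address the client actually has.
    """
    subnet = conn.get(side + "subnet")
    if subnet:
        return ipaddress.ip_network(subnet, strict=False)
    host = conn.get(side)
    if host in (None, "%any"):
        host = local_host
    return ipaddress.ip_network(host + "/32")


def is_protected(conn, src, dst, local_host):
    """True if a src->dst packet matches the conn's selectors in either direction."""
    left = side_network(conn, "left", local_host)
    right = side_network(conn, "right", local_host)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)


def coverage(conf_text, conn_name, destinations, local_host=LAPTOP):
    """Map each destination to whether the named conn would encrypt traffic to it."""
    conn = parse_conns(conf_text)[conn_name]
    return {dst: is_protected(conn, local_host, dst, local_host) for dst in destinations}


def gateway_inside_selector(conf_text, conn_name, local_host=LAPTOP):
    """Does the remote selector swallow the gateway's own address?

    When it does, the client's IKE (UDP 500) and ESP packets to the gateway
    are themselves 'traffic to the remote subnet', a condition a catch-all
    conn must deal with and a plain subnet conn never hits.
    """
    conn = parse_conns(conf_text)[conn_name]
    gateway = ipaddress.ip_address(conn["right"])
    return gateway in side_network(conn, "right", local_host)


if __name__ == "__main__":
    targets = [OFFICE_HOST, INTERNET_DNS, "192.168.1.200"]
    for label, conf in (("rightsubnet=10.1.1.0/24", CLIENT_CONF_OFFICE),
                        ("rightsubnet=0.0.0.0/0", CLIENT_CONF_ALL)):
        print(label, coverage(conf, "nwstudent", targets),
              "gateway inside selector:", gateway_inside_selector(conf, "nwstudent"))
```

Run it as-is; the first line reports that only the office host is covered, the second that every destination, the gateway included, falls inside the selector.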